COMMAND

    ssh

SYSTEMS AFFECTED

    FreeBSD

PROBLEM

    The following is based on a FreeBSD Security Advisory.  SSH is an
    implementation  of  the  Secure   Shell  protocol  for   providing
    encrypted  and  authenticated   communication  between   networked
    machines.

    A patch added  to the FreeBSD  SSH port on  2000-01-14 incorrectly
    configured the SSH daemon to listen on an additional network port,
    722, in addition  to the usual  port 22. This  change was made  as
    part of  a patch  to allow  the SSH  server to  listen on multiple
    ports, but the  option was incorrectly  enabled by default.   This
    may cause a  violation of security  policy if the  additional port
    is not subjected to  the same access-controls (e.g.  firewalling)
    as the standard SSH port.

    Note this is not a vulnerability associated with the SSH  software
    itself, and  it is  not likely  to be  a risk  for the majority of
    installations,  since  a  remote  user  must  still have valid SSH
    credentials in  order to  access the  SSH server  on the alternate
    port.   The  risk  is  that  users  may  be able to access the SSH
    server from IP  addresses which are  prohibited to connect  to the
    standard port.

    Remote users with valid SSH credentials may access the ssh  server
    on a  non-standard port,  potentially bypassing  IP address access
    controls on  the standard  SSH port.   If you  have not  chosen to
    install the ssh port/package, or installed it prior to  2000-01-14
    or after 2000-04-21,  then your system  is not vulnerable  to this
    problem.

SOLUTION

    FreeBSD 4.0 ships with OpenSSH,  a free implementation of the  SSH
    protocol,  included  within  the  base  system.   OpenSSH does not
    suffer from this misconfiguration.

    Workaround is one of the following:

      1) Comment out the line "Port 722" in /usr/local/etc/sshd_config
         and restart sshd
      2) Add  filtering rules  to your  perimeter firewall,  or on the
         local machine  (using ipfw  or ipf)  to limit  connections to
         port 722.
      3) Deinstall the ssh port/package, if you have installed it.
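    As an added example (not part of the advisory or of the FreeBSD port),
    the following POSIX shell script audits an sshd_config for active
    "Port" directives other than 22, as described in workaround 1, and
    writes a copy with every additional Port line commented out.  It
    assumes the classic one-directive-per-line sshd_config format; the
    sample configuration it creates in a temporary file is constructed
    for the demonstration, and on a real system the file to audit would
    be /usr/local/etc/sshd_config.

```shell
#!/bin/sh
# Added example, not from the advisory: find and disable extra sshd ports.
# Assumes "Port N" directives, one per line, as in classic sshd_config.

# list_ports FILE -> print the port number of every active Port directive.
# Commented lines start with "#", so their first field is never "port".
list_ports() {
    awk 'tolower($1) == "port" { print $2 }' "$1"
}

# check_ports FILE -> return 0 if only port 22 (or no Port line, which
# defaults to 22) is active; otherwise print the extra ports and return 1.
check_ports() {
    extra=$(list_ports "$1" | grep -v '^22$' || true)
    if [ -n "$extra" ]; then
        echo "active non-standard sshd ports in $1:" $extra
        return 1
    fi
    return 0
}

# disable_extra_ports IN OUT -> copy IN to OUT, commenting out every
# Port directive other than 22 (the advisory's workaround 1).
disable_extra_ports() {
    awk 'tolower($1) == "port" && $2 != "22" { print "#" $0; next }
         { print }' "$1" > "$2"
}

# Constructed sample sshd_config reproducing the misconfiguration.
SAMPLE_CONF=$(mktemp) || exit 1
cat > "$SAMPLE_CONF" <<'EOF'
# constructed sample sshd_config (not a real file from the advisory)
Port 22
Port 722
ListenAddress 0.0.0.0
PermitRootLogin no
EOF

# Audit the sample, then show the corrected copy.
if check_ports "$SAMPLE_CONF"; then
    echo "$SAMPLE_CONF: only the standard port is active"
else
    FIXED_CONF=$(mktemp) || exit 1
    disable_extra_ports "$SAMPLE_CONF" "$FIXED_CONF"
    echo "corrected copy written to $FIXED_CONF:"
    cat "$FIXED_CONF"
fi
```

    After reviewing the corrected copy, it would replace the original
    sshd_config and sshd would be restarted, as workaround 1 describes.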

    Solution is one of the following:

      1) Upgrade your entire ports collection and rebuild the ssh port
      2) Download a new port skeleton for the ssh port from:
         http://www.freebsd.org/ports/
         and use it  to rebuild the  port. Note that  packages are not
         provided for the ssh port.