COMMAND

    OpenSSH

SYSTEMS AFFECTED

    See below

PROBLEM

    Markus Friedl found the following.  OpenSSH's UseLogin option allows
    remote access with root privilege.  The default installation of
    OpenSSH is not vulnerable, since UseLogin defaults to 'no'.  However,
    if UseLogin is enabled, all versions of OpenSSH prior to 2.1.1 are
    affected.

    If the UseLogin option is enabled, the OpenSSH server (sshd) does not
    switch to the uid of the user logging in.  Instead, sshd relies on
    login(1) to do the job.  However, if the user specifies a command for
    remote execution, login(1) cannot be used and sshd fails to set the
    correct user id.  The command is run with the same privilege as sshd
    (usually root).

    If the administrator enables UseLogin, users can get privileged
    access to the server running sshd.

SOLUTION

    Do not enable UseLogin on your machines or disable UseLogin  again
    in /etc/sshd_config:

        UseLogin no
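    The following check is an added example, not part of the advisory:
    it reports whether a given sshd_config enables UseLogin.  sshd uses
    the first uncommented occurrence of a keyword and matches keywords
    case-insensitively, so a later "UseLogin no" does not undo an earlier
    "UseLogin yes"; the "Keyword value" whitespace layout is assumed.

```shell
# Added example, not part of the advisory: report whether an sshd_config
# enables the UseLogin option this advisory concerns.
# sshd honours the FIRST uncommented occurrence of a keyword and matches
# keywords case-insensitively, so "UseLogin yes" followed later by
# "UseLogin no" still enables it.  Assumes the "Keyword value" layout.
# Returns 0 if UseLogin is enabled, 1 if unset or "no", 2 if unreadable.
uselogin_enabled() {
    cfg="${1:-/etc/ssh/sshd_config}"
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }
    # Strip comments, take the first UseLogin line, lower-case its value.
    val=$(sed -e 's/#.*//' "$cfg" |
          awk 'tolower($1) == "uselogin" { print tolower($2); exit }')
    case "$val" in
        yes) echo "$cfg: UseLogin is enabled (affected before 2.1.1)"
             return 0 ;;
        *)   echo "$cfg: UseLogin is not enabled (default)"
             return 1 ;;
    esac
}
```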

    Upgrade to OpenSSH-2.1.1 or apply the attached patch (2.1.2):

    --- sshd.c.orig	Thu Jan 20 18:58:39 2000
    +++ sshd.c	Tue Jun  6 10:12:00 2000
    @@ -2231,6 +2231,10 @@
 	    struct stat st;
 	    char *argv[10];

    +	/* login(1) is only called if we execute the login shell */
    +	if (options.use_login && command != NULL)
    +		options.use_login = 0;
    +
 	    f = fopen("/etc/nologin", "r");
 	    if (f) {
 		    /* /etc/nologin exists.  Print its contents and exit. */
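    Review bot: the new comment explains when login(1) is called but not what sshd does instead, which is the actual fix; a second comment line saying that with options.use_login cleared sshd performs its own switch to the user's uid before running `command` (the privilege drop login(1) was never going to do for a command session) would make the intent of `options.use_login = 0` clear to a later reader.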

    OpenSSH-1.2.3:

    --- sshd.c.orig	Mon Mar  6 22:11:17 2000
    +++ sshd.c	Tue Jun  6 10:14:07 2000
    @@ -2250,6 +2250,10 @@
 	    struct stat st;
 	    char *argv[10];

    +	/* login(1) is only called if we execute the login shell */
    +	if (options.use_login && command != NULL)
    +		options.use_login = 0;
    +
 	    f = fopen("/etc/nologin", "r");
 	    if (f) {
 		    /* /etc/nologin exists.  Print its contents and exit. */
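    Review bot: `options.use_login = 0` modifies the server-wide configuration struct in place, the same as in the 2.1.2 hunk; this is only per-session if the code runs in the forked per-connection child. Either state that in the comment or evaluate the condition into a local flag, so nobody reading this later assumes UseLogin is being switched off for the whole daemon.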

    OpenSSH-2.1.0

    --- session.c.orig	Wed May  3 20:03:07 2000
    +++ session.c	Tue Jun  6 10:10:50 2000
    @@ -744,6 +744,10 @@
 	    struct stat st;
 	    char *argv[10];

    +	/* login(1) is only called if we execute the login shell */
    +	if (options.use_login && command != NULL)
    +		options.use_login = 0;
    +
 	    f = fopen("/etc/nologin", "r");
 	    if (f) {
 		    /* /etc/nologin exists.  Print its contents and exit. */
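    Review bot: the check is correctly placed before `fopen("/etc/nologin", "r")`, so the nologin refusal still applies to both login-shell and command sessions; it is worth noting in the comment that the assignment must stay ahead of any code that later branches on options.use_login, since the same four lines are being dropped into session.c here and into sshd.c in the two other versions at different offsets.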

    The  patch  above  is  for  the  OpenBSD version, not the portable
    version.  Updated Red Hat Linux packages are now available at

        ftp://ftp.redhat.de/pub/rh-addons/security/current

    Direct download links to updated packages for Conectiva Linux:

    ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/openssh-2.1.1p1-1cl.i386.rpm
    ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/openssh-askpass-2.1.1p1-1cl.i386.rpm
    ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/openssh-askpass-gnome-2.1.1p1-1cl.i386.rpm
    ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/openssh-clients-2.1.1p1-1cl.i386.rpm
    ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/openssh-server-2.1.1p1-1cl.i386.rpm
    ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/openssl-0.9.5a-1cl.i386.rpm
    ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/openssl-devel-0.9.5a-1cl.i386.rpm

    Update (2000-06-11):
    For FreeBSD  set 'UseLogin  No' in  your /etc/ssh/sshd_config file
    and restart  the SSH  server by  issuing the  following command as
    root:

        # kill -HUP `cat /var/run/sshd.pid`

    This  will  cause  the  parent  process  to respawn and reread its
    configuration file,  and should  not interfere  with existing  SSH
    sessions.  Note that a bug in sshd (discovered during  preparation
    of this advisory, fixed  in FreeBSD 5.0-CURRENT and  4.0-STABLE as
    of 2000-07-03) means that it will fail to restart correctly unless
    it  was   originally  invoked   with  an   absolute  path    (i.e.
    "/usr/sbin/sshd" instead of "sshd").  Therefore you should  verify
    that the server is still running after you deliver the HUP signal:

        # ps -p `cat /var/run/sshd.pid`
          PID  TT  STAT      TIME COMMAND
         2110  ??  Ss     0:00.97 /usr/sbin/sshd

    If the  server is  no longer  running, restart  it by  issuing the
    following command as root:

        # /usr/sbin/sshd
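    The restart-and-verify procedure above, as an added example that is
    not part of the advisory: send SIGHUP, confirm the parent survived,
    and restart it by absolute path if the respawn bug killed it.  The
    pid file and sshd path are arguments; the defaults are the advisory's.

```shell
# Added example, not part of the advisory: reload sshd with SIGHUP and
# verify the parent survived, restarting it if the respawn bug described
# above (relative-path invocation) killed it.  Prints one status word:
# "reloaded", "restarted" or "failed".  Assumes the pid file and the
# absolute sshd path given as arguments (defaults match the advisory).
reload_sshd() {
    pidfile="${1:-/var/run/sshd.pid}"
    sshd_bin="${2:-/usr/sbin/sshd}"
    pid=$(cat "$pidfile" 2>/dev/null) || { echo failed; return 1; }
    kill -HUP "$pid" 2>/dev/null || true   # stale pid: fall through
    sleep 1                                # give the parent time to re-exec
    # Same check as "ps -p `cat /var/run/sshd.pid`" in the advisory:
    if kill -0 "$pid" 2>/dev/null; then
        echo reloaded
        return 0
    fi
    # Parent is gone: start it again, by absolute path so that the next
    # SIGHUP respawn works.
    if "$sshd_bin"; then
        echo restarted
        return 0
    fi
    echo failed
    return 1
}
```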

    The solution is one of the following:

    1) Upgrade  to  FreeBSD  4.0-STABLE  or  5.0-CURRENT  after    the
       correction date.  Note  that these versions of  FreeBSD contain
       a newer  version of  OpenSSH than  was in  4.0-RELEASE, version
       2.1, which  provides enhanced  functionality including  support
       for the SSH2 protocol and DSA keys.

    2) Save this advisory as a file and extract the relevant patch for
       your version  of FreeBSD,  or download  the relevant  patch and
       detached PGP signature from the following location:
        # fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:30/sshd.patch
        # fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:30/sshd.patch.asc
       Verify the detached signature using your PGP utility.

       Issue the following commands as root:
        # cd /usr/src/crypto/openssh
        # patch -p < /path/to/patch/or/advisory
        # cd /usr/src/secure/lib/libssh
        # make all
        # cd /usr/src/secure/usr.sbin/sshd
        # make all install
        # kill -HUP `cat /var/run/sshd.pid`

    Patch:

    Index: sshd.c
    ===================================================================
    RCS file: /home/ncvs/src/crypto/openssh/sshd.c,v
    retrieving revision 1.6
    diff -u -r1.6 sshd.c
    --- sshd.c	2000/03/09 14:52:31	1.6
    +++ sshd.c	2000/07/04 03:40:46
    @@ -2564,7 +2564,13 @@
 	    char *argv[10];
     #ifdef LOGIN_CAP
 	    login_cap_t *lc;
    +#endif
    
    +	/* login(1) is only called if we execute the login shell */
    +	if (options.use_login && command != NULL)
    +		options.use_login = 0;
    +
    +#ifdef LOGIN_CAP
 	    lc = login_getpwclass(pw);
 	    if (lc == NULL)
 		    lc = login_getclassbyname(NULL, pw);
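    Review bot: the added `+#endif` after `login_cap_t *lc;` and the new `+#ifdef LOGIN_CAP` before `lc = login_getpwclass(pw);` deliberately lift the use_login check out of the LOGIN_CAP conditional, so the fix is compiled in on builds without login classes; the split looks accidental at first glance, so add a short comment saying the block must stay outside `#ifdef LOGIN_CAP` to avoid someone "tidying" it back inside.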