COMMAND

    SSH

SYSTEMS AFFECTED

    SSH 1.x and 2.x

PROBLEM

    Raymond T. Sundland found the following.  There seems to be incomplete
    code in the SSH daemon in both versions 1.2.27 and 2.0.11 (the only
    ones tested).  The bug simply allows users with expired accounts (in
    /etc/shadow) to continue to log in even though other services such
    as ftp and telnet deny access.  Here is the log using 1.2.27 (but
    the same happens with 2.0.11).

        [root@epicenter /etc]# chage -l lamer
        Minimum:        3
        Maximum:        30
        Warning:        5
        Inactive:       -1
        Last Change:            Jan 01, 1999
        Password Expires:       Jan 31, 1999
        Password Inactive:      Never
        Account Expires:        Jan 22, 1999
        [root@epicenter /etc]# date
        Sat Jan 23 13:57:51 PST 1999
        [root@epicenter /etc]# telnet localhost
        Trying 127.0.0.1...
        Connected to localhost.
        Escape character is '^]'.
        login: lamer
        Password:
        Your account has expired.  Please contact the system administrator.
        Connection closed by foreign host.
        [root@epicenter /etc]# ssh1 -l lamer localhost
        lamer@127.0.0.1's password:
        No mail.
        (lamer@epicenter) lamer>

        .......

    Raymond then wanted to see whether expiration checks work at all
    under SSH, and the password check does: if a user's password has
    expired, SSH prompts the user after login to enter a new password
    and disconnects them if they fail to (as telnet would).  This was
    tested under:

        Linux 2.0.36
        Shadow Utilities 980724
        SSH 1.2.26 and 2.0.11 (both daemons)

    Furthermore, according to Alan Olsen, if the account is disabled in
    /etc/passwd and a user logs in via a public key, they are still
    allowed access.  (So just disabling a user account is not enough
    anymore; you have to look for uses of public keys as well.)  This
    may not exist in the 2.x series (not tested in this case), but it
    does occur in the 1.2.x series (latest version not tested).

    Note that this is not the case with ssh 1.1.26 running on FreeBSD
    2.2.8.  It seems to be a bug in the configure script.  After a quick
    look at the source code, the possibly-vulnerable environments are:

    - sshd 1.2.26 on
      * Linux, Irix5, Irix6, Ultrix, Convex
    - sshd 2.0.11 on
      * Almost all platforms with account expiration and without usersec.h (?)

    To check whether your sshd is vulnerable, execute the command

        strings sshd | grep expire

    and see whether a message for ACCOUNT expiration exists (a message
    for PASSWORD expiration may be present regardless).  It seems that
    in ssh 1.2.26 the check for shadow password existence is bypassed on
    some platforms; however, the check for the existence of sp_expire is
    done in the bypassed section of the configure script.  In ssh 2.0.11,
    no check seems to be done for sp_expire at all. (true?)

SOLUTION

    In SSH 1.2.26, adding -DHAVE_STRUCT_SPWD_EXPIRE to the Makefile at
    the top of the SSH tree will fix the problem.  In SSH 2.0.11, add
    the same -DHAVE_STRUCT_SPWD_EXPIRE to
    ssh-2.0.11/lib/sshsession/Makefile.  In both cases, add it to the
    'defs =' section.
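    As an added illustration (my own code, not from the ssh sources or
    this advisory): the account-expiry check that HAVE_STRUCT_SPWD_EXPIRE
    is meant to compile in, using the sp_expire field of struct spwd from
    /etc/shadow, beside the password-expiry check the text says ssh already
    performs.  The function names and the sample entry are constructed
    from the chage -l output above; it assumes a Linux system with <shadow.h>.

```c
#include <stdio.h>
#include <shadow.h>   /* struct spwd: sp_lstchg, sp_max, sp_expire (days since epoch) */

/* Account expiry: sp_expire is the day since the epoch on which the account
 * becomes disabled; a value <= 0 means "never".  Returns 1 if login must be
 * refused.  A daemon must apply this after *any* successful authentication,
 * password or public key, which is the check the affected sshd omits. */
int account_expired(const struct spwd *sp, long today)
{
    return sp->sp_expire > 0 && today >= sp->sp_expire;
}

/* Password expiry, the check the advisory says sshd does perform:
 * sp_lstchg == 0 forces a change at next login; sp_max < 0 means no maximum
 * age; otherwise the password is expired once last change + max age passes. */
int password_expired(const struct spwd *sp, long today)
{
    if (sp->sp_lstchg == 0)
        return 1;
    if (sp->sp_max < 0)
        return 0;
    return today >= sp->sp_lstchg + sp->sp_max;
}

/* Constructed sample entry mirroring the chage -l output in the advisory
 * (not real data): Jan 01 1999 = day 10592, Jan 22 1999 = day 10613. */
struct spwd sample_lamer(void)
{
    struct spwd sp = {0};
    sp.sp_namp   = "lamer";
    sp.sp_lstchg = 10592;   /* Last Change:      Jan 01, 1999 */
    sp.sp_max    = 30;      /* Password Expires: Jan 31, 1999 (10592 + 30) */
    sp.sp_inact  = -1;
    sp.sp_expire = 10613;   /* Account Expires:  Jan 22, 1999 */
    return sp;
}

int main(void)
{
    struct spwd sp = sample_lamer();
    long today = 10614;     /* Sat Jan 23 1999, the date in the log */
    printf("%s: account_expired=%d password_expired=%d\n", sp.sp_namp,
           account_expired(&sp, today), password_expired(&sp, today));
    return 0;
}
```

    On the advisory's date the account is expired while the password is
    not, which is precisely the combination the unpatched sshd lets through.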