BugTraq
Re: Fwd: [BID 7482, bug in OpenSSH (Still in FreeBSD-STABLE)] Apr 13 2004 03:37PM
des (at) des (dot) no (Dag-Erling Smørgrav)
"Felipe Neuwald" <felipe.neuwald (at) loreno.com (dot) br> writes:
> felipe@worm felipe $ ssh -l root host
> Password:
> Password:
> Password:
> root@host's password:
> Permission denied, please try again.
> root@host's password:
> Permission denied, please try again.
> root@host's password:
> Permission denied (publickey,password,keyboard-interactive).

The first three prompts you see here are from PAM (working through
keyboard-interactive authentication), and the last three from password
authentication. You probably shouldn't have both enabled at the same
time (though they are both enabled by default for historical reasons).
This is not really relevant to your problem, though.

> And now, trying to log in as root to the system, but typing the correct
> password:
>
> felipe@worm felipe $ ssh -l root host
> Password:
> Connection to host closed by remote host.
> Connection to host closed.

This is an old bug in OpenSSH which has been fixed in more recent
versions.

> It's easy to make one little program to discover with bruteforce the
> correct password of the root login.

True, but it would be *very* slow, and it would fill the target
system's logs with warnings from sshd.

Brute-forcing a good N-character password takes about 60^N / 2
attempts on average. The effective limit on password length in
FreeBSD, provided you use MD5 passwords (which is the default), is
somewhere north of 500 characters (imposed by the PAM conversation
API's 512-byte limit on prompts and responses).

> But... why is FreeBSD-STABLE still running this version of OpenSSH?

Because newer versions don't support Kerberos 4, and we don't want to
de-support Kerberos 4 so late in the RELENG_4 branch's life cycle.
FreeBSD 5, on the other hand, does not support Kerberos 4 (we dropped
it a year ago almost to the day), and has OpenSSH 3.8p1. I have
verified that it does not exhibit the bug you found in -STABLE.

You could try to install OpenSSH 3.8 from ports, but I've had several
reports of problems with DSA host keys when using the port.

BTW, in the future, I would appreciate if you could raise issues such
as this on the freebsd-security (at) freebsd (dot) org mailing list before taking
them to BUGTRAQ.

DES
--
Dag-Erling Smørgrav - des (at) des (dot) no
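
A small check for the situation described in the reply, where password and keyboard-interactive (PAM) authentication are both enabled in sshd_config. This is an added example, not part of the original message or of OpenSSH; it assumes the defaults stated in the reply and first-value-wins parsing, ignores Match blocks and included files, and uses constructed sample configurations.

```python
# Defaults as described in the reply above (both methods on unless disabled).
DEFAULTS = {
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
}
# Newer OpenSSH releases name the keyboard-interactive switch this way.
ALIASES = {"kbdinteractiveauthentication": "challengeresponseauthentication"}

def effective_auth(config_text):
    """Return the effective value of each tracked sshd_config keyword."""
    seen = {}
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        key = parts[0].lower()          # keywords are case-insensitive
        if key == "match":
            break                       # conditional blocks are out of scope here
        key = ALIASES.get(key, key)
        # sshd uses the first value it reads for a keyword; later ones are ignored.
        if key in DEFAULTS and key not in seen and len(parts) > 1:
            seen[key] = parts[1].lower()
    return {**DEFAULTS, **seen}

def both_enabled(config_text):
    """True when password and keyboard-interactive (PAM) auth are both on."""
    return all(v == "yes" for v in effective_auth(config_text).values())

# Constructed sample: everything commented out, so the defaults apply.
SAMPLE_STOCK = """\
#PasswordAuthentication yes
#ChallengeResponseAuthentication yes
"""

# Constructed sample: PAM prompts only; the later duplicate line is ignored.
SAMPLE_PAM_ONLY = """\
PasswordAuthentication no   # rely on keyboard-interactive
ChallengeResponseAuthentication yes
PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, text in (("stock", SAMPLE_STOCK), ("pam-only", SAMPLE_PAM_ONLY)):
        print(name, effective_auth(text), "both enabled:", both_enabled(text))
```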
