[!CrackMonkey!] [vab@CRYPTNET.NET: OpenSSH 3.4p1 Privsep (fwd)]
Shawn McMahon
smcmahon at eiv.com
Tue Sep 17 10:22:14 PDT 2002
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ----- Forwarded message from "V. Alex Brennen" <vab at CRYPTNET.NET> -----
Date: Tue, 17 Sep 2002 13:13:42 -0400
From: "V. Alex Brennen" <vab at CRYPTNET.NET>
Subject: OpenSSH 3.4p1 Privsep (fwd)
To: LINUX-L at LISTS.UFL.EDU
Reply-To: Platform Independent Linux List! <LINUX-L at LISTS.UFL.EDU>
OK, it's time to fork openSSH. Someone set up a FreeSSH website and
send a bunch of gripes about Theo to the list. Feel free to copy
from the BSD archive.
- VAB
- ---------- Forwarded message ----------
Date: Mon, 16 Sep 2002 17:48:42 -0400 (EDT)
From: Andrew Danforth <acd at weirdness.net>
To: bugtraq at securityfocus.com
Subject: OpenSSH 3.4p1 Privsep
During authentication, OpenSSH 3.4p1 with privsep enabled passes the
cleartext password from the main process to the privsep child using a
pipe. Using strace or truss, root can see the user's plaintext password
flying by. I observed this behavior from OpenSSH 3.4p1 built using GCC on
Solaris 2.8 and the current Debian OpenSSH 3.4p1 package.
Theo and Markus tell me that this is not an issue. Theo says that you
cannot prevent root from determining a user's password. I don't disagree,
but asked why OpenBSD bothers to encrypt user passwords at all if that is
his attitude.
The level of effort to determine cleartext passwords, for even the most
inexperienced Unix administrator, is almost zero given the above. I
realize that no matter how you slice it, it will be possible for root to
grab the password from wherever it's stored in memory. Or recompile sshd
to log the password, or any number of other ways. However, the methods I
just mentioned all require someone with significantly more know-how than:
truss -fp `cat /var/run/sshd.pid`
I'm not saying this is a bug, rather I thought it worthwhile to share with
the community and let you all come to your own conclusions.
Andrew
- ----- End forwarded message -----
- --
Shawn McMahon | Now is the time we should be celebrating
AIM work: spmcmahonfedex | the Constitution and the rule of law,
AIM home: smcmahoneiv | not abandoning it. - Neal Boortz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iEYEARECAAYFAj2HZMYACgkQEcl9bQ0RMt2sfgCg1TTm33ZTXSbNLd4/3ZGCtFd/
I1EAoP1jFyCueon2qKujMZKESLb33LNG
=vSWi
-----END PGP SIGNATURE-----
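The report above boils down to one mechanism: whatever the privileged side of a privsep design writes into a pipe is visible to anyone allowed to ptrace() that process, which is all that truss and strace do. The program below is an added example, not code from the thread or from OpenSSH. It forks a stand-in "monitor" that writes a constructed sample password ("hunter2", an assumption, not anything from the report) into a pipe, attaches to it the way strace -f -e trace=write does, stops at the write(2) entry, and copies the buffer out of the tracee's memory. The function names capture_pipe_write, peek_bytes and demo_sees_secret are this example's own. It is Linux x86_64 only, because it reads the syscall arguments from the x86_64 register layout.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/user.h>
#include <sys/wait.h>

#if !defined(__linux__) || !defined(__x86_64__)
#error "This demo reads syscall arguments from x86_64 Linux registers"
#endif

/* Constructed sample secret (an assumption for the demo); it stands in for
 * the password the privileged process hands to its unprivileged child. */
static const char SECRET[] = "hunter2\n";

/* Copy len bytes out of the tracee's address space one word at a time.
 * Returns 0 on success, -1 if PTRACE_PEEKDATA fails. */
static int peek_bytes(pid_t pid, unsigned long addr, char *out, size_t len)
{
    size_t done = 0;
    while (done < len) {
        errno = 0;
        long word = ptrace(PTRACE_PEEKDATA, pid, (void *)(addr + done), NULL);
        if (word == -1 && errno != 0)
            return -1;
        size_t n = len - done < sizeof word ? len - done : sizeof word;
        memcpy(out + done, &word, n);
        done += n;
    }
    return 0;
}

/* Fork a child that writes SECRET into a pipe, trace it with PTRACE_SYSCALL,
 * and capture the buffer of its first write(2) to that pipe.
 * Returns the number of bytes captured into out, or -1 on error. */
int capture_pipe_write(char *out, size_t outsz)
{
    int fds[2];
    if (pipe(fds) != 0)
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {
        /* tracee: the "monitor" side, handing the password down the pipe */
        close(fds[0]);
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) != 0)
            _exit(2);
        raise(SIGSTOP);                        /* let the tracer catch up */
        if (write(fds[1], SECRET, strlen(SECRET)) < 0)
            _exit(3);
        close(fds[1]);
        _exit(0);
    }

    /* tracer: what strace/truss does on our behalf */
    close(fds[1]);
    int status;
    int captured = 0;

    if (waitpid(pid, &status, 0) < 0 || !WIFSTOPPED(status)) {
        close(fds[0]);
        return -1;
    }

    for (;;) {
        if (ptrace(PTRACE_SYSCALL, pid, NULL, NULL) != 0)
            break;
        if (waitpid(pid, &status, 0) < 0)
            break;
        if (WIFEXITED(status) || WIFSIGNALED(status))
            break;

        struct user_regs_struct regs;
        if (ptrace(PTRACE_GETREGS, pid, NULL, &regs) != 0)
            break;

        /* At a syscall-entry stop on x86_64, rax holds -ENOSYS and orig_rax
         * the syscall number; write(fd, buf, len) arrives as rdi, rsi, rdx. */
        if ((long)regs.rax == -ENOSYS && regs.orig_rax == SYS_write
            && (int)regs.rdi == fds[1] && captured == 0) {
            size_t len = regs.rdx < outsz ? (size_t)regs.rdx : outsz;
            if (peek_bytes(pid, regs.rsi, out, len) == 0)
                captured = (int)len;
        }
    }
    close(fds[0]);
    return captured;
}

/* 1 if the tracer recovered exactly the bytes the child wrote to the pipe. */
int demo_sees_secret(void)
{
    char buf[64];
    int n = capture_pipe_write(buf, sizeof buf);
    return n == (int)strlen(SECRET) && memcmp(buf, SECRET, (size_t)n) == 0;
}

int main(void)
{
    char buf[64];
    int n = capture_pipe_write(buf, sizeof buf);
    if (n <= 0) {
        perror("capture_pipe_write");
        return 1;
    }
    printf("write(2) to the pipe carried %d bytes: %.*s", n, n, buf);
    return 0;
}
```

The tracee does nothing unusual: it is just a process writing to a pipe. Everything the tracer recovers comes from PTRACE_PEEKDATA on the write buffer, which is exactly why encrypting the password at rest does not help once someone with ptrace rights over sshd (root, or the sshd user itself) is watching the monitor's writes. On a system where Yama's ptrace_scope or a seccomp policy forbids attaching, capture_pipe_write returns -1 and the demo reports the failure instead of the secret.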