[KLUG Members] [Fwd: SSH hole allows full control]

[Adam Tauno Williams]

Just thought this one was worthy to note.  Of course I've ***NEVER*** 
heard of or seen anyone use ssh in the manner described in this article
(one or two character passwords) and anyone who did use it that was
deserves everything that may come to them.  And I have no idea what these
"several administrative accounts" are,  neither my Linux or AIX boxes came
with anything that could be described as such.  nobody, etc...,  all have
a shell of /bin/false,  good luck logging.....
---------------------------------------------------------
Hole Found in SSH Remote Access Software for Unix
By Joris Evers

A flaw in SSH Secure Shell 3.0.0 remote access software for Unix could 
allow attackers to get full control over servers and workstations 
running various flavors of Unix, software maker SSH Communications 
Security Corp. warned.

The problem lies in the software's password authentication. Accounts 
with passwords that consist of two or fewer characters can be accessed 
without entering a password at all, SSH said in a statement on its Web 
site.

Such a short password isn't likely for a regular user account, but is 
common for several administrative accounts used to manage specific 
parts of the server. These accounts, which are installed by default 
when the operating system is installed, have standard login names and 
passwords and are normally only accessible locally.

"Although these administrative accounts have few privileges, it is 
fairly easy to move on, become root, and gain full access over the 
machine," said Janne Saarikko, product manager for Secure Shell at SSH 
in Finland, in an interview.

Millions of people worldwide use SSH Secure Shell; the software has 
become the de-facto standard for encrypted terminal connections and 
secure file transfers, according to SSH. The software is provided free 
for academic and noncommercial use, which adds to its popularity. SSH 
qualifies the flaw as "a serious problem" and advises all users of 
Secure Shell 3.0.0 to immediately upgrade to version 3.0.1.

SSH Secure Shell 3.0.0 for Unix workstations is also flawed. 
Unauthorized users could access the system if the user has the "sshd2" 
daemon for remote access running, SSH said.

"The workstation can be used as a limited server, which is quite 
common," Saarikko said.

Affected systems are various versions of Sun Microsystems Inc.'s 
Solaris and Hewlett-Packard Co.'s HP-UX as well as various Linux 
versions from Red Hat Inc., Caldera Systems Inc. and SuSE Linux AG, SSH 
said. 

Version 3.0.0 of Secure Shell has only been on the market since June 
21, which mitigates the seriousness of the flaw, according to SSH.

"This version hasn't gone out to many customers," Saarikko said.

Jurrien Wijlhuizen, who manages 10 servers running Debian Linux at the 
Amsterdam-based Internet services company GUTS Digital Communications 
BV and uses Secure Shell, agreed.

"The flaw has no consequences for us. We use an older version of Secure 
Shell, a version that has been around for a while and has a proven 
track record. The newer version might have more features, but that 
doesn't weigh up against the security risk," he said.

Wijlhuizen qualified the hole as "a big goof up" by SSH and said that 
serious damage could be done to vulnerable machines, including deleting 
the entire system and accessing other systems connected to the Unix box.