[KLUG Members] [Fwd: SSH hole allows full control]

Jamie McCarthy members@kalamazoolinux.org
Thu, 2 Aug 2001 07:54:59 -0400


awilliam@whitemice.org (Adam Tauno Williams) writes:

> Just thought this one was worthy to note.

It is.

> Of course I've ***NEVER*** heard of or seen anyone use ssh in the
> manner described in this article (one or two character passwords)
> and anyone who did use it that way deserves everything that may
> come to them.

This article has its facts wrong.

> Hole Found in SSH Remote Access Software for Unix
> By Joris Evers
[...]
> Accounts with passwords that consist of two or fewer characters
> can be accessed without entering a password at all, SSH said in a
> statement on its Web site.

The actual flaw is that accounts whose _encrypted_ passwords
consist of two or fewer characters (some sources say exactly
two) can be accessed without entering a password at all.

It's a little complicated and it's too early for me to explain
it all out, but consider that unix crypt() uses the plaintext
first two characters of a password as its salt, and that these
two chars appear in the /etc/shadow file, and you'll start to
get the drift.  Basically OpenSSH's biggest flaw was that your
entry in /etc/shadow could be "!!", and you could enter
anything at all for a password, and it would salt-crypt your
attempt with "!!", producing a result whose first two chars
were "!!", and it would only compare against however long the
entry in /etc/shadow was... a real, real boneheaded mess.

Many flavors of unix use "*", "!", or "!!" as entries in
/etc/shadow that are supposed to mean "don't let anyone log
into this account, ever."  OpenSSH interpreted them to mean
"let everyone log into this account, without a password."
Oops.
--
 Jamie McCarthy
 jamie@mccarthy.vg
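Added example (not part of the original message or of any SSH implementation): the check described above, reduced to its essentials. The toy_crypt() function is a constructed stand-in for unix crypt(3) that keeps the one property the flaw depends on, namely that the first two characters of the output are the salt. flawed_check() compares only as many characters as the stored /etc/shadow entry is long, so a locked entry such as "!!" matches any password; hardened_check() refuses locked or short entries and compares the full hash in constant time. The user names, salts and passwords are made up for the demonstration.

```python
import hashlib
import hmac

# Constructed stand-in for traditional DES crypt(3): a 2-char salt followed
# by 11 characters derived from (salt, password), 13 characters in total.
# Not real crypt, but output[:2] == salt holds, as it does for crypt(3).
def toy_crypt(password: str, salt: str) -> str:
    salt = salt[:2]
    digest = hashlib.sha256((salt + password).encode()).hexdigest()[:11]
    return salt + digest

# Markers various unixes place in /etc/shadow to mean "no login, ever".
LOCKED_MARKERS = ("*", "!", "!!", "")

# Length of a genuine DES crypt hash (2 salt chars + 11 hash chars).
CRYPT_LEN = 13


def flawed_check(stored: str, attempt: str) -> bool:
    """Reproduces the bug described in the message: crypt the attempt with
    the stored entry as salt, then compare only len(stored) characters.
    For stored == "!!" the salt is copied verbatim to the front of the
    crypt output, so every attempt "matches"."""
    computed = toy_crypt(attempt, stored[:2])
    return computed[:len(stored)] == stored


def hardened_check(stored: str, attempt: str) -> bool:
    """Reject locked or malformed entries before hashing, then require the
    complete hash to match, using a constant-time comparison."""
    if stored in LOCKED_MARKERS or len(stored) != CRYPT_LEN:
        return False
    computed = toy_crypt(attempt, stored[:2])
    return hmac.compare_digest(computed, stored)


# Constructed sample /etc/shadow entries: one real user, one locked account.
SAMPLE_SHADOW = {
    "alice": toy_crypt("s3cret", "ab"),   # normal account
    "daemon": "!!",                       # locked account marker
}


def evaluate(check) -> dict:
    """Run a checker over the sample entries; returns which attempts pass."""
    return {
        "alice/correct": check(SAMPLE_SHADOW["alice"], "s3cret"),
        "alice/wrong": check(SAMPLE_SHADOW["alice"], "guess"),
        "daemon/anything": check(SAMPLE_SHADOW["daemon"], "anything at all"),
    }


if __name__ == "__main__":
    for name, check in (("flawed", flawed_check), ("hardened", hardened_check)):
        print(name, evaluate(check))
```

Running the block prints that the flawed checker accepts any password for the locked "daemon" entry while still behaving normally for "alice", and that the hardened checker rejects the locked entry. The fix is the explicit rejection of locked markers plus a full-length comparison; an entry that is shorter than a real hash must never be treated as a hash at all.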