No this has a nasty bite

No this has a nasty bite

[Prentis Brooks]

Alright, this is a problem... Corinna, if you happen to have a quick
solution before I start trying to dig around in the source, please let me
know.

Here is the problem:

You have RSA Authentication enabled and running as user foo on port 22.  You
have another Daemon running SSH with password authentication on port 26.  If
user bar sets up RSA keys in his/her home directory and then connects to
port 22, it will authenticate him/her via the keys in bar's home directory
and then promptly drop them to the shell as foo... this is bad.


Any ideas on how to:

1) Identify who the RSA enabled process is running under
2) Once one is known, ensure that the user coming in is the user we are
running under, rejecting if not.

Prentis


--
Want to unsubscribe from this list?
Send a message to cygwin-unsubscribe@sourceware.cygnus.com

[ANNOUNCEMENT]: patched openSSH-1.2.2 [was Re: No this has a nasty bite]

[Corinna Vinschen]

Prentis Brooks wrote:
> You have RSA Authentication enabled and running as user foo on port 22.  You
> have another Daemon running SSH with password authentication on port 26.  If
> user bar sets up RSA keys in his/her home directory and then connects to
> port 22, it will authenticate him/her via the keys in bar's home directory
> and then promptly drop them to the shell as foo... this is bad.

Should be solved in my new version. You will find it in

ftp://ftp.franken.de/pub/win32/develop/gnuwin32/cygwin/porters/Vinschen_Corinna/V1.1.1

files

	openssh-1.2.2-2.README
	openssh-1.2.2-2.tar.gz
	openssh-1.2.2-2.diff


Have fun,
Corinna

-- 
Corinna Vinschen
Cygwin Developer
Cygnus Solutions, a Red Hat company

--
Want to unsubscribe from this list?
Send a message to cygwin-unsubscribe@sourceware.cygnus.com

RE: [ANNOUNCEMENT]: patched openSSH-1.2.2 [was Re: No this has a nasty bite]

[Prentis Brooks]

Thanks Corinna,
	I will not be in the office until Tuesday (Memorial Day holiday here in the
US).  At that time I will apply your updated binaries and continue from
there.  Also, I quickly glanced through the diff file but did not see how
you corrected this... or at least you corrected it in a way completely
different from what I was looking to do.  Would you mind telling me how you
solved the problem of unauthorized access to a another account?
(specifically, being able to login to RSA enabled SSHD eventhough your RSA
key is not part of that SSHD's user's authorized_key file.)

-----Original Message-----
From: corinna@snoopy.vinschen.de [ mailto:corinna@snoopy.vinschen.de]On
Behalf Of Corinna Vinschen
Sent: Saturday, May 27, 2000 5:35 PM
To: Prentis Brooks
Cc: Cygwin
Subject: [ANNOUNCEMENT]: patched openSSH-1.2.2 [was Re: No this has a
nasty bite]


Prentis Brooks wrote:
> You have RSA Authentication enabled and running as user foo on port 22.
You
> have another Daemon running SSH with password authentication on port 26.
If
> user bar sets up RSA keys in his/her home directory and then connects to
> port 22, it will authenticate him/her via the keys in bar's home directory
> and then promptly drop them to the shell as foo... this is bad.

Should be solved in my new version. You will find it in

ftp://ftp.franken.de/pub/win32/develop/gnuwin32/cygwin/porters/Vinschen_Cori
nna/V1.1.1

files

	openssh-1.2.2-2.README
	openssh-1.2.2-2.tar.gz
	openssh-1.2.2-2.diff


Have fun,
Corinna

--
Corinna Vinschen
Cygwin Developer
Cygnus Solutions, a Red Hat company


--
Want to unsubscribe from this list?
Send a message to cygwin-unsubscribe@sourceware.cygnus.com

Re: [ANNOUNCEMENT]: patched openSSH-1.2.2 [was Re: No this has a nasty bite]

[Corinna Vinschen]

Prentis Brooks wrote:
> different from what I was looking to do.  Would you mind telling me how you
> solved the problem of unauthorized access to a another account?
> (specifically, being able to login to RSA enabled SSHD eventhough your RSA
> key is not part of that SSHD's user's authorized_key file.)

Password authentication leads to a valid hToken, any
other authentication leads to hToken == INVALID_HANDLE_VALUE.
So after authentication I check for non-password authentication
and equality of getuid() to uid of authenticated user.

==== SNIP ====
@@ -1498,6 +1529,13 @@ do_authloop(struct passwd * pw)
                        break;
                }

+#ifdef __CYGWIN__
+                if (is_winnt && hToken == INVALID_HANDLE_VALUE &&
+                    authenticated && getuid() != pw->pw_uid) {
+                        packet_disconnect("Authentication rejected for
uid %d.", (int) pw->pw_uid);
+                        authenticated = 0;
+                }
+#endif
                /* Raise logging level */
                if (authenticated ||
                    attempt == AUTH_FAIL_LOG ||
==== SNAP ====

Corinna

-- 
Corinna Vinschen
Cygwin Developer
Cygnus Solutions, a Red Hat company

--
Want to unsubscribe from this list?
Send a message to cygwin-unsubscribe@sourceware.cygnus.com

RE: [ANNOUNCEMENT]: patched openSSH-1.2.2 [was Re: No this has a nasty bite]

[Prentis Brooks]

Corinna,
	your patches work great, one last quick question, then I am done, I hope
:).  There is apparently an RSAREF patch out there with a buffer overflow
problem, I am still trying to track down the patch number.  If you happen to
know of it, did you apply that patch to the OpenSSL code?  If you don't know
of the one I am talking about, then I guess there is not much we can do
until I find that patch number ;)

Thanks

-----Original Message-----
From: cygwin-owner@sourceware.cygnus.com
[ mailto:cygwin-owner@sourceware.cygnus.com]On Behalf Of Corinna Vinschen
Sent: Sunday, May 28, 2000 5:25 AM
To: Prentis Brooks
Cc: cygwin
Subject: Re: [ANNOUNCEMENT]: patched openSSH-1.2.2 [was Re: No this has
a nasty bite]


Prentis Brooks wrote:
> different from what I was looking to do.  Would you mind telling me how
you
> solved the problem of unauthorized access to a another account?
> (specifically, being able to login to RSA enabled SSHD eventhough your RSA
> key is not part of that SSHD's user's authorized_key file.)

Password authentication leads to a valid hToken, any
other authentication leads to hToken == INVALID_HANDLE_VALUE.
So after authentication I check for non-password authentication
and equality of getuid() to uid of authenticated user.

==== SNIP ====
@@ -1498,6 +1529,13 @@ do_authloop(struct passwd * pw)
                        break;
                }

+#ifdef __CYGWIN__
+                if (is_winnt && hToken == INVALID_HANDLE_VALUE &&
+                    authenticated && getuid() != pw->pw_uid) {
+                        packet_disconnect("Authentication rejected for
uid %d.", (int) pw->pw_uid);
+                        authenticated = 0;
+                }
+#endif
                /* Raise logging level */
                if (authenticated ||
                    attempt == AUTH_FAIL_LOG ||
==== SNAP ====

Corinna

--
Corinna Vinschen
Cygwin Developer
Cygnus Solutions, a Red Hat company

--
Want to unsubscribe from this list?
Send a message to cygwin-unsubscribe@sourceware.cygnus.com


--
Want to unsubscribe from this list?
Send a message to cygwin-unsubscribe@sourceware.cygnus.com

Re: [ANNOUNCEMENT]: patched openSSH-1.2.2 [was Re: No this has a nasty bite]

[Corinna Vinschen]

Prentis Brooks wrote:
> Corinna,
>         your patches work great, one last quick question, then I am done, I hope
> :).  There is apparently an RSAREF patch out there with a buffer overflow
> problem, I am still trying to track down the patch number.  If you happen to
> know of it, did you apply that patch to the OpenSSL code?  If you don't know
> of the one I am talking about, then I guess there is not much we can do
> until I find that patch number ;)

RSAREF isn't used in the openSSL port.

Corinna

--
Want to unsubscribe from this list?
Send a message to cygwin-unsubscribe@sourceware.cygnus.com

RE: [ANNOUNCEMENT]: patched openSSH-1.2.2 [was Re: No this has a nasty bite]

[Prentis Brooks]

Yes, that is the error I am trying to resolve... but after digging through
the OpenSSL source.... is RSAREF compiled in, or is it using SSLeay?  Or
does it matter?  *grin*

-----Original Message-----
From: Richard Hitt [ mailto:rbh00@netcom.com ]
Sent: Tuesday, May 30, 2000 3:02 PM
To: Prentis Brooks
Subject: Re: [ANNOUNCEMENT]: patched openSSH-1.2.2 [was Re: No this has
a nasty bite]


Hi All

I came across what might be a related URL:
http://www.ssh.com/products/ssh/patches/patch-ssh-1.2.27-rsaref.buffer.overf
low

hth

Richard

On Tue, 30 May 2000 14:19:27 -0400, you wrote:

>Corinna,
>	your patches work great, one last quick question, then I am done, I hope
>:).  There is apparently an RSAREF patch out there with a buffer overflow
>problem, I am still trying to track down the patch number.  If you happen
to
>know of it, did you apply that patch to the OpenSSL code?  If you don't
know
>of the one I am talking about, then I guess there is not much we can do
>until I find that patch number ;)
>
>Thanks
>
>-----Original Message-----
>From: cygwin-owner@sourceware.cygnus.com
>[ mailto:cygwin-owner@sourceware.cygnus.com]On Behalf Of Corinna Vinschen
>Sent: Sunday, May 28, 2000 5:25 AM
>To: Prentis Brooks
>Cc: cygwin
>Subject: Re: [ANNOUNCEMENT]: patched openSSH-1.2.2 [was Re: No this has
>a nasty bite]
>
>
>Prentis Brooks wrote:
>> different from what I was looking to do.  Would you mind telling me how
>you
>> solved the problem of unauthorized access to a another account?
>> (specifically, being able to login to RSA enabled SSHD eventhough your
RSA
>> key is not part of that SSHD's user's authorized_key file.)
>
>Password authentication leads to a valid hToken, any
>other authentication leads to hToken == INVALID_HANDLE_VALUE.
>So after authentication I check for non-password authentication
>and equality of getuid() to uid of authenticated user.
>
>==== SNIP ====
>@@ -1498,6 +1529,13 @@ do_authloop(struct passwd * pw)
>                        break;
>                }
>
>+#ifdef __CYGWIN__
>+                if (is_winnt && hToken == INVALID_HANDLE_VALUE &&
>+                    authenticated && getuid() != pw->pw_uid) {
>+                        packet_disconnect("Authentication rejected for
>uid %d.", (int) pw->pw_uid);
>+                        authenticated = 0;
>+                }
>+#endif
>                /* Raise logging level */
>                if (authenticated ||
>                    attempt == AUTH_FAIL_LOG ||
>==== SNAP ====
>
>Corinna
>
>--
>Corinna Vinschen
>Cygwin Developer
>Cygnus Solutions, a Red Hat company
>
>--
>Want to unsubscribe from this list?
>Send a message to cygwin-unsubscribe@sourceware.cygnus.com


--
Want to unsubscribe from this list?
Send a message to cygwin-unsubscribe@sourceware.cygnus.com