Mailinglist Archive: opensuse-security (334 mails)

Re: [suse-security] Portable OpenSSH Security Advisory: sshpam.adv
  • From: Roman Drahtmueller <draht@xxxxxxx>
  • Date: Wed, 24 Sep 2003 12:58:11 +0200 (MEST)
  • Message-id: <Pine.LNX.4.58.0309241254390.8068@xxxxxxxxxxxx>
>
> Please see below for details of another openssh advisory.
>
> Is the current patched version of SuSE vulnerable to this attack?

No, because those versions (2 versions) are not used in any SuSE product.

> The advisory warns that we are vulnerable if privsep is disabled - the
> most recent patch from SuSE disabled privsep by default!
>
> I like the idea of privsep, please can somebody at SuSE answer the
> following:
>
> 1. How do I re-enable privsep - is it enough to turn it on in the
> sshd_config?

Yes, and restarting/reloading the sshd process.

> 2. What is the problem with enabling privsep in the latest release?

Calling PAM routines is not suitable if not running as root. It just
doesn't work.

> 3. How do I check that privsep is actually working - there doesn't seem
> to be any record of it in the syslog.

Look at the processes while you are logged on via ssh. You should be able
to see that the sshd uses another uid.

> 4. I am used to restricting access to many services via the hosts.allow
> - will this help if there is an sshd exploit?
>

Yes. That's a sign of experience if you're using tcp_wrappers.
Independently of hosts.allow, access can be restricted in sshd_config,
too.

> Thanks
> Simon Oliver

You're welcome.

Roman.
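
The check described in the answer to question 3, as an added example that is not part of the original message: it reads `ps -eo user,pid,args` output and reports sshd processes that do not run as root. The function name `sshd_unprivileged` and both sample process listings are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original message).
# Reads `ps -eo user,pid,args` output on stdin and prints every sshd process
# that is NOT owned by root. Exit status: 0 if one was found, 1 otherwise.
sshd_unprivileged() {
    awk '
        NR == 1 && $1 == "USER" { next }   # skip the ps header line
        {
            cmd = $3
            sub(/^.*\//, "", cmd)          # /usr/sbin/sshd -> sshd
            sub(/:$/, "", cmd)             # "sshd:" (rewritten title) -> sshd
            if (cmd == "sshd" && $1 != "root") { print; found = 1 }
        }
        END { exit(found ? 0 : 1) }
    '
}

# Constructed sample: one login session with privilege separation enabled.
SAMPLE_PRIVSEP='USER       PID COMMAND
root       812 /usr/sbin/sshd
root      4021 sshd: simon [priv]
simon     4023 sshd: simon@pts/0
simon     4024 -bash'

# Constructed sample: the same session with privilege separation disabled.
SAMPLE_NO_PRIVSEP='USER       PID COMMAND
root       812 /usr/sbin/sshd
root      4021 sshd: simon@pts/0
simon     4024 -bash'

for name in SAMPLE_PRIVSEP SAMPLE_NO_PRIVSEP; do
    eval "data=\$$name"
    if printf '%s\n' "$data" | sshd_unprivileged; then
        echo "$name: privsep in effect"
    else
        echo "$name: every sshd process runs as root"
    fi
done

# On a live host, while logged in over ssh:
#   ps -eo user,pid,args | sshd_unprivileged
```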
