bugzilla-daemon at mindrot.org
2003-Nov-13 22:29 UTC
[Bug 758] if authorized keys exchanged, regular user can gain
http://bugzilla.mindrot.org/show_bug.cgi?id=758

Summary: if authorized keys exchanged, regular user can gain
Product: Portable OpenSSH
Version: 3.6.1p2
Platform: ix86
URL: http://www.mainelinesys.com
OS/Version: Linux
Status: NEW
Severity: security
Priority: P2
Component: ssh
AssignedTo: openssh-bugs at mindrot.org
ReportedBy: curtis at maurand.com

If an authorized key (~/.ssh/authorized_keys2) for root on one machine has been exchanged to another machine and a normal user issues, from the first machine, ssh -l root machine2, the normal user on machine one will be logged in as root on machine2.

Steps to recreate:

On Machine #1:
1. Make yourself root
2. ssh-keygen -b 2048 -t dsa
3. scp .ssh/id_dsa.pub root@machine2:/root (you must enter a password at this point)
4. exit the root shell to normal shell

On Machine #2:
1. Make yourself root
2. cat id_dsa.pub >>.ssh/authorized_keys2
3. logout

On Machine #1: (note, you should be a normal user now.)
1. ssh -l root machine2
2. You are now logged into machine #2 as root without entering a password.

Thought you should know this. I tested between 2 RedHat 9.0 machines.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2003-Nov-13 22:45 UTC
[Bug 758] if authorized keys exchanged, regular user can gain
http://bugzilla.mindrot.org/show_bug.cgi?id=758

------- Additional Comments From dtucker at zip.com.au 2003-11-13 15:45 -------

Please attach (note: use "create attachment", don't paste into a comment) the output of "ssh -vvv -l root machine2" from your last step.

Also, is your ssh program setuid root?

Can you reproduce with the current version (3.7.1p2)?
bugzilla-daemon at mindrot.org
2003-Nov-14 00:40 UTC
[Bug 758] if authorized keys exchanged, regular user can gain
http://bugzilla.mindrot.org/show_bug.cgi?id=758

------- Additional Comments From mouring at eviladmin.org 2003-11-13 17:40 -------

I can't reproduce this on any platform I own.

$ echo ~/
/home/mouring/
$ id
uid=1001(mouring) gid=1001(mouring) groups=1001(mouring), 0(wheel), 1000(cvs)
$ su
Password:
# ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/root/.ssh/id_dsa):

Check your ~user/.ssh/ vs check your ~root/.ssh/

ssh being setuid or not will not make a bit of difference because such a case is already handled by ssh.c:main().

- Ben
bugzilla-daemon at mindrot.org
2003-Nov-14 00:59 UTC
[Bug 758] if authorized keys exchanged, regular user can gain
http://bugzilla.mindrot.org/show_bug.cgi?id=758

------- Additional Comments From jason at devrandom.org 2003-11-13 17:59 -------

I can't reproduce this on Linux (Redhat 9, Fedora Core1 and Gentoo) at all:

jason@sith jason $ pwd
/home/jason
jason@sith jason $ id
uid=500(jason) gid=100(users) groups=100(users),10(wheel)
jason@sith jason $ su -
Password:
sith root # cd .ssh/
sith .ssh # ls
known_hosts
sith .ssh # ssh-keygen -b 2048 -t dsa
sith .ssh # ls
id_dsa id_dsa.pub known_hosts
sith .ssh # scp id_dsa.pub root@banshee:/root
root@banshee's password:
id_dsa.pub 100% 1111 0.0KB/s 00:00
sith .ssh # exit

[root@banshee root]# ls
anaconda-ks.cfg id_dsa.pub install.log install.log.syslog mail sslcert
[root@banshee root]# cat id_dsa.pub >> .ssh/authorized_keys2
[root@banshee root]#

jason@sith jason $ ssh root@banshee
root@banshee's password:
Last login: Thu Nov 13 19:45:03 2003 from sith.devrandom.org
[root@banshee root]#

Are you sure you're not somehow still logged in as root or have root's key somehow stored in your SSH Agent?
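
The checks suggested in the replies above (compare ~user/.ssh with ~root/.ssh, and look at what the agent holds) come down to asking which public key the unprivileged account can actually offer. The following is an added example, not part of the thread and not OpenSSH code: it matches public-key lines against an authorized_keys2 file by key blob. The function names and all key data are constructed for illustration.

```python
import base64
import re

KEY_TYPE = re.compile(r"^(ssh-|ecdsa-|sk-)")  # public-key algorithm name prefixes

def split_fields(line):
    """Split on whitespace; double-quoted option values stay in one field."""
    fields, cur, quoted, prev = [], "", False, ""
    for ch in line.strip() + " ":
        if ch == '"' and prev != "\\":
            quoted = not quoted
        if ch.isspace() and not quoted:
            if cur:
                fields.append(cur)
            cur = ""
        else:
            cur += ch
        prev = ch
    return fields

def key_of(line):
    """Return (type, blob) from a .pub / authorized_keys line, or None."""
    fields = [] if line.lstrip().startswith("#") else split_fields(line)
    for i, tok in enumerate(fields[:-1]):
        if KEY_TYPE.match(tok):
            try:
                blob = base64.b64decode(fields[i + 1], validate=True)
            except ValueError:
                return None
            # The blob opens with a length-prefixed copy of the key type.
            n = int.from_bytes(blob[:4], "big")
            return (tok, blob) if blob[4:4 + n] == tok.encode() else None
    return None

def accepted_sources(authorized_keys, sources):
    """Sources whose key blob is listed in authorized_keys (options are ignored)."""
    allowed = {k for k in map(key_of, authorized_keys.splitlines()) if k}
    return sorted(name for name, text in sources.items()
                  if any(key_of(l) in allowed for l in text.splitlines()))

def fake_pub(seed):
    """Constructed stand-in for a DSA public-key line (not real key material)."""
    body = (7).to_bytes(4, "big") + b"ssh-dss" + seed * 16
    return "ssh-dss " + base64.b64encode(body).decode() + " constructed"

ROOT_PUB, USER_PUB = fake_pub(b"R"), fake_pub(b"U")
AUTHORIZED_KEYS2 = '# root on machine2\nfrom="machine1",no-pty ' + ROOT_PUB + "\n"
# Constructed case: the normal user's own key differs, but the agent holds root's.
SOURCES = {"~user/.ssh/id_dsa.pub": USER_PUB, "ssh-add -L": ROOT_PUB}
print(accepted_sources(AUTHORIZED_KEYS2, SOURCES))  # ['ssh-add -L']
```

On a real host the inputs would be the contents of the account's ~/.ssh/*.pub files and the output of ssh-add -L, compared against root's authorized_keys2 on the target machine.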