Markus Friedl
2000-Jun-09 15:06 UTC
OpenSSH's UseLogin option allows remote access with root privilege.
OpenSSH's UseLogin option allows remote access with root privilege.

1. Systems affected:

   The default installation of OpenSSH is not vulnerable, since UseLogin defaults to 'no'. However, if UseLogin is enabled, all versions of OpenSSH prior to 2.1.1 are affected.

2. Description:

   If the UseLogin option is enabled the OpenSSH server (sshd) does not switch to the uid of the user logging in. Instead, sshd relies on login(1) to do the job. However, if the user specifies a command for remote execution login(1) cannot be used and sshd fails to set the correct user id. The command is run with the same privilege as sshd (usually with root privilege).

3. Impact:

   If the administrator enables UseLogin users can get privileged access to the server running sshd.

4. Short Term Solution:

   Do not enable UseLogin on your machines or disable UseLogin again in /etc/sshd_config:

       UseLogin no

5. Solution:

   Upgrade to OpenSSH-2.1.1 or apply the attached patch. OpenSSH-2.1.1 is available from www.openssh.com.

Appendix:

1. OpenSSH-1.2.2 --- sshd.c.orig Thu Jan 20 18:58:39 2000 +++ sshd.c Tue Jun 6 10:12:00 2000 @@ -2231,6 +2231,10 @@ struct stat st; char *argv[10]; + /* login(1) is only called if we execute the login shell */ + if (options.use_login && command != NULL) + options.use_login = 0; + f = fopen("/etc/nologin", "r"); if (f) { /* /etc/nologin exists. Print its contents and exit. */ 2. OpenSSH-1.2.3 --- sshd.c.orig Mon Mar 6 22:11:17 2000 +++ sshd.c Tue Jun 6 10:14:07 2000 @@ -2250,6 +2250,10 @@ struct stat st; char *argv[10]; + /* login(1) is only called if we execute the login shell */ + if (options.use_login && command != NULL) + options.use_login = 0; + f = fopen("/etc/nologin", "r"); if (f) { /* /etc/nologin exists. Print its contents and exit. */ 3. OpenSSH-2.1.0 --- session.c.orig Wed May 3 20:03:07 2000 +++ session.c Tue Jun 6 10:10:50 2000 
@@ -744,6 +744,10 @@ struct stat st; char *argv[10]; + /* login(1) is only called if we execute the login shell */ + if (options.use_login && command != NULL) + options.use_login = 0; + f = fopen("/etc/nologin", "r"); if (f) { /* /etc/nologin exists. Print its contents and exit. */ EOF
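Review bot: In each of the three hunks the added `options.use_login = 0;` overwrites the configured option in place instead of deriving a local flag, so any code that reads `options.use_login` after this point can no longer tell what the administrator set; a local such as `use_login = options.use_login && command == NULL` would leave the configuration untouched. The new comment also states only when login(1) is called; it should add why the flag must be cleared here, namely that with a remote command sshd has to switch to the user's uid itself, which is the reason the advisory gives.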
Gregory Steuck
2000-Jun-09 15:30 UTC
OpenSSH's UseLogin option allows remote access with root privilege.
>>>>> "Markus" == Markus Friedl <markus.friedl at informatik.uni-erlangen.de> writes:

Markus> OpenSSH's UseLogin option allows remote access with root
Markus> privilege. 1. Systems affected:
Markus> The default installation of OpenSSH is not vulnerable,
Markus> since UseLogin defaults to 'no'. However, if UseLogin is
Markus> enabled, all versions of OpenSSH prior to 2.1.1 are
Markus> affected.

Could you clarify if the following lines from
http://www.openbsd.org/plus.html are true then?

"Do not use the (non-default) UseLogin option in OpenSSH 2.1.*, it has
a hole on other operating systems and does not work right in OpenBSD."
                                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Is OpenBSD with "UseLogin yes" vulnerable or not (even though it's not
default)?

Bye
Greg
Markus Friedl
2000-Jun-09 15:56 UTC
OpenSSH's UseLogin option allows remote access with root privilege.
> Is OpenBSD with "UseLogin yes" vulnerable or not (even though it's not
> default)?

all systems running OpenSSH with UseLogin=yes are vulnerable.
however, it was not possible for me to make this

    $ ssh openbsdhost id

work on OpenBSD+OpenSSH+UseLogin.
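The advisory's short-term fix depends on knowing whether UseLogin is actually enabled in sshd_config. The following audit sketch is an added example, not part of the original thread or of OpenSSH. The function name `uselogin_state`, the sample files and the parsing rules (case-insensitive keyword, optional `=`, first value wins) are assumptions of this example.

```sh
#!/bin/sh
# Added example: report the effective UseLogin setting of an sshd_config.
# Return codes: 0 = disabled or unset, 1 = enabled, 2 = unreadable/unknown.
uselogin_state() {
    cfg=$1
    [ -r "$cfg" ] || { echo "unreadable"; return 2; }
    val=$(awk '
        /^[ \t]*(#|$)/ { next }               # skip comments and blank lines
        {
            sub(/^[ \t]+/, "")                # drop leading blanks
            sub(/[ \t]*=[ \t]*/, " ")         # tolerate "Keyword=value"
            if (tolower($1) == "uselogin") {  # keyword match ignores case
                v = tolower($2); gsub(/"/, "", v)
                print v; exit                 # assumed: first value wins
            }
        }' "$cfg")
    case $val in
        "")  echo "unset"; return 0 ;;        # advisory: default is no
        no)  echo "no";    return 0 ;;
        yes) echo "yes";   return 1 ;;
        *)   echo "unknown:$val"; return 2 ;;
    esac
}

# Constructed sample configurations (not taken from any real host).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '%s\n' '# default install' 'Port 22' '#UseLogin yes' > "$demo_dir/default"
printf '%s\n' 'Port 22' '  uselogin = YES' 'UseLogin no'   > "$demo_dir/enabled"
printf '%s\n' 'Port 22' 'UseLogin no'                       > "$demo_dir/disabled"

for f in default enabled disabled; do
    state=$(uselogin_state "$demo_dir/$f") && rc=0 || rc=$?
    echo "$f: UseLogin=$state (rc=$rc)"
done
```

A return code of 1 on a host running a version prior to 2.1.1 means the advisory applies to it.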