OpenSSH can mess up Linux-PAM's pam_access
Petr Pisar
May 26, 2005, 8:40 pm
I have found out that if an attacker can fake forward and reverse DNS
lookups, then pam_access can think the attacker is connected from
somewhere else (e.g. from a privileged host).
Let's have these steps:
1. /etc/security/access.conf at victim's server:
-:root:ALL EXCEPT 127.0.0.1
and /etc/pam.d/sshd contains:
account required pam_access.so
2. attacker connects from 188.8.131.52 to the server
3. sshd does gethostbyaddr("184.108.40.206")
4. attacker responds "localhost."
5. sshd does gethostbyname("localhost.")
6. attacker responds "220.127.116.11"
7. sshd finds out the DNS check passed and sets PAM_RHOST to "localhost"
8. sshd invokes the PAM authentication process via pam_authenticate()
9. libpam indirectly invokes match_from() in pam_access.so
10. match_from() does gethostbyname("localhost")
11. match_from() properly receives "127.0.0.1"
12. match_from() finds a match in /etc/security/access.conf
13. and finally pam_access returns PAM_SUCCESS
Proposed fix: sshd should always pass the rhost IP address to PAM.
pam_access is vulnerable only if the config file contains domain names. On
the other hand, a configuration based on IP addresses is resistant.
Re: OpenSSH can mess up Linux-PAM's pam_access
XSSO says that PAM_RHOST is "The remote host name." You can make sshd
use an IP address by setting "UseDNS no" in sshd_config.
The underlying problem is that the configuration is using an untrusted
source of data (ie DNS) for authentication decisions.
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
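As an added defensive check (not code from either poster), the following Python audit flags access.conf origins whose match depends on a resolved host name, as in the scenario described in the original post, and reports whether sshd_config applies the "UseDNS no" setting suggested in the reply. The sample access.conf is constructed (the host name bastion.example.com and the function names are assumptions); the treatment of an absent UseDNS option as enabled is also an assumption noted in the code.

```python
import ipaddress
import re

# Constructed sample access.conf; line 2 is the rule quoted in the original post.
SAMPLE_ACCESS_CONF = """\
# permission:users:origins
-:root:ALL EXCEPT 127.0.0.1
+:admins:bastion.example.com 192.0.2.0/24
-:ALL:ALL EXCEPT LOCAL
"""
# Origin tokens that pam_access matches without any DNS lookup.
KEYWORDS = {"ALL", "LOCAL", "EXCEPT"}

def is_address_origin(token):
    """True for an IP address/network or a dotted prefix such as '10.'."""
    try:
        ipaddress.ip_network(token, strict=False)
        return True
    except ValueError:
        return bool(re.fullmatch(r"(\d{1,3}\.){1,3}", token))

def name_based_origins(conf_text):
    """Return (line_no, origin) pairs whose match needs a resolved host name.
    Those rules can be satisfied by spoofed forward/reverse DNS whenever
    sshd hands pam_access a name instead of the peer's IP address."""
    findings = []
    for n, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        fields = line.split(":")
        if len(fields) < 3:  # blank line or not a permission:users:origins rule
            continue
        for origin in fields[2].split():
            if origin.upper() not in KEYWORDS and not is_address_origin(origin):
                findings.append((n, origin))
    return findings

def use_dns_enabled(sshd_config_text):
    """True unless sshd_config sets 'UseDNS no'; first occurrence wins, as in sshd.
    Assumption: an absent option counts as enabled, the default of that era."""
    for raw in sshd_config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.fullmatch(r"usedns\s+(\S+)", line, re.IGNORECASE)
        if m:
            return m.group(1).lower() != "no"
    return True

if __name__ == "__main__":
    for n, origin in name_based_origins(SAMPLE_ACCESS_CONF):
        print(f"access.conf line {n}: origin {origin!r} relies on DNS")
```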