Bugtraq mailing list archives

Re: SSH 1.x and 2.x Daemon

From: woods () MOST WEIRD COM (Greg A. Woods)
Date: Tue, 9 Feb 1999 13:46:09 -0500


[ On Monday, February 8, 1999 at 12:08:28 (-0500), Tibor Toronyi wrote: ]

Subject: Re: SSH 1.x and 2.x Daemon

As a side note (after checking into this problem), I noticed that the
server code ONLY checks for "*LK*" in the password field to see if the
person is disabled.  Not sure of other places but we've had to modify the
code a bit so that instead of

    if ((strncmp(passwd,"*LK*", 4) == 0)

I'd recommend

    if ((strchr (passwd, '*') != (char *) NULL)


I noticed this some time ago too (October 1997) and I even submitted
patches to not only avoid hard-coding the uncommonly used "*LK*" string
but to in fact to obey the real rule used by the standard Unix to lock
an account, which is to check if the length of the encrypted password
field.

No standard Unix 64-bit password can ever be encoded as anything but 11
characters plus 2 more for the "salt".  Any field that is less than 13
characters can never match a valid password and will always result in a
locked account.  To be ultra careful any field longer than 13 characters
should be searched for illegal characters, i.e. any non-alpha-numeric or
not '.' and '/'.  However in practice one can also assume that any field
longer than 13 characters results in a locked account.

(This would then require custom checks to be added for systems such as
FreeBSD which don't use the standard Unix DES 64-bit password
encryption, but that's not so hard to do.  I didn't submit patches for
FreeBSD at the time because I didn't use FreeBSD at the time.)

Of course the relative importance of this test is quite low as it only
assists in debugging on the server side.  Note that in ssh-1.x sshd.c
only employs this test *after* check to see if the client user responded
with a valid password.  Ssh-2.x checks if the account is locked before
going to the trouble of validating the supplied password, but I think
the effect is the same from the client's perspective.  (There are too
many goto's in that code! ;-)

--
                                                        Greg A. Woods

+1 416 218-0098      VE3TCP      <gwoods () acm org>      <robohack!woods>
Planix, Inc. <woods () planix com>; Secrets of the Weird <woods () weird com>

Current thread:

Re: SSH 1.x and 2.x Daemon Tibor Toronyi (Feb 08)
- Another Windows98 Bug... Scott (Feb 09)
  - Re: Another Windows98 Bug... Jensen Allan AJE (Feb 12)
    - mc & Segmentation fault shaman (Feb 12)
    - Re: Another Windows98 Bug... Nick Lamb (Feb 12)
- Re: SSH 1.x and 2.x Daemon Brandon S. Allbery (Feb 09)
- Re: SSH 1.x and 2.x Daemon Greg A. Woods (Feb 09)
  - Re: SSH 1.x and 2.x Daemon Casper Dik (Feb 11)
    - Re: SSH 1.x and 2.x Daemon Kevin Vajk (Feb 12)
  - Rainbow Six Buffer Overflow..... Brian Gemberling (Feb 11)
- Access 97 Password Unmasker Nate Lawson (Feb 09)
- Lynx /tmp problem Juan Diego Bolanos (Feb 09)
  - Re: Lynx /tmp problem Theo de Raadt (Feb 11)
  - Re: Lynx /tmp problem Glynn Clements (Feb 12)
    - Re: Lynx /tmp problem Piotr Klaban (Feb 15)
- <Possible follow-ups>
- Re: SSH 1.x and 2.x Daemon der Mouse (Feb 11)
- Re: SSH 1.x and 2.x Daemon Ronny Cook (Feb 11)