Bugtraq mailing list archives

Re: SSH 1.x and 2.x Daemon


From: yutaka () OIWA SHIBUYA TOKYO JP (Yutaka OIWA)
Date: Tue, 26 Jan 1999 01:16:55 +0900


On Sat, 23 Jan 1999 17:06:44 -0500, KuRuPTioN <kuruption () CHA0S COM> said:

KuRuPTioN> There seems to be incomplete code in the SSH daemon in both versions 1.2.27
KuRuPTioN> and 2.0.11 (only tested).  The bug simply allows users with expired
KuRuPTioN> accounts (in /etc/shadow) to continue to login even though other such
KuRuPTioN> services such as ftp and telnet deny access.  Here is the log using 1.2.27
KuRuPTioN> (but the same happens with 2.0.11).

It seems to be a bug in the configure script.  From my quick look
at the source code, the possibly vulnerable environments are

  - sshd 1.2.26 on
      * Linux, Irix5, Irix6, Ultrix, Convex
  - sshd 2.0.11 on
      * Almost all platforms with account expiration and without
        usersec.h(?)

To check whether the sshd is vulnerable, execute the command

  strings sshd | grep expire

and see whether the message for ACCOUNT expiration exists.
(There may be a message for password expiration.)

Adding
  #define HAVE_STRUCT_SPWD_EXPIRE 1
to the appropriate header file (do this after ./configure) may solve the
problem (sorry, not tested).

Detail:
  In ssh 1.2.26, the check for shadow passwd existence is bypassed on
  some platforms. However, the check for sp_expire existence is done
  in the bypassed section of the configure script.
  In ssh 2.0.11, no check seems to be done for sp_expire. (true?)

--
Yutaka Oiwa      Yonezawa Lab., Department of Information Science,
                          Faculty of Science, University of Tokyo.
  Email: <oiwa () is s u-tokyo ac jp>, <yutaka () oiwa shibuya tokyo jp>
PGP fingerprint = C9 8D 5C B8 86 ED D8 07  EA 59 34 D8 F4 65 53 61
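
The failure mode described in the message above, as an added example (not code from the post or from the ssh sources): an account-expiry check guarded by HAVE_STRUCT_SPWD_EXPIRE compiles to nothing when configure never defines the macro, so every account is reported as valid. The function names, the "today >= sp_expire" comparison and the sample entry are assumptions made for illustration.

```c
#include <shadow.h>
#include <stdio.h>
#include <time.h>

/* Normally written to config.h by ./configure; defined by hand here, as the
 * post suggests. Delete this line to reproduce the fail-open build. */
#define HAVE_STRUCT_SPWD_EXPIRE 1

/* Hypothetical helper: 1 if the shadow entry's account expiry day has been
 * reached. sp_expire is in days since 1970-01-01; -1 means "never expires". */
int account_expired(const struct spwd *sp, long today)
{
#ifdef HAVE_STRUCT_SPWD_EXPIRE
    if (sp != NULL && sp->sp_expire != -1 && today >= sp->sp_expire)
        return 1;
#else
    /* Macro missing: the check is silently compiled out and login proceeds. */
    (void)sp;
    (void)today;
#endif
    return 0;
}

/* Hypothetical self-test hook: lets the daemon log or refuse to start when
 * the expiry check was not compiled in, instead of failing open silently. */
int expiry_check_compiled_in(void)
{
#ifdef HAVE_STRUCT_SPWD_EXPIRE
    return 1;
#else
    return 0;
#endif
}

int main(void)
{
    /* Constructed sample entry; a real daemon would call getspnam(user). */
    struct spwd sample = { .sp_namp = "olduser", .sp_expire = 10000 };
    long today = (long)(time(NULL) / 86400L);

    printf("expiry check compiled in: %d\n", expiry_check_compiled_in());
    printf("%s expired: %d\n", sample.sp_namp, account_expired(&sample, today));
    return 0;
}
```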


