Educause Security Discussion mailing list archives

Re: SSH password capture


From: Scott Beardsley <scott () CSE UCDAVIS EDU>
Date: Mon, 28 Jun 2010 10:07:49 -0700

what
is everyone else doing to manage system updates in their *nix (and/or
heterogeneous) environments?

We are 100% linux so we aren't exactly heterogeneous but we do use both
debian-based and redhat-based distros. For system updates we maintain an
on-site mirror of all third-party software, all our machines point to it
(we disable the fastestmirror "feature"). On some systems we enable auto
updates[1,2], on others we prefer to update manually. We use puppet for
config management and cobbler for provisioning.

We recently found trojan openssh programs on a few machines, busy
logging passwords in and out.

Hopefully you've reinstalled these machines, forced a password change
for all users, and notified your users. Any idea how they got in?

I just wondered if anyone else had been hit by this,

Not since we disabled passwords on our ssh servers. We are lucky in that
we don't store *any* passwords or password hashes on our machines. So
even if the bad guys get in they aren't going to get too far.

If you do move to keys-only access be sure to have a mechanism to audit
your users' keys against a blacklist. There are a ton of keys out there
that are "known compromised" (ahem debian ahem).

Scott
------------
[1]
http://linuxsoft.cern.ch/cern/slc55/updates/x86_64/SRPMS/repoview/yum-autoupdate.html
[2] https://wiki.ubuntu.com/AutomaticUpdates
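The key-audit mechanism Scott recommends, as an added example that is not part of the original post or of the Debian/Ubuntu tooling it links to. The script below parses OpenSSH `authorized_keys` lines (including entries with a leading options field), computes the OpenSSH-style `SHA256:` fingerprint of each key blob, and reports keys that are on a blacklist of known-compromised fingerprints, use a weak key type, or are short RSA keys. The blacklist, the key material and the `MIN_RSA_BITS` threshold are all constructed assumptions for the demonstration: the blobs are syntactically valid SSH wire-format keys with dummy numbers rather than real keys, and the 2008 Debian weak-key lists were distributed in their own format, so in practice you would load fingerprints from whatever blacklist source you maintain.

```python
"""Audit OpenSSH authorized_keys entries against a blacklist of compromised
key fingerprints. Added example, not code from the mailing-list post."""
import base64
import hashlib
import struct

# --- SSH wire-format helpers (RFC 4251 "string" and "mpint" encodings) -------

def ssh_string(data: bytes) -> bytes:
    """Length-prefixed byte string."""
    return struct.pack(">I", len(data)) + data

def ssh_mpint(n: int) -> bytes:
    """Big-endian two's-complement integer; a leading 0x00 is added when the
    high bit is set so the value is read as positive."""
    if n == 0:
        return ssh_string(b"")
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def read_string(blob: bytes, off: int):
    """Decode one length-prefixed field at offset `off`; return (bytes, next_off)."""
    (length,) = struct.unpack(">I", blob[off:off + 4])
    start = off + 4
    return blob[start:start + length], start + length

def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH fingerprint: 'SHA256:' + unpadded base64 of SHA-256 over the raw blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def rsa_bits(blob: bytes) -> int:
    """An ssh-rsa blob is: string "ssh-rsa", mpint e, mpint n. Return bits of n."""
    _, off = read_string(blob, 0)      # key type
    _, off = read_string(blob, off)    # public exponent e
    n_raw, _ = read_string(blob, off)  # modulus n
    return int.from_bytes(n_raw, "big").bit_length()

def parse_authorized_keys_line(line: str):
    """Return (keytype, blob) or None for blank/comment/unparseable lines.
    An optional options field (e.g. from="...") may precede the key type."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    for i in range(len(fields) - 1):
        if fields[i].startswith(("ssh-", "ecdsa-", "sk-")):
            try:
                return fields[i], base64.b64decode(fields[i + 1], validate=True)
            except ValueError:
                return None
    return None

# --- Policy (assumed thresholds, adjust to your own standard) -----------------
MIN_RSA_BITS = 2048
WEAK_TYPES = {"ssh-dss"}  # DSA keys are fixed at 1024 bits in OpenSSH

def audit_authorized_keys(text: str, blacklist: set) -> list:
    """Return (line_no, fingerprint, finding) for every key that needs action."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        parsed = parse_authorized_keys_line(line)
        if parsed is None:
            continue
        keytype, blob = parsed
        fp = fingerprint_sha256(blob)
        if fp in blacklist:
            findings.append((line_no, fp, "blacklisted (known compromised)"))
        elif keytype in WEAK_TYPES:
            findings.append((line_no, fp, f"weak key type {keytype}"))
        elif keytype == "ssh-rsa" and rsa_bits(blob) < MIN_RSA_BITS:
            findings.append((line_no, fp, f"ssh-rsa key only {rsa_bits(blob)} bits"))
    return findings

# --- Constructed sample data (dummy numbers, NOT real keys) -------------------
def make_blob(keytype: bytes, *params: bytes) -> bytes:
    return ssh_string(keytype) + b"".join(params)

GOOD_RSA = make_blob(b"ssh-rsa", ssh_mpint(65537), ssh_mpint((1 << 2047) | 1))
SHORT_RSA = make_blob(b"ssh-rsa", ssh_mpint(65537), ssh_mpint((1 << 1023) | 1))
DSA_KEY = make_blob(b"ssh-dss", *(ssh_mpint(v) for v in (7, 11, 13, 17)))
ED25519 = make_blob(b"ssh-ed25519", ssh_string(b"\x42" * 32))

def b64(blob: bytes) -> str:
    return base64.b64encode(blob).decode()

SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample authorized_keys",
    f"ssh-rsa {b64(GOOD_RSA)} alice@example",
    f'from="10.0.0.0/8" ssh-ed25519 {b64(ED25519)} bob@example',
    f"ssh-dss {b64(DSA_KEY)} legacy@example",
    f"ssh-rsa {b64(SHORT_RSA)} old-laptop",
])

# Constructed blacklist: pretend bob's key is on a known-compromised list.
BLACKLIST = {fingerprint_sha256(ED25519)}

if __name__ == "__main__":
    for line_no, fp, finding in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, BLACKLIST):
        print(f"line {line_no}: {fp}: {finding}")
```

Run against real files by reading each user's `authorized_keys` into `text` and loading your blacklist into the set; the fingerprints it prints match what `ssh-keygen -lf` shows, so findings can be cross-checked by hand. Blacklist matching is done first so a compromised key is always reported as such, even if it would also fail the type or size checks.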

