
Re: [SECURITY] [DSA-134-2] Unknown OpenSSH remote vulnerability



Mark Janssen <maniac@maniac.nl> writes:

> On Tue, 2002-06-25 at 15:57, Kruskal wrote:
> > Has anyone applied this update yet?  I did so on a potato box, enabled
> > priv separation in the sshd config file and restarted sshd.  I saw
> > that a user called sshd was created.  However, when I ssh'ed in, I
> > didn't see any processes owned by sshd.  In fact, the ssh daemon
> > process was still owned by root.
> 
> I noticed this as well.. and decided to roll my own version, and include
> a patch for setproctitle support, this to aid debugging.
> 
> It in fact does work, but the 'sshd' process from the 'sshd' user only
> exists before login.

Looks like this is the way it happens under potato as well.  Looking
into it, I see the initial sshd sitting idle created by root.  Then
when I initially connect, but before I am authenticated, a child
process owned by sshd is created.  ps fauwx looks like:

root      8159  1.0  0.6  2544 1228 ?        S    09:20   0:00 /usr/sbin/sshd
root      8162  1.1  0.8  4380 1596 ?        S    09:21   0:00  \_ /usr/sbin/sshd
sshd      8163  5.5  0.7  3964 1472 ?        S    09:21   0:00      \_ /usr/sbin/sshd

Then when I give the password, that sshd owned process goes away, leaving:

root      8159  0.5  0.6  2544 1228 ?        S    09:20   0:00 /usr/sbin/sshd
root      8162  0.2  0.8  5620 1680 ?        S    09:21   0:00  \_ /usr/sbin/sshd
user      8166  0.3  0.9  5632 1752 ?        S    09:21   0:00      \_ /usr/sbin/sshd
user      8167  1.0  0.6  2016 1240 pts/0    S    09:21   0:00          \_ -bash

So it looks to me like priv sep is working on potato.  At this point,
is it safe to open up a public server?

-- 
--Kruskal

