Bug#639330: openssh-server doesn't check if user's shell is listed in /etc/shells

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#639330: openssh-server doesn't check if user's shell is listed in /etc/shells
From: Lubomir Host <rajo@platon.sk>
Date: Fri, 26 Aug 2011 02:39:03 +0200
Message-id: <20110826003903.GK6774@athena.platon.sk>
Reply-to: Lubomir Host <rajo@platon.sk>, 639330@bugs.debian.org

Package: openssh-server
Version: 1:5.8p1-7
Severity: important


openssh-server doesn't check if user's shell is listed in /etc/shells.
This is a potencional security hole. If somebody removes user's shell
from  /etc/passwd, sshd permits login to the user with shell /bin/sh.

This is an insecure behaviour of openssh on Debian. Others systems may be
affected too.


# ssh -l rajo localhost
rajo@localhost's password:
Last login: Fri Aug 26 02:28:05 2011 from localhost
$ id
uid=1000(rajo) gid=1000(rajo) groups=1000(rajo)
$ getent passwd rajo
rajo:x:1000:1000:Lubomir Host,,,:/home/rajo:
$ ps
  PID TTY          TIME CMD
 5243 pts/8    00:00:00 sh
 5372 pts/8    00:00:00 ps


FIX: add the following line to /etc/pam.d/common-auth

# Check /etc/shells on login
account       required   pam_shells.so

Check the system:
# ssh -l rajo localhost -p 22
rajo@localhost's password: 
Connection closed by 127.0.0.1

This is a correct (secure) behaviour.

Best regards,
Lubomir Host


-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 3.0.0-1-686-pae (SMP w/2 CPU cores)
Locale: LANG=sk_SK, LC_CTYPE=sk_SK.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages openssh-server depends on:
ii  adduser            3.113                 add and remove users and groups
ii  debconf [debconf-2 1.5.41                Debian configuration management sy
ii  dpkg               1.16.0.3              Debian package management system
ii  libc6              2.13-17               Embedded GNU C Library: Shared lib
ii  libcomerr2         1.42~WIP-2011-07-02-1 common error description library
ii  libgssapi-krb5-2   1.9.1+dfsg-2          MIT Kerberos runtime libraries - k
ii  libkrb5-3          1.9.1+dfsg-2          MIT Kerberos runtime libraries
ii  libpam-modules     1.1.3-2               Pluggable Authentication Modules f
ii  libpam-runtime     1.1.3-2               Runtime support for the PAM librar
ii  libpam0g           1.1.3-2               Pluggable Authentication Modules l
ii  libselinux1        2.0.98-1.1            SELinux runtime shared libraries
ii  libssl1.0.0        1.0.0d-3              SSL shared libraries
ii  libwrap0           7.6.q-21              Wietse Venema's TCP wrappers libra
ii  lsb-base           3.2-27                Linux Standard Base 3.2 init scrip
ii  openssh-client     1:5.8p1-7             secure shell (SSH) client, for sec
ii  procps             1:3.2.8-11            /proc file system utilities
ii  zlib1g             1:1.2.3.4.dfsg-3      compression library - runtime

Versions of packages openssh-server recommends:
ii  openssh-blacklist             0.4.1      list of default blacklisted OpenSS
ii  openssh-blacklist-extra       0.4.1      list of non-default blacklisted Op
ii  xauth                         1:1.0.6-1  X authentication utility

Versions of packages openssh-server suggests:
pn  molly-guard                  <none>      (no description available)
pn  monkeysphere                 <none>      (no description available)
pn  rssh                         <none>      (no description available)
ii  ssh-askpass                  1:1.2.4.1-9 under X, asks user for a passphras
pn  ufw                          <none>      (no description available)



-- debconf information excluded

Reply to:

Prev by Date: Bug#599399: NIS groups
Next by Date: Bug#639376: ssh key exchange blocked by checkpoint firewall
Previous by thread: Bug#599399: NIS groups
Next by thread: Bug#639376: ssh key exchange blocked by checkpoint firewall
Index(es):
- Date
- Thread