Re: trojaned SSHD ?
From: David Foster (foster@dim.ucsd.edu)
Date: 09/21/01
- Previous message: Neil Dickey: "Re: trojaned SSHD ?"
- Maybe in reply to: Karthik Krishnamurthy: "trojaned SSHD ?"
Message-Id: <200109211613.JAA01321@dim.ucsd.edu>
Date: Fri, 21 Sep 2001 09:13:53 -0700 (PDT)
From: David Foster <foster@dim.ucsd.edu>
Subject: Re: trojaned SSHD ?
To: FOCUS-SUN@securityfocus.com
>
> Hi,
>
> On Fri, Sep 21, 2001 at 06:16:33AM +0530, Karthik Krishnamurthy wrote:
> >
> > output of strings /usr/local/sbin/sshd | more
> >
> > ...skipping
> > ls -alni /tmp/. 2>/dev/null
> > w 2>/dev/null
> > netstat -s 2>/dev/null
> > netstat -an 2>/dev/null
> > netstat -in 2>/dev/null
> > /dev/random
> >
> > Looks very suspicious. Anybody else seen something like this ?
>
> Yes! It's some entropy gathering from within the default sshd. If no
> random device is present sshd is able to calculate some PRNs using entropy
> provided by net statistics, etc...
>
> <snip>
I'd recommend moving to OpenSSH, which supports both ssh1 and ssh2
protocols quite well, and is reported to be more secure. You might
also want to use one of the available /dev/[u]random random number
generators; they really speed up connection time.
I've attached my notes on our OpenSSH installs on multiple
platforms, including Solaris. Hope this is helpful.
Dave Foster
<< All opinions expressed are mine, not the University's >>
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
David Foster National Center for Microscopy and Imaging Research
Programmer/Analyst University of California, San Diego
dfoster@ucsd.edu Department of Neuroscience, Mail 0608
(858) 534-7968 http://ncmir.ucsd.edu/
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
"The reasonable man adapts himself to the world; the unreasonable one
persists in trying to adapt the world to himself. Therefore, all progress
depends on the unreasonable." -- George Bernard Shaw
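The command strings quoted above ("ls -alni /tmp/. 2>/dev/null", "w 2>/dev/null", the netstat calls) are what a stock sshd runs to seed its PRNG when no random device is present. The script below is an added example, not part of this message or of any ssh distribution: it separates those expected strings from any other command-like string in a binary's `strings` output, so a binary that looks odd can be triaged before the real check, which is comparing it byte for byte against a freshly built copy of the same version. The allowlist is constructed from the commands quoted in the thread; the authoritative list for a given version is in its source (or, for OpenSSH portable, the installed ssh_prng_cmds file). The "uptime" line in the demo is a constructed sample to show a non-allowlisted hit, not evidence of anything.

```shell
#!/bin/sh
# Added example, not from the original post: triage the command-looking
# strings in an sshd binary against the entropy-gathering commands a stock
# sshd runs.  Usage: strings /usr/local/sbin/sshd > /tmp/sshd.str
#                    flag_unknown_cmds /tmp/sshd.str

# Allowlist constructed from the commands quoted in the thread.  Replace it
# with the list from the source (or ssh_prng_cmds file) of the exact version
# you built, then compare the binary itself against a fresh build.
KNOWN_PRNG_CMDS='ls -alni /tmp/.
w
netstat -s
netstat -an
netstat -in'

# flag_unknown_cmds FILE: FILE holds "strings" output.  Every line of the form
# "<cmd> 2>/dev/null" whose <cmd> is not in the allowlist is printed.
# Returns 0 when nothing unexpected was found, 1 otherwise.
flag_unknown_cmds() {
    found=0
    while IFS= read -r cmd; do
        [ -n "$cmd" ] || continue
        if printf '%s\n' "$KNOWN_PRNG_CMDS" | grep -Fxq -- "$cmd"; then
            :   # expected entropy-gathering command
        else
            printf 'UNEXPECTED: %s\n' "$cmd"
            found=1
        fi
    done <<EOF
$(grep '2>/dev/null$' "$1" | sed 's/ *2>\/dev\/null$//')
EOF
    return $found
}

# Demo on a constructed sample of "strings" output (not real binary output);
# "uptime" is included only to show a line that is not on the allowlist.
SAMPLE=$(mktemp)
printf '%s\n' 'ls -alni /tmp/. 2>/dev/null' 'w 2>/dev/null' \
    'netstat -an 2>/dev/null' '/dev/random' 'uptime 2>/dev/null' > "$SAMPLE"
flag_unknown_cmds "$SAMPLE" || echo "(non-zero exit: compare the binary against a fresh build)"
rm -f "$SAMPLE"
```

A flagged line only means "not on the list you gave it"; a clean run only means the command strings match. Neither replaces comparing the installed binary against one you built from verified source.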
SSH.INFO 12-06-99 DSFoster
Information relevant to the installation of SSH on NCMIR systems.
Installation of OpenSSH 2.5.2p2
-------------------------------------------------------------------------------
* Install Zlib 1.1.2 libraries, compiling from source, on Solaris and IRIX
platforms, into /usr/local/lib:
cd /usr/local/src/zlib-1.1.2
./configure; make; make install
-------------------------------------------------------------------------------
* Install OpenSSL 0.9.6 , compiling from source on Solaris, and
IRIX platforms. On Solaris use Workshop 5.0 cc, on IRIX use
native cc (must use Configure to specify compiler explicitly on
SGIs).
Solaris and Tru64 UNIX:
[On Tru64 system extract tarball locally and install from there...
otherwise you get NFS errors]
cd /usr/local/src/openssl-0.9.6
./config --prefix=/usr/local --openssldir=/usr/local/openssl
make; make test; make install
IRIX:
cd /usr/local/src/openssl-0.9.6
./Configure --prefix=/usr/local --openssldir=/usr/local/openssl irix-mips3-cc | \
tee Install.IRIX
make | tee -a Install.IRIX
make test | tee -a Install.IRIX
make install | tee -a Install.IRIX
Directories created in /usr/local/openssl:
certs Initially empty, this is the default location
for certificate files.
man/man1 Manual pages for the 'openssl' command line tool
man/man3 Manual pages for the libraries (very incomplete)
misc Various scripts.
private Initially empty, this is the default location
for private key files.
Installs in /usr/local:
bin Contains the openssl binary and a few other
utility programs.
include/openssl Contains the header files needed if you want to
compile programs with libcrypto or libssl.
lib Contains the OpenSSL library files themselves.
-------------------------------------------------------------------------------
* For SunOS systems ONLY: Install PCRE (the Perl Compatible Regular
Expressions library). SunOS 4 (BSD-based) has no native POSIX regex
implementation, so OpenSSH is linked against PCRE's POSIX wrapper
(libpcreposix; see the HAVE_LIBPCRE step below).
ftp://ftp.cus.cam.ac.uk/pub/software/programs/pcre/
./configure; make; make install
Then run:
./libtool --finish /usr/local/lib
-------------------------------------------------------------------------------
* Install OpenSSH 2.5.2 , compiling from source, on all platforms,
into /usr. Put all binaries in /usr/bin, put config files in /etc/openssh,
use IPv4 by default, specify location of OpenSSL libraries, install
pre-formatted man pages (avoid BSD/SysV incompatibilities). On Solaris
use 64-bit Sun compiler, on SunOS use gcc, on IRIX and Tru64 use native
cc compiler.
Compile on Hamming (Solaris 2.8), Ranvier (IRIX 6.5.9), Ganesa (Tru64),
and Pitstop (SunOS 4.1.4).
[Compile on Solaris 2.8 so it uses the "largefiles" libraries and
can support files > 2GB, and make sure 64-bit Sun compiler is
used.]
[On Tru64 system extract tarball locally and install from there...
otherwise you get NFS errors]
On SOLARIS systems install the random number generator package
ANDIrand-0.6-5.[6,8]-sparc-1.pkg . This is a kernel module that
emulates /dev/[u]random:
http://www.cosy.sbg.ac.at/~andi/
Solaris 2.6:
pkgadd -d ~foster/Programs/OpenSSH/ANDIrand-0.6-5.6-sparc-1.pkg
Solaris 8:
pkgadd -d ~foster/Programs/OpenSSH/ANDIrand-0.6-5.8-sparc-1.pkg
System-Dependent Pre-Compile Steps
----------------------------------
On SOLARIS only make sure 64-bit Sun compiler is used (use setenv, not
set, so that configure sees CC in its environment):
source /.cshrc
setenv CC /usr/local/SunWorkshop_5.0/SUNWspro/bin/cc
set path = (/usr/local/SunWorkshop_5.0/SUNWspro/bin $path)
On IRIX only first do:
# Ensure it doesn't find /usr/local/bin/gcc
source /.cshrc
setenv CC cc
On SUNOS only do:
# Make sure it uses gcc (otherwise get errors about openssl not found)
# (have /usr/local/bin in path)
source /.ncmir_env
On non-Solaris compilation machines do:
cd /usr/local/src/openssh-2.5.2p2
make distclean
./configure --prefix=/usr --exec-prefix=/usr --sysconfdir=/etc/openssh \
--sbindir=/usr/bin --with-ipv4-default --with-ssl-dir=/usr/local/lib \
--with-catman=cat
Solaris: If a /dev/random device (e.g. the ANDIrand module above) is the
entropy source, configure instead with:
cd /usr/local/src/openssh-2.5.2p2
./configure --prefix=/usr --exec-prefix=/usr --sysconfdir=/etc/openssh \
--sbindir=/usr/bin --with-ipv4-default --with-ssl-dir=/usr/local/lib \
--with-catman=cat \
--with-random=/dev/urandom
*************************************************************************
**** FOR Solaris SYSTEMS ************************************************
*************************************************************************
For large-file support add to CFLAGS in ./Makefile and
./openbsd-compat/Makefile :
-D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE
*************************************************************************
*************************************************************************
**** FOR SunOS SYSTEMS **************************************************
*************************************************************************
You'll need to change the following line in the Makefile from:
LIBS=-lz -lcrypto
to:
LIBS=-lz -lcrypto -Xlinker -Bstatic -lpcreposix -lpcre -Xlinker -Bdynamic
and edit `config.h' (created by ./configure) to define:
/* Define if you lack native POSIX regex and you are using PCRE */
#define HAVE_LIBPCRE
*************************************************************************
make
Then, on each host, install the man pages and programs and generate the host key:
*************************************************************************
**** FOR SGI SYSTEMS ****************************************************
*************************************************************************
IMPORTANT: For SGI, remove "-s" from the $(INSTALL) commands in the
Makefile that install the binaries; in BSD compatibility mode "-s"
means "strip" the binaries, which results in an annoying warning
message every time one of the binaries is run.
-------------------------------------------------------------------------
IMPORTANT: May need to edit the Makefile and change the definition of
"mansubdir" to "man" or "cat" (SGI configure sets this blank, so man
pages get put into /usr/man/1, for example!).
*************************************************************************
NOTE: The remaining steps are included in the following script, which
will need to be updated for each new version:
~foster/Bin/ssh_upgrade
Save existing /etc/openssh for old 2.5.1p1 version to backup, and install:
mkdir /etc/openssh.2.5.1p1
cp -r /etc/openssh/* /etc/openssh.2.5.1p1
cd /usr/local/src/openssh-2.5.2p2
make install
make host-key
Migrate local modifications of ssh_config and sshd_config files into
/etc/openssh (OpenSSH):
pushd /etc/openssh
/usr/local/bin/cp -f ssh_config ssh_config.default
/usr/local/bin/cp -f sshd_config sshd_config.default
/usr/local/bin/cp -f ~foster/Sysadmin/Config/OpenSSH/ssh_config .
chown root ssh_config
chmod 644 ssh_config
/usr/local/bin/cp -f ~foster/Sysadmin/Config/OpenSSH/sshd_config .
chown root sshd_config
chmod 644 sshd_config
popd
Change location of sshd binary in /etc/init.d/sshd to /usr/bin
and restart daemon (Solaris and IRIX):
/etc/init.d/sshd start
(SunOS: Edit /etc/rc.local and restart sshd daemon manually.)
(Tru64: /sbin/rc3.d/S91sshd start )
To generate host-key manually for host do:
make host-key
Notes from installation (Solaris):
OpenSSH configured has been configured with the following options.
User binaries: /usr/bin
System binaries: /usr/bin
Configuration files: /etc/openssh
Askpass program: /usr/libexec/ssh-askpass
Manual pages: /usr/man/manX
PID file: /etc/openssh
Random number collection: Builtin (timeout 200)
Manpage format: man
PAM support: yes
KerberosIV support: no
AFS support: no
S/KEY support: no
TCP Wrappers support: no
MD5 password support: no
IP address in $DISPLAY hack: no
Use IPv4 by default hack: yes
Translate v4 in v6 hack: no
Host: sparc-sun-solaris2.6
Compiler: gcc
Compiler flags: -g -O2 -Wall -I. -I. -I/usr/local/include
-I/usr/local/lib/include
Linker flags: -L/usr/local/lib -R/usr/local/lib -L/usr/ucblib -R/usr/ucblib
-L/usr/local/lib/lib -L/usr/local/lib -R/usr/local/lib/lib \
-R/usr/local/lib
Libraries: -ldl -lsocket -lnsl -lz -lpam -lcrypto
WARNING: you are using the builtin random number collection service.
Please read WARNING.RNG and request that your OS vendor includes
/dev/random in future versions of their OS.
Upgrade from 2.5.1p1 to 2.5.2p2:
[Also see my summary in SSH mailbox ~foster/Mail/SSH.]
> Sun UltraSparc 80 running Solaris 8 02/00, OpenSSL 0.96, OpenSSH 2.5.1p1
> Any attempt to connect using SSH2 results in the message:
> Received disconnect from x.y.z.p: 2: Bad packet length <random large integer>
> Attempts to connect using SSH1 are successful.
AES/Rijndael is broken for portable OpenSSH up to and including 2.5.1p1
(2.5.2p2 is OK) on big-endian machines (like your UltraSparc). An upgrade
will fix it.
Note about ciphers from Steve Lamont's friend:
> 3DES and IDEA both offer excellent security and resistance to attack,
> but are fairly slow. Blowfish with a 128 bit key takes a while to set
> up, but the cypher itself runs very fast and provides very good security.
>
> "ArcFour" - RC4 before RSA let go of it - is a very fast stream (as opposed
> to block) cypher which provides excellent performance and security as well.
> (DES, 3DES, IDEA, Blowfish are all block cyphers. The principal difference
> is that to use a stream cypher for network traffic you can't have packets
> or bytes re-ordered. For a TCP connection this isn't an issue).
>
> When I use SSH I usually use Blowfish.
Notes on modifications for upgrade from 2.3.0 to 2.5.1:
Added/changed in ssh_config:
# Add to enable RhostsRSAAuthentication. Otherwise defaults
# to ~/.ssh/identity
IdentityFile ~/.ssh/id_dsa
IdentityFile ~/.ssh/identity
PubkeyAuthentication yes
KeepAlive yes
# "yes" or "ask" refuse the connection when a known host's key has
# changed ("ask" prompts before adding an unknown one). "no" adds unknown
# host keys without asking and connects anyway after a warning when a key
# has changed, so it trades man-in-the-middle detection for not prompting
# the user.
StrictHostKeyChecking no
Added/changed in sshd_config:
# Don't have ssh display motd (displays twice!)
PrintMotd no
Notes on /dev/random alternatives:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ANDIrand random number generator installed on our Solaris 2.[6,8]
systems:
http://www.cosy.sbg.ac.at/~andi/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
On Thu, Feb 08, 2001 at 04:33:39PM -0500, Steve Bigley wrote:
> OpenSSH on Solaris is less than optimal. It prefers to use /dev/rand for
> the TCP sequence packet numbering, which doesn't exist on Solaris (and some
> other platforms, as well). Instead, for Solaris, they use a software-based
> algorithm that is much slower. It would be nice if Solaris implemented
> /dev/rand because I like OpenSSH as well, but until then, if you're using
> ssh heavily on a Solaris box, it's better to use a different flavor of ssh.
I am happily running OpenSSH on Solaris. In fact there are two other
possibilities to feed OpenSSH with random numbers (See ./configure --help).
Solaris /dev/random module by Andreas Maier
http://www.cosy.sbg.ac.at/~andi/
The module creates the pseudo device /dev/random (/dev/urandom is also
added even though it is working exactly as /dev/random). The random data
is collected from the high resolution kernel timer on each open, read
and write call. The code for the random number pool has been taken from
Linux kernel.
Entropy Gathering Daemon
http://www.lothar.com/tech/crypto/
The entropy gathering daemon is a little perl script that collects
entropy by running programs like 'w' and 'iostat', 'vmstat', ...
Data can be read and written through a unix socket.
As far as I know the Linux random device isn't that bad and the
Entropy Gathering Daemon was created as an addition to GPG, therefore I
assume both sources might generate "good" randomness.
Regards,
Konrad Rieck <kr@r0q.cx>
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
I've found that the Sun SUNWski package is available separately from Sun.
It's included in patches 10675[456]-01. But they are not available for
download from SunSolve. [...] But from:
NOTE: Doesn't work with Solaris 8 (DSFoster)
106754-01 - Security and Performance domestic (US only) Patch [README]
http://freeware4sun.wroc.pl/patches/zip/106754-01.tar.gz
http://freeware4sun.wroc.pl/patches/README/106754-01.README
106755-01 - Security and Performance international Patch [README]
http://freeware4sun.wroc.pl/patches/zip/106755-01.tar.gz
http://freeware4sun.wroc.pl/patches/README/106755-01.README
106756-01 - Security and Performance domestic (US/CANADA) Patch [README]
http://freeware4sun.wroc.pl/patches/zip/106756-01.tar.gz
http://freeware4sun.wroc.pl/patches/README/106756-01.README
I downloaded this patch (106754-01) from sunsolve just last week. It
contains the SUNWski package. I just pulled it out from the patch and
installed just that package.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The Entropy Gathering Daemon from
http://www.lothar.com/tech/crypto/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
PRNGD, which the OpenSSH people seem to think is nice...
http://www.aet.tu-cottbus.de/personen/jaenicke/pfixtls/prngd.html
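Before picking one of these, it is worth checking what the host actually offers and whether an emulated device behaves like one. The script below is an added example (not from these notes or from any of the projects above): it reports the first usable entropy source in the order discussed here (kernel device, then an EGD/PRNGD socket) and computes the Shannon entropy of a sample read from a source, which catches an emulated device that returns low-entropy or repeated blocks. The socket paths listed for EGD/PRNGD are assumptions, since both daemons let you choose the path.

```shell
#!/bin/sh
# Added example, not from the notes: find out which entropy source an
# OpenSSH build could use on this host, and sanity-check what it returns.

# entropy_source: print the first usable source, in the order the notes
# discuss: a kernel random device, then an EGD/PRNGD socket.  Exit 1 if none.
# The socket paths are assumptions; both daemons let you pick the path.
entropy_source() {
    for dev in /dev/urandom /dev/random; do
        if [ -c "$dev" ]; then echo "$dev"; return 0; fi
    done
    for sock in /var/run/egd-pool /etc/entropy /tmp/entropy; do
        if [ -S "$sock" ]; then echo "$sock"; return 0; fi
    done
    echo 'no random device or EGD/PRNGD socket found' >&2
    return 1
}

# entropy_bits FILE [NBYTES]: Shannon entropy, in bits per byte, of the first
# NBYTES (default 4096) bytes of FILE.  A good random device scores close to
# 8.0; an emulated device that scores far lower, or returns the same block
# on two reads, is not giving sshd what it assumes.
entropy_bits() {
    od -An -v -tu1 -N "${2:-4096}" "$1" | tr -s ' ' '\n' | grep -v '^$' |
    awk '{ count[$1]++; n++ }
         END {
             h = 0
             for (b in count) { p = count[b] / n; h += p * log(1 / p) / log(2) }
             printf "%.3f\n", h
         }'
}

# Demo: a block of zeros (constructed) scores 0.000; the live source should
# score near 8.0 and two short reads should differ.
ZEROS=$(mktemp)
dd if=/dev/zero of="$ZEROS" bs=4096 count=1 2>/dev/null
echo "zeros: $(entropy_bits "$ZEROS") bits/byte"        # prints: zeros: 0.000 bits/byte
rm -f "$ZEROS"
if src=$(entropy_source); then
    echo "source: $src  entropy: $(entropy_bits "$src" 65536) bits/byte"
    [ "$(od -An -N16 "$src")" != "$(od -An -N16 "$src")" ] ||
        echo "WARNING: repeated output from $src"
fi
```

Run it once after installing ANDIrand or starting EGD/PRNGD and again after a reboot: a device that scores well only after the box has been up for a while is telling you its pool was nearly empty at the time sshd first started.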
*********************************************************************
*********************************************************************
Older SSH-1 1.2.26 and 1.2.27 installations
*********************************************************************
*********************************************************************
General Installation:
Compile for each platform, and then do a "make install" on
each host to install binaries and man pages in /usr/{bin,man}.
Compilation:
-----------
cd /usr/local/src/ssh-1.2.27/src
./configure --prefix=/usr --without-rsh --with-etcdir=/etc/ssh
make
Installation:
------------
Modify src/Makefile:
- Change sbindir to be ${exec_prefix}/bin (not sbin)
- Change piddir to be /var/adm (not /var/run)
make install
Create /etc/ssh/{ssh_config, sshd_config} files:
cd /etc/ssh
rcp proteus:/etc/ssh/ssh_config .
rcp proteus:/etc/ssh/sshd_config .
and then update the IP address in sshd_config .
Startup files: /etc/init.d/sshd and /etc/rc2.d/S99sshd link
rcp dim:/etc/init.d/sshd /etc/init.d
cd /etc/rc2.d
ln -s ../init.d/sshd S99sshd
Be sure the startup file 'sshd' references /usr/bin and not /usr/sbin.
Remember:
--------
Machine-dependent configuration file stored in /etc/ssh/ (be
sure to update the sshd_config and ssh_config from
proteus' copy which has been changed for NCMIR's setup; also
remember to change the "ListenAddress" in the sshd_config file)
Specific Instructions:
SGI:
---
Compile on Crepitus using gcc.
Add the following to src/scp.c:
#include <sys/types.h>
#include <sys/dir.h>
- - - - - - - - - - - - - - - - - - - - - -
Useful information related to SSH:
Created: 7-28-99 DSFoster
Hi Dave:
Here is what I am doing for sshd on amnesiac:
1. Compiled /usr/local/src/ssh-1.2.26/ on pitstop with:
./configure --prefix=/usr/local/apps/ssh-1.2.26 \
--without-rsh --with-etcdir=/etc/ssh
make
2. On amnesiac do:
make hostinstall
3. Copy /etc/ssh/sshd_config and ssh_config from other clients and
modify sshd_config ListenAddress entry
4. Test by running ssh on another machine to amnesiac and from
amnesiac to another machine
5. Post-install:
I've modified /etc/rc.local also to start ssh server upon bootup.
Mona
Also from the /usr/local/src/README.NCMIR, I have:
SSH 1.2.26 (Secure Shell):
Downloaded from ftp://sunsite.unc.edu/pub/packages/security/ssh/
Package stored in /usr/local/src/ssh-1.2.26/
Compiled and installed on proteus (SGI 6.2) (see
NCMIR.README.sgi), alex (SunOS 4.1.4) (see
NCMIR.README.sun), and blinky (Solaris 2.6) (see
script in NCMIR.README.solaris)
Did "make hostinstall" as instructed by the INSTALL file on
amnesiac, blinky, camshaft, crepitus, dim, eel, gappy,
golgi, hi, knack, pitstop, ranvier, szechuan
Machine-dependent configuration file stored in /etc/ssh/ (be
sure to update the sshd_config and ssh_config from
proteus' copy which has been changed for NCMIR's setup; also
remember to change the "ListenAddress" in the
sshd_config file)
User binaries installed in /usr/local/apps/ssh-1.2.26/
Man pages installed in /usr/local/man/man1/:
make-ssh-known-hosts.1, make-ssh-known-hosts1.1, scp.1,
scp1.1, slogin.1, slogin1.1, ssh-add.1, ssh-add1.1,
ssh-agent.1, ssh-agent1.1, ssh-keygen.1, ssh-keygen1.1,
ssh.1, ssh1.1
Man pages installed in /usr/local/man/man8/:
sshd.8, sshd1.8
- - - - - - - - - - - - - - - - - - - - - -
NCMIR sshd_config file:
#
# NOTE: This file has been modified for NCMIR setup.
# If you are going to make any changes to this setup, sccs an editable
# copy from proteus:/etc/ssh/ and then copy the new one to all our unix
# machines; the only exception is that the "ListenAddress" variable
# should be different on each machine so if you modify that variable
# you do not need to SCCS the change on proteus
#
# This is ssh server systemwide configuration file.
Port 22
ListenAddress 0.0.0.0
HostKey /etc/ssh/ssh_host_key
RandomSeed /etc/ssh/ssh_random_seed
ServerKeyBits 768
LoginGraceTime 300
KeyRegenerationInterval 3600
PermitRootLogin no
IgnoreRhosts no
StrictModes yes
QuietMode no
X11Forwarding yes
X11DisplayOffset 10
FascistLogging no
PrintMotd yes
KeepAlive yes
SyslogFacility DAEMON
RhostsAuthentication no
RhostsRSAAuthentication yes
RSAAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords no
UseLogin no
CheckMail yes
PidFile /etc/ssh/sshd.pid
# AllowHosts *.our.com friend.other.com
# DenyHosts lowsecurity.theirs.com *.evil.org evil.org
# Umask 022
SilentDeny no
- - - - - - - - - - - - - - - - - - - - - -
NCMIR ssh_config file:
#
# NOTE: This file has been modified for NCMIR setup.
# If you are going to make any changes to this setup, sccs an editable
# copy from Proteus:/etc/ssh/ and then copy the new one to all our unix
# machines
#
# Modifications:
# 2-29-00 DSF Disable X11 forwarding (ForwardX11 no)
#
# This is ssh client systemwide configuration file. This file provides
# defaults for users, and the values can be changed in per-user configuration
# files or on the command line.
# Configuration data is parsed as follows:
# 1. command line options
# 2. user-specific file
# 3. system-wide file
#
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.
# Site-wide defaults for various options
# Host *
ForwardAgent yes
ForwardX11 no
RhostsAuthentication no
RhostsRSAAuthentication yes
RSAAuthentication yes
TISAuthentication no
PasswordAuthentication yes
FallBackToRsh yes
UseRsh no
BatchMode no
StrictHostKeyChecking ask
IdentityFile ~/.ssh/identity
Port 22
Cipher idea
EscapeChar ~
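The two NCMIR files above carry several settings worth revisiting before copying them to every host: IgnoreRhosts no with RhostsRSAAuthentication yes lets per-user ~/.rhosts files extend trusted-host login; FallBackToRsh yes makes a failed ssh connection silently retry in clear text over rsh; ForwardAgent yes to every host lets anyone with root on the remote host use your agent; and StrictHostKeyChecking below "ask" hides changed host keys. The audit below is an added example, not an NCMIR file: it reads an ssh_config or sshd_config and reports directives set to a value weaker than its checklist. The checklist is the example's own choice, not something these notes define.

```shell
#!/bin/sh
# Added example, not part of the NCMIR files: report directives in an
# ssh_config or sshd_config that are set to a value weaker than the
# checklist below.  Usage: audit_ssh_config /etc/ssh/sshd_config

# audit_ssh_config FILE: print "file:line: directive value (expected ...)"
# for each weak setting; return 0 if none were found, 1 otherwise.
# The checklist is this example's own choice; adjust it to site policy.
audit_ssh_config() {
    awk '
        BEGIN {
            # directive -> regex of acceptable values (matched case-insensitively)
            ok["PermitRootLogin"]         = "no"
            ok["PermitEmptyPasswords"]    = "no"
            ok["IgnoreRhosts"]            = "yes"      # ~/.rhosts must not extend trust
            ok["RhostsAuthentication"]    = "no"       # plain rhosts is spoofable
            ok["RhostsRSAAuthentication"] = "no"
            ok["UseRsh"]                  = "no"
            ok["FallBackToRsh"]           = "no"       # never retry in clear text
            ok["ForwardAgent"]            = "no"       # enable per host, not site-wide
            ok["StrictHostKeyChecking"]   = "ask|yes"  # "no" hides changed host keys
        }
        /^[ \t]*#/ || NF < 2 { next }                  # skip comments and blank lines
        ($1 in ok) && tolower($2) !~ ("^(" ok[$1] ")$") {
            printf "%s:%d: %s %s (expected %s)\n", FILENAME, FNR, $1, $2, ok[$1]
            bad = 1
        }
        END { exit bad }
    ' "$1"
}

# Demo on a constructed fragment mixing settings from the two files above.
DEMO=$(mktemp)
cat > "$DEMO" <<'EOF'
PermitRootLogin no
IgnoreRhosts no
RhostsRSAAuthentication yes
FallBackToRsh yes
StrictHostKeyChecking ask
EOF
audit_ssh_config "$DEMO" || echo "weak settings found"   # reports lines 2, 3 and 4
rm -f "$DEMO"
```

Run it against each host's copy after an upgrade, since "make install" drops fresh default files next to the migrated ones and it is easy to end up editing the wrong one.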
- - - - - - - - - - - - - - - - - - - - - -
Startup sshd file:
#!/sbin/sh
#
# Start/stop SSH server (sshd writes its pid to the PidFile set in
# sshd_config, /etc/ssh/sshd.pid above)
#
case "$1" in
'start')
        if test -x /usr/bin/sshd; then
                echo "Starting SSH server daemons ..."
                /usr/bin/sshd
        fi
        ;;
'stop')
        if test -f /etc/ssh/sshd.pid; then
                echo "Stopping SSH server daemon ..."
                kill `cat /etc/ssh/sshd.pid`
        fi
        ;;
*)
        echo "usage: $0 {start|stop}"
        ;;
esac