Re: OpenSSH can mess up Linux-PAM's pam_access
From: Darren Tucker (dtucker_at_gate.dodgy.net.au)
Date: 05/27/05
- Previous message: Per Hedeland: "Re: OpenSSH ssh-keygen and non-empty passphrase"
- In reply to: Petr Pisar: "OpenSSH can mess up Linux-PAM's pam_access"
Date: 27 May 2005 07:05:12 GMT
On 2005-05-26, Petr Pisar <xpisar@fi.muni.cz> wrote:
> I have found out that if an attacker can fake forward and reverse DNS
> lookups, then pam_access can think the attacker is connected from
> somewhere else (e.g. from a privileged host).
[...]
> Proposed fix: sshd should always put rhost IP address to the PAM.

XSSO says that PAM_RHOST is "The remote host name." You can make sshd
use an IP address by setting "UseDNS no" in sshd_config.

> pam_access is vulnerable only if config file contains domain names. On
> the other hand configuration based on IP addresses is resistant.

The underlying problem is that the configuration is using an untrusted
source of data (i.e. DNS) for authentication decisions.
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
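
A defender-side check for the point made in this thread, added here as an example and not part of the original message or of OpenSSH or Linux-PAM: it lists pam_access origins that are host or domain names (and so depend on DNS) and reports whether sshd_config explicitly sets "UseDNS no". The function names and sample file contents are constructed for illustration.

```python
import ipaddress

KEYWORDS = {"ALL", "LOCAL", "NONE", "EXCEPT"}

def is_numeric_origin(token):
    """True for an IP address, a network/mask, or a prefix such as '198.51.100.'."""
    if token.endswith(".") and token.replace(".", "").isdigit():
        return True
    try:
        ipaddress.ip_network(token, strict=False)
        return True
    except ValueError:
        return False

def dns_dependent_rules(access_conf_text):
    """Return (line_number, token) for each origin that is a host or domain name."""
    findings = []
    for number, raw in enumerate(access_conf_text.splitlines(), start=1):
        if raw.lstrip().startswith("#"):
            continue
        # permission : users : origins (origins may hold IPv6, so split twice only)
        fields = raw.split(":", 2)
        if len(fields) != 3:
            continue
        for token in fields[2].split():
            if token in KEYWORDS or is_numeric_origin(token):
                continue
            if "." in token:  # assumption: dotless tokens are tty or service names
                findings.append((number, token))
    return findings

def usedns_is_no(sshd_config_text):
    """True only if the first UseDNS line sets 'no' (sshd keeps the first value)."""
    for raw in sshd_config_text.splitlines():
        parts = raw.split("#", 1)[0].replace("=", " ").split()
        if len(parts) >= 2 and parts[0].lower() == "usedns":
            return parts[1].lower() == "no"
    return False  # not set explicitly; the effective default depends on the version

# Constructed sample inputs, not taken from the thread.
SAMPLE_ACCESS_CONF = """\
# constructed sample
+ : root : .admin.example.org
+ : alice : 192.0.2.10 192.0.2.0/24
+ : bob : trusted.example.org 198.51.100.
- : ALL : ALL
"""
SAMPLE_SSHD_CONFIG = "Port 22\nUseDNS no\n"

if __name__ == "__main__":
    for number, token in dns_dependent_rules(SAMPLE_ACCESS_CONF):
        print(f"access.conf line {number}: origin '{token}' relies on DNS")
    print("UseDNS explicitly no:", usedns_is_no(SAMPLE_SSHD_CONFIG))
```

With "UseDNS no" in effect, name-based origins no longer receive a resolved host name from sshd, so rules flagged here should be rewritten with addresses or networks.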