Message-Id: <200007131124.e6DBOLR18988@koga.do.mms.mt.nec.co.jp>
To: doc-jp@jp.freebsd.org
In-Reply-To: <20000705231236.8B9D237BCFB@hub.freebsd.org>
References: <20000705231236.8B9D237BCFB@hub.freebsd.org>
X-Mailer: Mew version 1.94.2 on Emacs 19.34 / Mule 2.3 (SUETSUMUHANA)
Mime-Version: 1.0
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Transfer-Encoding: 7bit
Date: Thu, 13 Jul 2000 20:24:20 +0900 (JST)
From: Koga Youichirou <y-koga@jp.freebsd.org>
X-Dispatcher: imput version 20000228(IM140)
Lines: 220
Reply-To: doc-jp@jp.freebsd.org
Precedence: list
X-Distribute: distribute version 2.1 (Alpha) patchlevel 24e+000315
X-Sequence: doc-jp 7539
Subject: [doc-jp 7539] Re: ANNOUNCE: FreeBSD Security Advisory: FreeBSD-SA-00:30.openssh
Errors-To: owner-doc-jp@jp.freebsd.org
Sender: owner-doc-jp@jp.freebsd.org
X-Originator: y-koga@jp.freebsd.org

$B%i%9%H%9%Q!<%H!#(B

$B;D$j$O!"(B
FreeBSD-SA-00:31 [REVISED]
FreeBSD-SA-00:32
FreeBSD-SA-00:33

BEGIN------------------- $B$3$3$+$i(B ------------------------
 $B$3$N%a!<%k$O(B, announce-jp $B$KN.$l$?(B

  Subject: ANNOUNCE: FreeBSD Security Advisory: FreeBSD-SA-00:30.openssh
  From: FreeBSD Security Advisories <security-advisories@freebsd.org>
  Date: Wed,  5 Jul 2000 16:12:36 -0700 (PDT)
  Message-Id: <20000705231236.8B9D237BCFB@hub.freebsd.org>
  X-Sequence: announce-jp 470

 $B$rF|K\8lLu$7$?$b$N$G$9(B. 

 $B86J8$O(B PGP $B=pL>$5$l$F$$$^$9$,(B, $B$3$NF|K\8lLu$O(B PGP $B=pL>$5$l$F$$$^$;$s(B. 
 $B%Q%C%AEy$NFbMF$,2~cb$5$l$F$$$J$$$3$H$r3NG'$9$k$?$a$K(B PGP $B$N%A%'%C%/$r(B
 $B9T$J$&$K$O(B, $B86J8$r;2>H$7$F$/$@$5$$(B. 

 $BF|K\8lLu$O(B FreeBSD $BF|K\8l%I%-%e%a%s%F!<%7%g%s%W%m%8%'%/%H(B(doc-jp)$B$,;29M$N(B
 $B$?$a$KDs6!$9$k$b$N$G(B, doc-jp $B$O(B $B$=$NFbMF$K$D$$$F$$$+$J$kJ]>Z$b$$$?$7$^$;$s(B.
 $BF|K\8lLu$K$D$$$F$N$*Ld$$9g$o$;$O(B doc-jp@jp.FreeBSD.org $B$^$G$*4j$$$7$^$9(B.

--($B$3$3$+$i(B)
=============================================================================
FreeBSD-SA-00:30                                           Security Advisory
                                                                FreeBSD, Inc.

$B%H%T%C%/(B:	OpenSSH UseLogin directive permits remote root access

$BJ,N`(B:		core
$B%b%8%e!<%k(B:	openssh
$B9pCNF|(B:		2000-07-05
$B%/%l%8%C%H(B:	Markus Friedl <markus@OpenBSD.org>
$B1F6AHO0O(B:	FreeBSD 4.0-RELEASE, $B=$@5F|0JA0$N(B FreeBSD 4.0-STABLE $B$*$h$S(B 5.0-CURRENT
$B=$@5F|(B:		2000-06-11
$B%Y%s%@$N%9%F!<%?%9(B:	$B<eE@$K$D$$$FH/I=:Q(B
FreeBSD $B$K8GM-$+(B:	NO

I.   $BGX7J(B - Background

OpenSSH is an implementation of the SSH1 (and SSH2 in later versions)
secure shell protocols for providing encrypted and authenticated
network access, which is available free for unrestricted use.

OpenSSH $B$O(B SSH1 secure shell protocol $B$N<BAu$G(B, $BDL?.$N0E9f2=$*$h$SG'>Z(B
$B5!G=$rDs6!$7$^$9(B ($B:G6a$N%P!<%8%g%s$G$O(B SSH2 $B$b<BAu$7$F$$$^$9(B). OpenSSH 
$B$O;HMQ$K$D$$$F@)8B$r$7$J$$$h$&(B, $B%U%j!<$GDs6!$5$l$F$$$^$9(B. 

II.  $BLdBj$N>\:Y(B - Problem Description

The sshd server is typically invoked as root so it can manage general
user logins. OpenSSH has a configuration option, not enabled by
default ("UseLogin") which specifies that user logins should be done
via the /usr/bin/login command instead of handled internally.

sshd $B%5!<%P$O(B, $B0lHL$N%f!<%6%m%0%$%s$r=hM}$9$k$3$H$,$G$-$k$h$&(B, $BDL>o(B 
root $B8"8B$G<B9T$5$l$F$$$^$9(B. OpenSSH $B$K$O(B, $B%f!<%6%m%0%$%s$r%5!<%PFbIt(B
$B$G=hM}$;$:(B, /usr/bin/login $B%3%^%s%I7PM3$G9T$&$h$&$K$9$k(B "UseLogin" $B$H(B
$B$$$&@_Dj%*%W%7%g%s$,$"$j$^$9(B. $B$3$N%*%W%7%g%s$O%G%U%)%k%H$G$OM-8z$K$O$J(B
$B$C$F$$$^$;$s(B. 

OpenSSH also has a facility to enable remote users to execute commands
on the server non-interactively. In this case, the UseLogin directive
fails to correctly drop root privileges before executing the command,
meaning that remote users without root access can execute commands on
the local system as root.

OpenSSH $B$K$O(B, $B%j%b!<%H$N%f!<%6$,%5!<%P>e$GHsBPOCE*$K%3%^%s%I$r<B9T$G$-(B
$B$k$h$&$K$9$k5!G=$b$"$j$^$9(B. $B$3$N>l9g(B, $B%3%^%s%I$r<B9T$9$kA0$K(B UseLogin 
$B;XDj;R$,@5$7$/(B root $B8"8B$rMn$H$9=hM}$r9T$J$$$^$;$s(B. $B$D$^$j(B, root $B8"8B(B
$B$r;}$?$J$$%j%b!<%H$N%f!<%6$,(B, $B%m!<%+%k%7%9%F%`>e$N%3%^%s%I$r(B root $B8"8B(B
$B$G<B9T$9$k$3$H$,2DG=$G$9(B. 

Note that with the default configuration, OpenSSH is not vulnerable to
this problem, and this option is not needed for the vast majority of
systems.

Note that with the default configuration, OpenSSH is not vulnerable to
this problem. This option is not needed on the vast majority of systems.

OpenSSH is installed if you chose to install the 'crypto' distribution
at install-time or when compiling from source, and you either have the
international RSA libraries or installed the RSAREF port.

OpenSSH $B$,%$%s%9%H!<%k$5$l$k$N$O(B, FreeBSD $B%7%9%F%`$N%$%s%9%H!<%k;~$K(B 
'crypto' $B%G%#%9%H%j%S%e!<%7%g%s$rA*Br$9$k$+(B, $B%=!<%9$+$i%3%s%Q%$%k$9$k(B
$B>l9g$G$O(B, $B9q:]HG(B RSA $B%i%$%V%i%j$rMQ0U$7$F$*$/$+(B, RSAREF $B$N(B port $B$r;vA0(B
$B$K%$%s%9%H!<%k$7$F$*$$$?>l9g$G$9(B. 

III. $B1F6AHO0O(B - Impact

If your sshd configuration was modified to enable the 'UseLogin'
directive then remote users with SSH access to the local machine can
execute arbitrary commands as root.

sshd $B$N@_Dj$G(B 'UseLogin' $B;XDj;R$rM-8z$K$7$?>l9g(B, $B%m!<%+%k%^%7%s$K(B SSH 
$B%"%/%;%92DG=$J%j%b!<%H$N%f!<%6$,(B, $BG$0U$N%3%^%s%I$r(B root $B8"8B$G<B9T$9$k(B
$B$3$H$,2DG=$G$9(B. 

IV.  $BBP1~:v(B - Workaround

Set 'UseLogin No' in your /etc/ssh/sshd_config file and restart the
SSH server by issuing the following command as root:

/etc/ssh/sshd_config $B%U%!%$%k$G(B 'UseLogin No' $B$r;XDj$7(B, $B0J2<$N%3%^%s%I(B
$B$r(B root $B$G<B9T$9$k$3$H$G(B SSH $B%5!<%P$r:F5/F0$9$k(B. 

# kill -HUP `cat /var/run/sshd.pid`

This will cause the parent process to respawn and reread its
configuration file, and should not interfere with existing SSH sessions.

This causes the parent process to respawn and reread its configuration file.
It does not interfere with SSH sessions that are already established.

Note that a bug in sshd (discovered during preparation of this
advisory, fixed in FreeBSD 5.0-CURRENT and 4.0-STABLE as of
2000-07-03) means that it will fail to restart correctly unless it was
originally invoked with an absolute path (i.e. "/usr/sbin/sshd"
instead of "sshd"). Therefore you should verify that the server is
still running after you deliver the HUP signal:

Note that sshd has a bug that prevents it from restarting correctly if it
was not originally started with an absolute path (that is, if it was run
as "sshd" rather than as "/usr/sbin/sshd"). (This bug was discovered while
this advisory was being prepared. It is fixed in FreeBSD 5.0-CURRENT and
4.0-STABLE as of July 3, 2000.)

# ps -p `cat /var/run/sshd.pid`
  PID  TT  STAT      TIME COMMAND
 2110  ??  Ss     0:00.97 /usr/sbin/sshd

If the server is no longer running, restart it by issuing the
following command as root:

If the server process no longer exists, restart the server by running the
following command as root.

# /usr/sbin/sshd

V.   $B=$@5=hCV(B - Solution

One of the following:

Do one of the following.

1) Upgrade to FreeBSD 4.0-STABLE or 5.0-CURRENT after the correction
date. Note that these versions of FreeBSD contain a newer version of
OpenSSH than was in 4.0-RELEASE, version 2.1, which provides enhanced
functionality including support for the SSH2 protocol and DSA keys.

1) $B=$@5F|0J9_$N(B FreeBSD 4.0-STABLE $B$^$?$O(B 5.0-CURRENT $B$K%"%C%W%0%l!<%I(B
$B$9$k(B. FreeBSD $B$N$3$l$i$N%P!<%8%g%s$K$O(B 4.0-RELEASE $B$K4^$^$l$F$$$k$b$N(B
$B$h$j$b?7$7$$(B OpenSSH $B$N%P!<%8%g%s(B 2.1 $B$,4^$^$l$F$$$^$9(B. $B$3$N%P!<%8%g%s(B
$B$G$O(B, SSH2 $B%W%m%H%3%k$*$h$S(B DSA $B80$N%5%]!<%H$J$I$N5!G=6/2=$,$5$l$F$$$^(B
$B$9(B. 

2) Save this advisory as a file and extract the relevant patch for
your version of FreeBSD, or download the relevant patch and detached
PGP signature from the following location:

Save this advisory to a file and extract the patch that matches the FreeBSD
version you are using. Alternatively, download the matching patch and PGP
signature from the following URLs and verify the signature using a PGP
utility.

# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:30/sshd.patch
# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:30/sshd.patch.asc

Verify the detached signature using your PGP utility.

Issue the following commands as root:

$B0J2<$N%3%^%s%I$r(B root $B$G<B9T$7$^$9(B. 

# cd /usr/src/crypto/openssh
# patch -p < /path/to/patch/or/advisory
# cd /usr/src/secure/lib/libssh
# make all
# cd /usr/src/secure/usr.sbin/sshd
# make all install
# kill -HUP `cat /var/run/sshd.pid`

See the note in the "Workarounds" section about verifying that the
sshd server is still running.

See the note in the "Workaround" section and verify that the sshd server
process is still running.

VI.   $B%Q%C%A(B - Patch

   Index: sshd.c
   ===================================================================
   RCS file: /home/ncvs/src/crypto/openssh/sshd.c,v
   retrieving revision 1.6
   diff -u -r1.6 sshd.c
   --- sshd.c	2000/03/09 14:52:31	1.6
   +++ sshd.c	2000/07/04 03:40:46
   @@ -2564,7 +2564,13 @@
    	char *argv[10];
    #ifdef LOGIN_CAP
    	login_cap_t *lc;
   +#endif
    
   +	/* login(1) is only called if we execute the login shell */
   +	if (options.use_login && command != NULL)
   +		options.use_login = 0;
   +
   +#ifdef LOGIN_CAP
    	lc = login_getpwclass(pw);
    	if (lc == NULL)
    		lc = login_getclassbyname(NULL, pw);
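
Review bot: the new check `if (options.use_login && command != NULL)` clears `options.use_login` in the shared options structure rather than deciding through a local flag, so the administrator's configured value is overwritten as a side effect of handling one command request. If that is safe because this code only ever runs in the per-session child, the comment should say so; otherwise a local variable would be cleaner. The comment also describes when login(1) is called but not the security reason for the check, namely that a non-interactive command must go through the path that drops root privileges; one more line stating that would help the next reader.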

END--------------------- $B$3$3$^$G(B ------------------------
----
Koga Youichirou
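
An added example, not part of the original mail or of the advisory: a check for the workaround in section IV that reports the effective UseLogin setting of an sshd_config read on standard input. The function names and sample configurations are made up for illustration, and it assumes that keywords match case-insensitively and that the first UseLogin line is the one sshd uses.

```sh
#!/bin/sh
# Added example (not from the advisory): report the effective UseLogin
# setting of an sshd_config read on stdin.
# Assumptions: keywords match case-insensitively, the first UseLogin line
# is the one sshd uses, and no UseLogin line means the default ("no").

uselogin_effective() {
    awk '
        { sub(/#.*/, "") }                      # strip comments
        tolower($1) == "uselogin" && !seen {    # first occurrence wins
            seen = 1
            v = tolower($2)
        }
        END {
            if (!seen || v == "no" || v == "false") { print "no" }
            else if (v == "yes" || v == "true")     { print "yes" }
            else                                    { print "invalid" }
        }'
}

# Exit status 0 only when UseLogin is off, for use in a periodic check.
uselogin_is_off() {
    [ "$(uselogin_effective)" = "no" ]
}

# Constructed sample configurations (not taken from any real host).
SAMPLE_DEFAULT='Port 22
#UseLogin yes
PermitRootLogin no'

SAMPLE_ENABLED='Port 22
uselogin YES   # enabled by a local edit
UseLogin no'

SAMPLE_WORKAROUND='Port 22
UseLogin No'

for name in DEFAULT ENABLED WORKAROUND; do
    eval "cfg=\$SAMPLE_$name"
    printf '%-10s UseLogin=%s\n' "$name" \
        "$(printf '%s\n' "$cfg" | uselogin_effective)"
done
```

On a real host the input would be `/etc/ssh/sshd_config`, for example `uselogin_is_off < /etc/ssh/sshd_config || echo "UseLogin is enabled"`.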
