From: Golden_Eternity (bhodi@bigfoot.com)
Date: Sat Jul 21 2001 - 13:02:49 CDT
I have tested and confirmed this problem on RedHat 6.2 with SSH 3.0.0
installed. The majority of accounts are properly locked out, but the
optional user 'postgres' by default has a password '!!' and is assigned the
shell '/bin/bash'.
The impact of this problem could have been reduced if an appropriate shell,
such as /bin/false, had been assigned. This was not listed in the advisory
as a possible workaround, probably because it does not prevent
authentication as the target account. While I was unable to exec an
alternate shell for an account with /bin/false as its default (ssh appears
to check for this), someone else might find a way.
I contacted RedHat about assigning shells to system accounts in June 2000
(http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=12409), but they
elected not to fix the problem.
Another possible workaround is the PermitEmptyPasswords directive in
sshd2_config. When set to "no", I was unable to log in under the affected
account.
[root@shiva /root]# cat /etc/shadow | grep "postgres"
postgres:!!:11515:0:99999:7:::
[root@shiva /root]# ssh -l postgres localhost
postgres's password: <Null Password Entered>
Authentication successful.
Last login: Sat Jul 21 2001 09:09:21 -0700 from localhost
bash$ logout
Connection to localhost closed.
[root@shiva /root]# cat /etc/passwd | grep postgres
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
[root@shiva /root]# chsh -s /bin/false postgres
Changing shell for postgres.
Warning: "/bin/false" is not listed in /etc/shells
Shell changed.
[root@shiva /root]# cat /etc/passwd | grep postgres
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/false
[root@shiva /root]# ssh -l postgres localhost
postgres's password: <Null Password Entered>
Authentication successful.
Last login: Sat Jul 21 2001 09:11:01 -0700 from localhost
Connection to localhost closed.
[root@shiva /root]#
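A small audit script for the two workarounds discussed in the message above (locked accounts that keep an interactive shell, and PermitEmptyPasswords in sshd2_config), added here as an example; it is not code from the original post. The sample passwd/shadow/config contents, the temporary paths, the list of shells it treats as non-login and the lock markers it recognizes ("!!", "!", "*", empty) are the example's own assumptions. It reads copies of the files rather than the live ones, so it can be run against a saved snapshot of a host.

```shell
#!/bin/sh
# Added example, not code from the original post: audit a host for the two
# conditions the message describes, i.e. accounts whose shadow password
# field is a lock marker (such as "!!") but which still have an interactive
# shell, and an sshd2_config that does not set PermitEmptyPasswords to "no".
# Sample file contents and the temporary paths used here are constructed.

# Print "user shell" for each shadow entry whose password field is a lock
# marker ("!!", "!", "*" or empty) and whose passwd shell is not one of the
# non-login shells listed below (that list is an assumption of this example).
# Usage: audit_locked_shell_accounts PASSWD_FILE SHADOW_FILE
audit_locked_shell_accounts() {
    passwd_file=$1
    shadow_file=$2
    while IFS=: read -r user hash _rest; do
        case "$hash" in
            ''|'!'|'!!'|'*') ;;   # locked or passwordless: a candidate
            *) continue ;;        # a real hash: not the case discussed
        esac
        shell=$(awk -F: -v u="$user" '$1 == u { print $7 }' "$passwd_file")
        # passwd(5): an empty shell field means /bin/sh, i.e. interactive.
        case "${shell:-/bin/sh}" in
            /bin/false|/sbin/nologin|/usr/sbin/nologin) ;;
            *) printf '%s %s\n' "$user" "${shell:-/bin/sh}" ;;
        esac
    done < "$shadow_file"
}

# Exit 0 if CONFIG_FILE contains an effective "PermitEmptyPasswords no"
# (last uncommented occurrence wins, keyword compared case-insensitively),
# 1 if it says "yes" or the directive is missing.
# Usage: empty_passwords_denied CONFIG_FILE
empty_passwords_denied() {
    awk '
        /^[[:space:]]*#/ { next }
        tolower($1) == "permitemptypasswords" { last = tolower($2) }
        END { if (last == "no") exit 0; exit 1 }
    ' "$1"
}

# Write constructed sample files into DIR: the postgres lines from the
# message, a correctly locked ftp account, a normal user, and a weak and a
# hardened sshd2_config fragment.  The root/alice hashes are dummies.
make_sample_files() {
    dir=$1
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
alice:x:500:500:Alice:/home/alice:/bin/bash
EOF
    cat > "$dir/shadow" <<'EOF'
root:$1$dummysalt$dummyhashdummyhashdummy:11515:0:99999:7:::
postgres:!!:11515:0:99999:7:::
ftp:*:11515:0:99999:7:::
alice:$1$dummysalt$dummyhashdummyhashdummy:11515:0:99999:7:::
EOF
    printf '# weak: on the affected SSH 3.0.0 build, locked accounts are reachable\nPermitEmptyPasswords yes\n' \
        > "$dir/sshd2_config.weak"
    printf '# hardened: the workaround from the message\nPermitEmptyPasswords no\n' \
        > "$dir/sshd2_config.fixed"
}

# Stand-alone demo against the constructed files.
demo() {
    tmp=$(mktemp -d)
    make_sample_files "$tmp"
    echo "Locked accounts that still have a login shell:"
    audit_locked_shell_accounts "$tmp/passwd" "$tmp/shadow"
    for f in weak fixed; do
        if empty_passwords_denied "$tmp/sshd2_config.$f"; then
            echo "sshd2_config.$f: PermitEmptyPasswords no (ok)"
        else
            echo "sshd2_config.$f: empty passwords still permitted"
        fi
    done
    rm -rf "$tmp"
}

demo
```

Against the constructed files the audit reports only `postgres /bin/bash`: ftp is locked too, but its /sbin/nologin shell keeps it out of the list, which is exactly the difference the chsh step in the message makes. Note that, as the message also observes, a non-login shell limits the impact but does not stop the authentication itself; the config check is the part that actually denies the login.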