Hutch: /* Workaround */

Hutch — Wed, 19 Mar 2008 21:16:17 GMT

Workaround

←Older revision		Revision as of 21:16, 19 March 2008
Line 53:		Line 53:
	- don't leak whether root password is right if root isn't allowed (#141642)		- don't leak whether root password is right if root isn't allowed (#141642)

-	# yum install openssh	+	# '''yum install openssh'''
	...		...
	I will do the following:		I will do the following:

Hutch at 21:15, 19 March 2008

Hutch — Wed, 19 Mar 2008 21:15:45 GMT

←Older revision		Revision as of 21:15, 19 March 2008
Line 3:		Line 3:
	$ '''cat /etc/redhat-release'''		$ '''cat /etc/redhat-release'''
	Red Hat Enterprise Linux AS release 3 (Taroon Update 4)		Red Hat Enterprise Linux AS release 3 (Taroon Update 4)
-		+
	$ '''rpm -q openssh'''		$ '''rpm -q openssh'''
	openssh-3.6.1p2-33.30.3		openssh-3.6.1p2-33.30.3

Hutch at 21:15, 19 March 2008

Hutch — Wed, 19 Mar 2008 21:15:36 GMT

←Older revision		Revision as of 21:15, 19 March 2008
Line 1:		Line 1:
-	[https://bugzilla.redhat.com/show_bug.cgi?id=124602]	+	[https://bugzilla.redhat.com/show_bug.cgi?id=124602 Bugzilla Bug 124602: OpenSSH does not allow users to change expired passwords when privsep is used]

	$ '''cat /etc/redhat-release'''		$ '''cat /etc/redhat-release'''

Hutch: New page: [https://bugzilla.redhat.com/show_bug.cgi?id=124602] $ '''cat /etc/redhat-release''' Red Hat Enterprise Linux AS release 3 (Taroon Update 4) $ '''rpm -q openssh''' openssh-3.6.1p2-33...

Hutch — Wed, 19 Mar 2008 21:15:06 GMT

New page: [https://bugzilla.redhat.com/show_bug.cgi?id=124602] $ '''cat /etc/redhat-release''' Red Hat Enterprise Linux AS release 3 (Taroon Update 4) $ '''rpm -q openssh''' openssh-3.6.1p2-33...

New page

[https://bugzilla.redhat.com/show_bug.cgi?id=124602]

$ '''cat /etc/redhat-release'''
Red Hat Enterprise Linux AS release 3 (Taroon Update 4)

$ '''rpm -q openssh'''
openssh-3.6.1p2-33.30.3

I attempt to login as a user with an expired password using ssh.

=== If privilege separation is enabled ===

If privilege separation is enabled, I receive the following error.

You are required to change your password immediately (password aged)
Your password has expired, the session cannot proceed.

=== If privilege separation is disabled ===

If privilege separation is disabled, I receive the following error.

From a remote system:

$ '''ssh hutchib@''host'''''
Password:
dispatch_protocol_error: type 60 seq 12
Disconnecting: Bad packet length 1158809210.

From the local system:

$ '''ssh hutchib@localhost'''
Password:
Warning: Your password has expired, please change it now.
9ea7 c5ec 6dc5 65ca debc beb7 7a68 0f0a

Disconnecting: Bad packet length 2661795308.

=== Workaround ===

Note that even after installing the latest OpenSSH package, privilege separation must be enabled in order to login with an expired account.

$ '''rpm -qp openssh-3.6.1p2-33.30.14.i386.rpm --changelog'''
...
* Wed Feb 02 2005 Tomas Mraz <tmraz@redhat.com> 3.6.1p2-33.30.4

- CAN-2004-0175 (#120147) don't allow scp to overwrite files
in other directories
- don't log in sigalarm handler - it can deadlock (#145001)

* Tue Feb 01 2005 Tomas Mraz <tmraz@redhat.com>

- '''allow changing expired passwords when privilege separation is on (#124602)'''
- don't leak whether root password is right if root isn't allowed (#141642)

# yum install openssh
...
I will do the following:
[update: openssh 3.6.1p2-33.30.14.i386]
I will install/upgrade these to satisfy the dependencies:
[deps: openssh-server 3.6.1p2-33.30.14.i386]
[deps: openssh-clients 3.6.1p2-33.30.14.i386]
[deps: openssh-askpass 3.6.1p2-33.30.14.i386]
Is this ok [y/N]: '''y'''

With privilege separation disabled:

$ '''ssh hutchib@''host'''''
Password:
Warning: Your password has expired, please change it now.
Disconnecting: Bad packet length 2062459566.

With privilege separation enabled:

$ '''ssh hutchib@''host'''''
You must change your password now and login again!
Changing password for user hutchib.
Changing password for hutchib
(current) UNIX password:
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
Connection to ''host'' closed.

Red Hat Bug 124602 In Action - Revision history

Hutch: /* Workaround */

Hutch at 21:15, 19 March 2008

Hutch at 21:15, 19 March 2008

Hutch: New page: [https://bugzilla.redhat.com/show_bug.cgi?id=124602] $ '''cat /etc/redhat-release''' Red Hat Enterprise Linux AS release 3 (Taroon Update 4) $ '''rpm -q openssh''' openssh-3.6.1p2-33...