-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

SSH Security Hole

On 2023-01-25, ~yosh emailed me about a security hole with SSH authentication. Before that day, anyone could gain SSH shell access as any LDAP user with a blank or invalid password. This didn't affect any other service, including sudo or passwd, so it wasn't possible to gain access to anything except an SSH shell. As far as I know, this issue didn't affect plain UNIX users in /etc/passwd, and I have no reason to believe this was ever actually abused.

The misconfiguration occurred with PAM and OpenSSH. Despite PasswordAuthentication being disabled in OpenSSH, KbdInteractiveAuthentication was still enabled by default, allowing PAM to display a login prompt for a password; modifying the PAM and OpenSSH configuration fixed the password validation error and also disabled plaintext authentication for good.

Since passwords are stored hashed in LDAP with proper authentication required to view the hash, I don't believe any password hashes were accessed. Root access was not possible directly, and I think a targeted attack was unlikely. WTMP logs show no unusual logins, SSH logs indicate that root login was disabled, and common automated botnet scanning only attempts password and not keyboard-interactive auth (usually with invalid users as well).

In any case, I would recommend that you update your password or, at the very least, change it to the same one if you haven't in the past month or so. New users or users that changed their password after December 2022 should have passwords hashed with ARGON2ID, otherwise PBKDF2-SHA512 with 10000 iterations.

I'm sorry this wasn't noticed earlier. In any case, it seems other systems were properly configured, and I've learned PAM is a beast that you should probably avoid messing with too much, lest confusing security holes rear their heads.
~ Kayden
-----BEGIN PGP SIGNATURE-----

iIUEARYKAC0WIQRno5Q3hhi3LrTVzGmw6+EXSbmTZwUCY9LLZA8cYWxwaGFAdW5p
eC5kb2cACgkQsOvhF0m5k2cGBwD/VCJf+pfFr3YrUYDhYArLK24Etf21aiawsjga
w6nymhUBAMiNpL0hCsk1ygex8TEa1BkF2ttBlqwwiw48jI2WX8AG
=Ij65
-----END PGP SIGNATURE-----
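The sshd side of the hole described in the message above (PasswordAuthentication off, but KbdInteractiveAuthentication still on with UsePAM, so PAM can still put up a password prompt) can be audited from the effective configuration that `sshd -T` prints. The script below is an added example, not part of the signed advisory or of the server's actual configuration; the two `sshd -T` excerpts it checks are constructed to mirror a before-fix and after-fix state, and on a real host you would feed it `sudo sshd -T` instead. It only inspects sshd; the PAM stack change the message mentions is not reproduced here because the advisory does not say what it was.

```shell
#!/bin/sh
# Added example (not from the advisory). Audits `sshd -T` output for an
# interactive password path that survives PasswordAuthentication=no.

# Print the value of one lowercase keyword from `sshd -T` output.
# $1: keyword, $2: the full `sshd -T` text
sshd_opt() {
    printf '%s\n' "$2" | awk -v k="$1" '$1 == k { print $2; exit }'
}

# Returns 0 when no interactive password authentication path is exposed,
# 1 when PasswordAuthentication or a PAM keyboard-interactive prompt is on.
audit_sshd_config() {
    cfg="$1"
    pw=$(sshd_opt passwordauthentication "$cfg")
    kbd=$(sshd_opt kbdinteractiveauthentication "$cfg")
    # OpenSSH before 8.7 prints the old keyword name for the same setting.
    [ -z "$kbd" ] && kbd=$(sshd_opt challengeresponseauthentication "$cfg")
    pam=$(sshd_opt usepam "$cfg")

    if [ "$pw" = "yes" ]; then
        echo "FAIL: PasswordAuthentication is enabled"
        return 1
    fi
    if [ "$kbd" = "yes" ] && [ "$pam" = "yes" ]; then
        echo "FAIL: PasswordAuthentication=no but KbdInteractiveAuthentication=yes"
        echo "      with UsePAM=yes: PAM can still show a password prompt"
        return 1
    fi
    echo "OK: no interactive password authentication path"
    return 0
}

# Constructed sample: the state described in the advisory before the fix.
SSHD_T_BEFORE_FIX="permitrootlogin no
passwordauthentication no
kbdinteractiveauthentication yes
usepam yes
pubkeyauthentication yes"

# Constructed sample: the same host after disabling keyboard-interactive auth.
SSHD_T_AFTER_FIX="permitrootlogin no
passwordauthentication no
kbdinteractiveauthentication no
usepam yes
pubkeyauthentication yes"

audit_sshd_config "$SSHD_T_BEFORE_FIX"
audit_sshd_config "$SSHD_T_AFTER_FIX"
```

The config check is only half the verification; the other half is to try the path from outside once the change is live: `ssh -o PreferredAuthentications=keyboard-interactive -o PubkeyAuthentication=no someuser@host` should be refused with "Permission denied (publickey)" and never show a Password: prompt. Note that `sshd -T` reports the running binary's effective values (including defaults such as KbdInteractiveAuthentication being yes when unset), which is exactly what the advisory's "enabled by default" refers to and why grepping sshd_config alone is not enough.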