SSH Security Hole
Posted Thu, 26 Jan 2023 12:51:32 CST. Download PGP signature.
On 2023-01-25, ~yosh emailed me about a security hole with SSH authentication. Before that day, anyone could gain SSH shell access as any LDAP user with a blank or invalid password. This didn't affect any other service, including sudo or passwd, so it wasn't possible to gain access to anything except an SSH shell. As far as I know, this issue didn't affect plain UNIX users in /etc/passwd, and I have no reason to believe it was ever actually abused.

The misconfiguration occurred with PAM and OpenSSH. Despite PasswordAuthentication being disabled in OpenSSH, KbdInteractiveAuthentication was still enabled by default, allowing PAM to display a login prompt for a password; modifying the PAM and OpenSSH configuration fixed the password validation error and also disabled plaintext authentication for good.

Since passwords are stored hashed in LDAP, with proper authentication required to view the hash, I don't believe any password hashes were accessed. Root access was not possible directly, and I think a targeted attack was unlikely. WTMP logs show no unusual logins, SSH logs indicate that root login was disabled, and common automated botnet scanning only attempts password authentication, not keyboard-interactive (usually with invalid usernames as well). In any case, I would recommend that you update your password, or at the very least change it to the same one if you haven't in the past month or so. New users, or users that changed their password after December 2022, should have passwords hashed with Argon2id; otherwise PBKDF2-SHA512 with 10000 iterations.

I'm sorry this wasn't noticed earlier. In any case, it seems other systems were properly configured, and I've learned PAM is a beast that you should probably avoid messing with too much, lest confusing security holes rear their head.

~ Kayden
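The OpenSSH side of the misconfiguration above is easy to miss because defaults never appear in sshd_config; only `sshd -T`, which prints every keyword in lower case with its effective value, shows them. The following script is an added example, not code from the original post or from the server it describes: it audits a `sshd -T` dump for the exact combination the post names (PasswordAuthentication off, but keyboard-interactive still on while UsePAM is on, so PAM can still prompt for a password) and prints the sshd_config lines that close it. The two dumps are constructed samples; the PAM-side change that let a blank or invalid password through is not described in the post, so only the OpenSSH side is covered here.

```shell
#!/bin/sh
# Added example (not from the original post). Audits the *effective* sshd
# configuration, i.e. the output of `sshd -T`, for plaintext login methods
# that remain reachable even though PasswordAuthentication is off.

# sshd_val DUMP KEYWORD -> value of the first matching line (empty if absent)
sshd_val() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2; exit }'
}

# audit_sshd_dump DUMP -> prints one of: password-open, kbd-interactive-open, ok
audit_sshd_dump() {
    pw=$(sshd_val "$1" passwordauthentication)
    usepam=$(sshd_val "$1" usepam)
    # OpenSSH before 8.7 called this keyword challengeresponseauthentication;
    # accept either spelling so the check works on older hosts too.
    kbd=$(sshd_val "$1" kbdinteractiveauthentication)
    [ -n "$kbd" ] || kbd=$(sshd_val "$1" challengeresponseauthentication)

    if [ "$pw" = "yes" ]; then
        echo password-open
    elif [ "$kbd" = "yes" ] && [ "$usepam" = "yes" ]; then
        # Exactly the hole from the post: no passwords via the SSH "password"
        # method, but PAM can still ask for one via keyboard-interactive.
        echo kbd-interactive-open
    else
        echo ok
    fi
}

# Lines to add to sshd_config to close the hole. Run `sshd -t` afterwards to
# validate the file and `sshd -T` to confirm the effective values. UsePAM stays
# on so PAM account/session handling still runs; it just cannot authenticate.
hardened_sshd_fragment() {
    cat <<'EOF'
PasswordAuthentication no
KbdInteractiveAuthentication no
# On OpenSSH older than 8.7 use the old name instead:
# ChallengeResponseAuthentication no
UsePAM yes
EOF
}

# Constructed sample of `sshd -T` output reproducing the misconfiguration.
MISCONFIGURED_DUMP='permitrootlogin no
passwordauthentication no
kbdinteractiveauthentication yes
usepam yes'

# Constructed sample of the same host after the fix: keys only.
FIXED_DUMP='permitrootlogin no
passwordauthentication no
kbdinteractiveauthentication no
usepam yes
authenticationmethods publickey'

echo "before fix: $(audit_sshd_dump "$MISCONFIGURED_DUMP")"
echo "after fix:  $(audit_sshd_dump "$FIXED_DUMP")"
```

On a live host, feed the real dump with `audit_sshd_dump "$(sshd -T)"` (as root, since `sshd -T` reads the host keys). Anything other than `ok` means a password prompt is still reachable over SSH and PAM's password stack is in the authentication path.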