Created attachment 278369: Pam configuration and sshd configuration

I have a gentoo vps running openssh 5.8 p2 with kernel 2.6.39-r2 (gentoo-sources). Pam version: 1.1.3-r1. The system was updated just today, no chances of stale software.

The problem is, any valid user is able to login with any password (not only the password set for him), any random password like 555 or 11 or anything. The logs say, authentication failed, session opened:

Jun 27 22:22:43 [sshd] pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxx.xxx.xxx.xxx user=random56l123
Jun 27 22:22:44 [sshd] Accepted keyboard-interactive/pam for random56l123 from 121.246.205.20 port 33864 ssh2
Jun 27 22:22:44 [sshd] pam_unix(sshd:session): session opened for user random56l123 by (uid=0)
Jun 27 22:23:31 [sshd] Received disconnect from xxx.xxx.xxx.xxx: 11: disconnected by user
Jun 27 22:23:31 [sshd] pam_unix(sshd:session): session closed for user random56l123

* random56l123 is a valid user with a proper password
* I initially suspected sshd being hacked as suggested by some on #gentoo; remerging (after deleting the old distfiles) didn't help.

I have checked /etc/pam.d/sshd, which includes system-remote-login which ultimately includes system-login; it has been attached. Openssh configuration is attached too.
I can not reproduce this with the software versions you have mentioned. PAM guys: Anything you can add here?
@Alex, have you verified that the configuration I posted is correct? I don't find any fault with those, because it is the same as the configuration found on my local system. Furthermore, I even ran a rootkit scan using rkhunter & chkrootkit, and found nothing. This is getting really weird. I'm going as far as possible to avoid a format-and-reinstall, which is the ultimate thing to do.
@Nilesh: please attach the following:
1. emerge --info
2. tarball of all of /etc/pam.d/
3. ps -ef |grep sshd
4. pidof /usr/sbin/sshd
5. pgrep -f /usr/sbin/sshd
6. lsof -n |grep sshd

Also, I assume you did restart sshd after re-emerging it? I can't reproduce either here.
Created attachment 278589: emerge --info
Created attachment 278591: tarball of /etc/pam.d
localhost ~ # ps -ef | grep sshd
root      1330     1  0 01:26 ?        00:00:00 sshd: root@pts/0
root     10712     1  0 01:33 ?        00:00:00 /usr/sbin/sshd
root     10772  1332  0 01:41 pts/0    00:00:00 grep --colour=auto sshd
localhost ~ #
-----------------------
localhost ~ # pidof /usr/sbin/sshd
10712
localhost ~ #
-----------------------
localhost ~ # pgrep -f /usr/sbin/sshd
10712
localhost ~ #
-----------------------
Created attachment 278593: Output of lsof -n | grep sshd
And yeah, I did reload sshd (also tried a restart), because emerge gave me a notice.
Your pam.d/system-auth is CRITICALLY insecure. You have:

auth sufficient pam_unix.so try_first_pass likeauth nullok

It should be:

auth required pam_unix.so try_first_pass likeauth nullok

Where did you get this pam.d/system-auth file? ALL pam_unix lines should be 'required', not 'sufficient', unless you have another 'required' line after them.
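As an added example (not code from the bug thread or from Gentoo), the check below flags a pam_unix 'sufficient' line that has no later 'required' line in the same stack, and a simplified model of PAM's control flags shows why a wrong password still gets through such a stack. The system-auth sample is constructed to mirror the line quoted above; the model covers only the simple keywords (required/requisite/sufficient/optional) and does not expand include/substack lines.

```python
import re

# Constructed sample: a Gentoo-style /etc/pam.d/system-auth with the insecure
# line quoted in the comment (pam_unix marked 'sufficient' instead of 'required').
INSECURE_SYSTEM_AUTH = """\
auth      required    pam_env.so
auth      sufficient  pam_unix.so try_first_pass likeauth nullok
auth      optional    pam_permit.so
account   required    pam_unix.so
password  required    pam_unix.so try_first_pass sha512 shadow
session   required    pam_unix.so
"""
# The corrected file: same stack with pam_unix set back to 'required'.
FIXED_SYSTEM_AUTH = INSECURE_SYSTEM_AUTH.replace("sufficient  pam_unix.so",
                                                 "required    pam_unix.so")

# stack, control (keyword or [bracketed form]), module; comments and blanks skipped
LINE_RE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def parse_pam(text):
    """Return (stack, control, module) triples for each effective config line."""
    out = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.split("#", 1)[0].strip())
        if m:
            out.append(m.groups())
    return out

def sufficient_pam_unix(text):
    """Findings as (stack, index): pam_unix 'sufficient' with no later 'required' in that stack."""
    entries = parse_pam(text)
    return [(stack, i) for i, (stack, ctl, mod) in enumerate(entries)
            if mod == "pam_unix.so" and ctl == "sufficient"
            and not any(s == stack and c == "required" for s, c, _ in entries[i + 1:])]

def simulate_auth(text, unix_ok):
    """Simplified PAM auth-stack evaluation: pam_unix returns unix_ok, every other
    module succeeds. Returns True if the stack as a whole would accept the login."""
    failed = False
    for stack, ctl, mod in parse_pam(text):
        if stack != "auth":
            continue
        ok = unix_ok if mod == "pam_unix.so" else True
        if ctl == "sufficient" and ok and not failed:
            return True   # stack ends immediately with success
        if ctl == "requisite" and not ok:
            return False  # stack ends immediately with failure
        if ctl == "required" and not ok:
            failed = True  # keep running the stack, but it will fail
    return not failed     # a failed 'sufficient' pam_unix is simply ignored here
```

With the insecure file, simulate_auth(..., unix_ok=False) still returns True: pam_unix's failure is skipped and the optional pam_permit line closes the stack successfully, which matches the "authentication failure" followed by "session opened" in the reporter's log.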
Whoa! And that solved the problem, so it was basically a configuration issue, damn. I'm sorry for the trouble caused to you guys. I think this was caused by me installing pam_mysql, modifying that file and then forgetting to update it when I removed pam_mysql. ^_^ Thanks a ton! You saved my time and effort to reinstall the whole system.
If you ever had that system on the internet, you should reinstall anyways - I see ssh brute forces all the time - and every scriptkiddy could have fixed the logs to look clean. Just my 2ct.
(In reply to comment #11)
> If you ever had that system on the internet, you should reinstall anyways - I
> see ssh brute forces all the time - and every scriptkiddy could have fixed the
> logs to look clean.
>
> Just my 2ct.

Thankfully my root account was protected, because I use a very strong password (generated by ranpwd) and I allow only pubkey logins to the root account.