Bug 222777

Comment 1 Pierre-Yves Rofes (RETIRED) 2008-05-19 08:52:03 UTC

this is not a vulnerability, reassigning to maintainers.

Please paste the output from `emerge -pv openssh`. If you have not compiled openssh with the `tcpd' USE-flag then this will be cause of the problem.

emerge -av openssh

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild   R   ] net-misc/openssh-4.7_p1-r6  USE="pam tcpd -X -X509 -chroot -hpn -kerberos -ldap -libedit (-selinux) -skey -smartcard -static" 0 kB 

Total: 1 package (1 reinstall), Size of downloads: 0 kB

(I re-emerged it anyway)
/etc/init.d/sshd stop
/etc/init.d/sshd start

May 19 19:42:05 my-host sshd[25288]: Server listening on :: port 22.
                                                                                                 May 19 19:42:05 my-host sshd[25288]: error: Bind to port 22 on 0.0.0.0 failed: Address already in use.                                                                
(don't know what's up there, I verified nothing was listening before starting it and sshd was listening after starting it with netstat-l and telnet localhost 22)

(remotely)
ssh aqwert@my-host.com
(fail the password 3 times - no actual account by that name anyway)

May 19 19:48:45 my-host sshd[26698]: Invalid user aqwert from remote-IP
May 19 19:48:47 my-host sshd[26701]: pam_unix(sshd:auth): check pass; user unknown
May 19 19:48:47 my-host sshd[26701]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=remote-host 
May 19 19:48:49 my-host sshd[26698]: error: PAM: Authentication failure for illegal user aqwert from remote-host
May 19 19:48:49 my-host sshd[26698]: Failed keyboard-interactive/pam for invalid user aqwert from remote-IP port 52361 ssh2
May 19 19:48:50 my-host sshd[26703]: pam_unix(sshd:auth): check pass; user unknown
May 19 19:48:50 my-host sshd[26703]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=remote-host
May 19 19:48:52 my-host sshd[26698]: error: PAM: Authentication failure for illegal user aqwert from remote-host
May 19 19:48:52 my-host sshd[26698]: Failed keyboard-interactive/pam for invalid user aqwert from remote-IP port 52361 ssh2
May 19 19:48:53 my-host sshd[26705]: pam_unix(sshd:auth): check pass; user unknown
May 19 19:48:53 my-host sshd[26705]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=remote-host
May 19 19:48:55 my-host sshd[26698]: error: PAM: Authentication failure for illegal user aqwert from remote-host
May 19 19:48:55 my-host sshd[26698]: Failed keyboard-interactive/pam for invalid user aqwert from remote-IP port 52361 ssh2

ssh bqwert@my-host.com
(fail the password 3 times - no actual account by that name anyway)

(All of the above messages repeated plus:)
May 19 19:55:25 my-host denyhosts: Added the following hosts to /etc/hosts.deny - remote-IP (remote-host)
May 19 19:55:25 my-host denyhosts: Added the following hosts to /etc/hosts.deny - remote-host

(confirmed the following entries in /etc/hosts.deny)
ALL: remote-IP
ALL: remote-host

ssh cqwert@my-host.com
(get a password prompt instead of a connection refused)
(fail the password 3 times - no actual account by that name anyway)
(all of the messages from the first failure)

ssh valid-user@my-host.com
(correct password and successful login)
May 19 19:59:07 my-host sshd[28189]: Accepted keyboard-interactive/pam for valid-user from remote-IP port 53339 ssh2                                                    
May 19 19:59:07 my-host sshd[28193]: pam_unix(sshd:session): session opened for user valid-user by (uid=0)                                                                  

---------------------------------------------------------------------------
emerge --info:
Portage 2.1.4.4 (default-linux/x86/2007.0, gcc-4.1.2, glibc-2.6.1-r0, 2.6.23.17-linode43 i686)
=================================================================
System uname: 2.6.23.17-linode43 i686 UML
Timestamp of tree: Mon, 19 May 2008 09:16:01 +0000
app-shells/bash:     3.2_p33
dev-java/java-config: 1.3.7, 2.1.6
dev-lang/python:     2.4.4-r9
dev-python/pycrypto: 2.0.1-r6
sys-apps/baselayout: 1.12.11.1
sys-apps/sandbox:    1.2.18.1-r2
sys-devel/autoconf:  2.13, 2.61-r1
sys-devel/automake:  1.5, 1.10.1
sys-devel/binutils:  2.18-r1
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool:   1.5.26
virtual/os-headers:  2.6.23-r3
ACCEPT_KEYWORDS="x86"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=i686 -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /var/qmail/alias /var/qmail/control /var/vpopmail/etc"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-O2 -march=i686 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="ccache collision-protect cvs distlocks maketest metadata-transfer nostrip parallel-fetch sandbox sfperms splitdebug strict unmerge-orphans userfetch"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://www.ibiblio.org/pub/Linux/distributions/gentoo"
LINGUAS="en en_GB"
MAKEOPTS="-j 2"
PKGDIR="/share/built-packages"
PORTAGE_RSYNC_EXTRA_OPTS="--timeout=45"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.namerica.gentoo.org/gentoo-portage"
USE="3dnow apache2 bash-completion bzlib crypt doc imap java libwww maildir mmx mysql nls nptl nptlonly pam php readline sse ssl tcltk tcpd unicode vhosts x86 xml xml2 zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1       emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m       maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="authz_host dir mime alias asis auth_basic authn_alias authn_anon authn_default authn_file authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock dbd dir dumpio env expires ext_filter file_cache filter headers ident imagemap include info log_config logio mime mime_magic negotiation proxy proxy_ajp proxy_connect proxy_http rewrite setenvif speling status unique_id userdir usertrack vhost_alias" APACHE2_MPMS="worker" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en en_GB" USERLAND="GNU" VIDEO_CARDS="apm ark chips cirrus cyrix dummy fbdev glint i128 i740 i810 imstt         mach64 mga neomagic nsc nv r128 radeon rendition s3 s3virge savage      siliconmotion sis sisusb tdfx tga trident tseng v4l vesa vga via vmware         voodoo"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTDIR_OVERLAY

Ok, this is getting brutal.  I had to do something so I changed /etc/denyhosts.conf to have the following line:

PLUGIN_DENY=/root/denyhosts.sh

And in that file I put:

iptables --append INPUT --protocol tcp --source ${1} --destination-port 22 --jump DROP

Which is working but not ideal as now my tables are getting huge.  I may have to create a new table just for NEW connections to port 22 and list them all in there.  It still isn't good in terms of kernel memory though.

PS.  I would consider this as a security issue although not an exploit.  But those 'tards are trying like hell to exploit it.

This seems to be a problem (unresolved) in the forums too.
http://forums.gentoo.org/viewtopic-p-5099314.html

The solution is here:
http://forums.gentoo.org/viewtopic-p-4146699.html#4146699

That brings up an interesting issue but I'm guessing that the problem is in the sshd daemon but can't be positive without digging into the code to see if it uses a library (tcp-wrappers) to read /etc/hosts.deny or parses it internally.

The problem will persist for those using a dynamic IP address who cannot uncomment the listen line in /etc/ssh/sshd_config and add a real IP address though.  So I'm not going to close the bug until this gets some more experienced developers to chime in.  The hosts.deny file is ignored by sshd regardless of the format:
sshd: IP-addr
ALL: IP-addr
and with hostnames too.  :/

Sorry for the bug spam guys.

This is a linode  (www.linode.com) VM and although IPv6 is disabled in the tcp-wrappers it is enabled in the kernel as I have no control over that.

[ebuild   R   ] sys-apps/tcp-wrappers-7.6-r8  USE="-ipv6" 0 kB                                                                                                                  
[ebuild   R   ] net-misc/openssh-4.7_p1-r6  USE="pam tcpd -X -X509 -chroot -hpn -kerberos -ldap -libedit (-selinux) -skey -smartcard -static" 0 kB                              

Many people smarter than I suggested that the problem is it is coming in as an IPv6 packet and getting translated to an IPv4 packet for the wrapper libs and that is where things are getting confused.  This may very well be the problem and a test was proposed to rebuild everything with IPv6 enabled and test it again.  I don't really have that option (everything has -ipv6 in package.use) as I've explained but it sounds reasonable.  Anyway, the solution of adding a ListenAddress to /etc/ssh/sshd_config has solved the problem for now.  

Comment 8 SpanKY 2008-05-31 07:00:56 UTC

i dont think you need to rebuild everything ... just tcp-wrappers