
Re: sshd and pop/ftponly users incorrect configuration



On Wed, Jan 26, 2000 at 07:55:48PM -0800, Gregory Steuck wrote:
> >>>>> "Marc" == Marc SCHAEFER <schaefer@alphanet.ch> writes:
> 
>     Marc> EXPLOIT Please do not request exploit from the listed
>     Marc> authors. Requests for exploits will be ignored. A working
>     Marc> exploit exists and has been tested on current Linux
>     Marc> distributions. It is possible that an exploit be posted some
>     Marc> time in the future (or that someone reads this and does it by
>     Marc> himself ...).
> 
> Lemme guess... I adjust my ssh client to request a local port forwarding
> as soon as possible and this way there's a race between fake shell
> (/bin/false) termination and connection establishment. And sshd waits
> for that connection to terminate. Or can I simply request a connection
> forwarding before I request a pty?

no, the race is between the fork() and the termination of the child.
port-fwding can be requested only after the 'shell' is forked.
if the 'shell' is slow you can 'exploit' this behaviour.

the recommended way to 'fix' this is to create a group and add 'DenyGroup bla'
to sshd_config or give no passwords to the users.

-markus
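
An added example, not part of the original message: an audit that lists accounts with a no-login shell that sshd would still authenticate, meaning a usable password and no matching deny rule, which is the gap the two suggested fixes close. It assumes OpenSSH's `DenyGroups` and `DenyUsers` keywords and the standard passwd, group and shadow layouts; the sample data and function names are constructed for illustration, and `Match` blocks and `user@host` patterns are not handled.

```python
import fnmatch

# Constructed sample files (not from the original post).
PASSWD = """\
alice:x:1000:100::/home/alice:/bin/bash
popuser:x:1001:2000::/var/mail/popuser:/bin/false
ftpuser:x:1002:100::/srv/ftp:/bin/false
mailbox:x:1003:100::/var/mail/mailbox:/bin/false
locked:x:1004:100::/nonexistent:/bin/false
"""
GROUP = "users:x:100:\nnossh:x:2000:ftpuser\n"
SHADOW = """\
alice:$6$constructed:19000::::::
popuser:$6$constructed:19000::::::
ftpuser:$6$constructed:19000::::::
mailbox:$6$constructed:19000::::::
locked:!:19000::::::
"""
SSHD_CONFIG = "Port 22\nDenyGroups nossh\n"
NOLOGIN_SHELLS = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin"}

def deny_patterns(config, keyword):
    """Patterns from every `keyword` line; sshd_config keywords are case-insensitive."""
    rows = (line.split("#", 1)[0].split() for line in config.splitlines())
    return [p for r in rows if r and r[0].lower() == keyword.lower() for p in r[1:]]

def exposed_accounts(passwd, group, shadow, config):
    """Return no-login-shell accounts that can still authenticate to sshd."""
    gid_name, members = {}, {}
    for name, _, gid, users in (l.split(":") for l in group.splitlines()):
        gid_name[gid] = name
        for u in filter(None, users.split(",")):
            members.setdefault(u, set()).add(name)
    hashes = {f[0]: f[1] for f in (l.split(":") for l in shadow.splitlines())}
    deny_g, deny_u = (deny_patterns(config, k) for k in ("DenyGroups", "DenyUsers"))
    found = []
    for user, _, _, gid, _, _, shell in (l.split(":") for l in passwd.splitlines()):
        if shell not in NOLOGIN_SHELLS:
            continue  # real shell users are out of scope for this check
        # A deny rule applies to the primary group and to supplementary groups.
        groups = members.get(user, set()) | {gid_name.get(gid, gid)}
        denied = any(fnmatch.fnmatch(user, p) for p in deny_u) or any(
            fnmatch.fnmatch(g, p) for g in groups for p in deny_g)
        # "!" or "*" marks a locked password; a missing entry is treated as locked.
        locked = hashes.get(user, "!").startswith(("!", "*"))
        if not denied and not locked:
            found.append(user)
    return found
```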