Re: sshd and pop/ftponly users incorrect configuration
On Wed, Jan 26, 2000 at 07:55:48PM -0800, Gregory Steuck wrote:
> >>>>> "Marc" == Marc SCHAEFER <firstname.lastname@example.org> writes:
> Marc> EXPLOIT Please do not request exploit from the listed
> Marc> authors. Requests for exploits will be ignored. A working
> Marc> exploit exists and has been tested on current Linux
> Marc> distributions. It is possible that an exploit be posted some
> Marc> time in the future (or that someone reads this and does it by
> Marc> himself ...).
> Lemme guess... I adjust my ssh client to request a local port forwarding
> as soon as possible and this way there's a race between fake shell
> (/bin/false) termination and connection establishment. And sshd waits
> for that connection to terminate. Or can I simply request a connection
> forwarding before I request a pty?
no, the race is between the fork() and the termination of the child.
port-fwding can be requested only after the 'shell' is forked.
if the 'shell' is slow you can 'exploit' this behaviour.
the recommended way to 'fix' this is to create a group and add 'DenyGroup bla'
to sshd_config or give no passwords to the users.
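
The group-deny fix recommended above, turned into an audit check (an added example, not part of the original message): it reads passwd, group and sshd_config text and lists accounts that have a non-login shell but are not covered by any deny pattern. It assumes OpenSSH's directive spellings (`DenyGroups`, `DenyUsers`); the shell list, function names and sample files are constructed for illustration, and negated patterns and the no-password alternative are not handled.

```python
import fnmatch

NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}  # assumed list

def deny_patterns(sshd_config):
    """Collect DenyUsers / DenyGroups patterns (keywords are case-insensitive)."""
    pats = {"denyusers": [], "denygroups": []}
    for line in sshd_config.splitlines():
        words = line.split()
        if words and words[0].lower() in pats:
            pats[words[0].lower()] += words[1:]
    return pats

def accounts(passwd, group):
    """Yield (user, names of primary + supplementary groups, shell)."""
    gid_name, extra = {}, {}
    for f in (l.split(":") for l in group.splitlines() if l.count(":") >= 3):
        gid_name[f[2]] = f[0]
        for u in filter(None, f[3].split(",")):
            extra.setdefault(u, set()).add(f[0])
    for f in (l.split(":") for l in passwd.splitlines() if l.count(":") >= 6):
        yield f[0], extra.get(f[0], set()) | {gid_name.get(f[3], f[3])}, f[6].strip()

def exposed_users(passwd, group, sshd_config):
    """Users with a non-login shell that sshd would still authenticate."""
    pats = deny_patterns(sshd_config)
    exposed = []
    for user, groups, shell in accounts(passwd, group):
        if shell not in NOLOGIN_SHELLS:
            continue
        # USER@HOST entries deny from one host only, so they do not count here.
        by_user = any(fnmatch.fnmatchcase(user, p)
                      for p in pats["denyusers"] if "@" not in p)
        by_group = any(fnmatch.fnmatchcase(g, p)
                       for g in groups for p in pats["denygroups"])
        if not (by_user or by_group):
            exposed.append(user)
    return sorted(exposed)

# Constructed sample data (not taken from any real system).
PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
          "popuser:x:1001:200:POP only:/home/popuser:/bin/false\n"
          "ftpuser:x:1002:1002:FTP only:/home/ftpuser:/bin/false\n"
          "mailbox:x:1003:1003::/home/mailbox:/sbin/nologin\n")
GROUP = "root:x:0:\nnoshell:x:200:mailbox\nftpuser:x:1002:\nmailbox:x:1003:\n"
SSHD = "Port 22\nDenyGroups noshell\n"

if __name__ == "__main__":
    print(exposed_users(PASSWD, GROUP, SSHD))
```

On a real host, pass in the contents of `/etc/passwd`, `/etc/group` and the active `sshd_config`; any name returned needs a deny entry or a locked password.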