Open SSH security issues...

Discussion in 'General Mac Discussion' started by Rower_CPU, Mar 8, 2002.

  1. Rower_CPU Moderator emeritus

    Rower_CPU

    Joined:
    Oct 5, 2001
    Location:
    San Diego, CA
    #1
    Just saw this on http://osx.macnn.com/:

    The OpenSSH group has has posted a patch for the SSH component included in Mac OS X 10.1.3 that fixes a potentially serious security flaw in the software. According to a Pine Internet Security report, users with an existing account can abuse this bug to gain root privileges. Additionally, a malicious SSH server could take advantage of the bug by exploiting a vulnerable connecting client. Pine rates the potential impact of the security hole to be 'high' if not patched.

    I took a look at the "patch". You have to go in and manually swap in the new code. Bleagh! I hope Apple creates their own patch soon, and releases it via SU.

    I really hope we don't start seeing a lot of this...I'm getting comfortable with the CLI, but I don't want to have to spend the majority of my time there to keep my system functional. :(
     
  2. evildead macrumors 65816

    evildead

    Joined:
    Jun 18, 2001
    Location:
    WestCost, USA
    #2
    are you using ssh?

    if your not using ssh... then turn it off. I bet that most mac ussers are not using it. From your post I see that it effects the ssh server. Just go into the configuation files in /etc (I think thats were they are. The are called ssh_config and sshd_config (the server) if its not under /etc then its under /usr/local/... something


    I'm at work right now at my PC (Yuck) So i cant look for the directory path right now. All you have to do is comment out a few things in those config files or you can just kill the process and trash the start up scipts. If you want help ... I can look for the startup scrips later. They will probably be in /etc/rc1.d or /etc/rc2.d or /etc/rc2.d just change the name of the file so it does not start with a "S" (capital S)
     
  3. Rower_CPU thread starter Moderator emeritus

    Rower_CPU

    Joined:
    Oct 5, 2001
    Location:
    San Diego, CA
    #3
    I run an OS X Server that uses SSH for file transfer and some occasional administration.

    I'll take look at those files and see what I can do. I've modified httpd.conf for Apache, so it shouldn't be too difficult.

    My reaction was more leaning toward the typical user's feelings. I know most Mac users enjoy laughing at PC users and their constant need to update their Swiss cheese OS. I know OS X comes with its share of "quirks" that come with its Unix background. I just hope Apple doesn't let this be an achilles heel.
     
  4. Rower_CPU thread starter Moderator emeritus

    Rower_CPU

    Joined:
    Oct 5, 2001
    Location:
    San Diego, CA
    #4
    Sorry to double post...

    evildead-
    Have you found out what lines need to be commented out/ changed?
    I looked at the sshd_config file and saw this line:
    PermitRootLogin yes
    Is that the one I should change, or is it something else?
    Thanks, I really appreciate it!
     
  5. evildead macrumors 65816

    evildead

    Joined:
    Jun 18, 2001
    Location:
    WestCost, USA
    #5
    yes

    that would be a good line to edit.

    change that to:

    PermitRootLogin no

    That will make it some root cannot log in with ssh. if you dont need to log in with as root with ssh... then dont leave it open.

    once you edit that file you will need to re-boot for ssh to read that config file and take effect.

    I cant seem to fined the startup scipts in OS X. Im used to Solaris and OS X is based on BSD... they do things a little diffrent in that blend of unix.
     

Share This Page