[ale] OpenSSH root vulnerability

Glenn C. Lasher Jr. glasher at nycap.rr.com
Mon Mar 11 07:16:57 EST 2002



HELP!!!!

I did the upgrade to all of my servers, and now they won't let me log in!

I do have physical access to them to log in on consoles, and log in via
telnet from behind the firewall only, but I can't get any system to
recognize 100%
tried-no-less-than-twenty-times-to-do-this-and-then-did-it-in-one-shot-using-non-secure-methods
passwords and logins, and SSH insists that the passwords are invalid.
Please help!


On Sun, 10 Mar 2002, John Mills wrote:

> Mr. Pizza -
>
> On Fri, 8 Mar 2002, Stuffed Crust wrote:
>
> > On Fri, Mar 08, 2002 at 12:42:23PM -0500, John Mills wrote:
> [Tale of woe building openssh-3.1p1 from source tarball]
>
> > So, you need to upgrade to a newer versiopn of openssl.
> > I built openssl 0.9.6b and openssh 3.1; RH 6.2 RPMs are at:
>
> Thanks - I have generally had better luck building these from sources,
> rather than installing the RH rpms, and I had already downloaded
> 'opesnssl-0.9.6c'
>
> I did get a few more flesh-wounds in the process, which I'll list here in
> case it is helpful.
>
> I had no problem configuring, building, or installing openssl-0.9.6c,
> except the usual quibble that the package expects you to configure and
> build in the source tree. However, I couldn't get 'openssh-3.1p1' to
> configure succesfully after that. Instead, I flailed around reconfiguring
> until:
>
> 1) Configured openssl-0.9.6c with '--prefix=/usr/local' and
> '--openssldir=/usr/local/openssl' <-- This seemed unneeded, but without
> it, 'openssh-3.1p1/configure' couldn't "#include <openssl/rand.h>"
>
> 2) Linked the new 'libssl.*' and 'libcrypto*' into /usr/lib, where they
> replaced older links to 'openssl-0.9.5' libs.
>
> 3) Now I was able to configure openssh-3.1p1 with the corresponding
> '--with-ssl-dir=/usr/local/openssl' (as well as "--with-tcpwrappers
> --with-pam, --with-md5-passwords" _ENOUGH_ARREADY_!!) , and built without
> [further] incident.
>
> In order to run the new package, I had to remove the old ssh* utils, as
> the were in a different and earlier PATH branch than the new versions,
> then I removed their old support files from '/usr/local/ssl/etc', _reran_
> 'make install' &8-P), did 'make host-key', and it seemed I was good to go.
>
> Did a little patching on '/etc/rc.d/init.d/sshd', and restarted sshd.
>
> First login from another box asked me to OK a new key, which I took as
> confirming a successful installation.
>
> Maybe this would have been simpler, thanks:
>
> > ftp://ftp.shaftnet.org/pub/rpms/redhat-6.2/i386
>
> > openssh-3.1p1-1.i386.rpm
> > openssh-askpass-3.1p1-1.i386.rpm
> > openssh-askpass-gnome-3.1p1-1.i386.rpm
> > openssh-clients-3.1p1-1.i386.rpm
> > openssh-server-3.1p1-1.i386.rpm
> > openssl095a-0.9.5a-11.i386.rpm
> > openssl-0.9.6b-8.i386.rpm
> > openssl-devel-0.9.6b-8.i386.rpm
> > openssl-perl-0.9.6b-8.i386.rpm
>
>  - John Mills
>
>
> ---
> This message has been sent through the ALE general discussion list.
> See http://www.ale.org/mailing-lists.shtml for more info. Problems should be
> sent to listmaster at ale dot org.
>

glasher at nycap.rr.com
You've been programmed by the Illuminati not to see the word "".


---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
sent to listmaster at ale dot org.






More information about the Ale mailing list