
pam in RedHat 4.2



I've installed RedHat 4.2 to server as a router/firewall between an
Office LAN and our NetServers LAN outside.

I used two NICs and the ipfwadm tool.

Some time later I started getting these logs from the user.* facility in
syslog:

Jan 21 01:02:04 gw2 syslog: pam_unix authentication session started,
user nobody, service su
Jan 21 01:02:53 gw2 syslog: pam_unix authentication session finished,
user nobody, service su
Jan 21 11:50:51 gw2 syslog: pam_unix authentication session started,
user root, service su
Jan 21 11:56:25 gw2 syslog: pam_unix authentication session finished,
user root, service su

I panicked. I immediately added /bin/false shells to every account left
with no shell in /etc/passwd (nobody, news, etc...)

And after this the logs started to be like this:

Jan 26 01:03:01 jupiter syslog: pam_unix authentication session
started, user news, service su
Jan 26 01:03:01 jupiter syslog: pam_unix authentication session
finished, user news, service su
Jan 26 01:03:02 jupiter syslog: pam_unix authentication session
started, user nobody, service su
Jan 26 01:03:02 jupiter syslog: pam_unix authentication session
finished, user nobody, service su

The bastard still gets authenticated but doesn't log in because he
has no shell.

The curious thing is: The only daemons running on this machine are
sendmail, ssh and ftp!!

Anyway, I started fetching some documentation about this and found the
RedHat 4.2 Errata at
http://www.redhat.com/support/docs/rhl/rh42-errata-general.html.

quoting errata> Package: pam 
quoting errata> Updated: 01-Oct-1997 
quoting errata> 
quoting errata> Problem:
quoting errata> 
quoting errata> (08-Aug-1997) Security Fix: This release of pam fixes
quoting errata> a security hole related to the 'r' commands. This bug
quoting errata> is limited to users who have as the last entry of
quoting errata> their .rhosts a multi-homed machine; they could be
quoting errata> subject to having their account hacked from any
quoting errata> machine anywhere.
quoting errata> Users who are still using Red Hat 4.0 and 4.1 are
quoting errata> strongly encouraged to update to 4.2 and then install
quoting errata> this update. 
quoting errata> Solution:
quoting errata> 
quoting errata> Intel: Upgrade to pam-0.57-4.i386.rpm
quoting errata> 
quoting errata> Alpha: Upgrade to pam-0.57-4.alpha.rpm
quoting errata> 
quoting errata> SPARC: Upgrade to pam-0.57-4.sparc.rpm

I'm starting to make this recommended upgrade but before I do it, I
would like to test this bug a little further.

Can you give me an explanation on how she broke in?
Where can I find some documentation about this?

Thanks,

Jose Monteiro
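As an added example (not part of the post above), here is a small parser that pairs the pam_unix "session started" and "session finished" lines quoted in the message, computes each session's duration, and separates short sessions at a fixed overnight time (the signature of a scheduled job that uses su to drop privileges, which a defender would confirm against the host's crontabs) from longer or working-hours sessions that deserve a look. The sample lines are the post's own, rejoined onto single lines; the year 1998 is assumed because syslog timestamps carry none.

```python
import re
from datetime import datetime

# Constructed sample: the post's own pam_unix lines with the mail wrapping undone.
SAMPLE_LOG = """\
Jan 21 01:02:04 gw2 syslog: pam_unix authentication session started, user nobody, service su
Jan 21 01:02:53 gw2 syslog: pam_unix authentication session finished, user nobody, service su
Jan 21 11:50:51 gw2 syslog: pam_unix authentication session started, user root, service su
Jan 21 11:56:25 gw2 syslog: pam_unix authentication session finished, user root, service su
Jan 26 01:03:01 jupiter syslog: pam_unix authentication session started, user news, service su
Jan 26 01:03:01 jupiter syslog: pam_unix authentication session finished, user news, service su
Jan 26 01:03:02 jupiter syslog: pam_unix authentication session started, user nobody, service su
Jan 26 01:03:02 jupiter syslog: pam_unix authentication session finished, user nobody, service su
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) syslog: pam_unix authentication"
    r" session (?P<event>started|finished), user (?P<user>\S+), service (?P<svc>\S+)$")

def parse_sessions(text, year=1998):
    """Pair every 'started' record with the next 'finished' record for the same
    (host, user, service) and return one dict per completed session.  Syslog
    timestamps carry no year, so the caller supplies it (1998 is assumed here)."""
    open_sessions, sessions = {}, []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated syslog line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        key = (m['host'], m['user'], m['svc'])
        if m['event'] == 'started':
            open_sessions[key] = ts
        elif key in open_sessions:
            start = open_sessions.pop(key)
            sessions.append({'host': m['host'], 'user': m['user'], 'service': m['svc'],
                             'start': start, 'seconds': int((ts - start).total_seconds())})
    return sessions

def classify(session, night_hours=range(0, 6), max_job_seconds=120):
    """Short overnight sessions look like a scheduled job using su to drop
    privileges (confirm against cron); anything else is worth a human review."""
    if session['start'].hour in night_hours and session['seconds'] <= max_job_seconds:
        return 'job-like'
    return 'review'

if __name__ == '__main__':
    for s in parse_sessions(SAMPLE_LOG):
        print(f"{s['start']:%b %d %H:%M:%S} {s['host']:8} su->{s['user']:7} "
              f"{s['seconds']:4}s  {classify(s)}")
```

On the sample, the nobody and news sessions at 01:02 and 01:03 come out as job-like while the 334-second root session at 11:50 is flagged for review.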


