Bug 758

Summary: if authorized keys exchanged, regular user can gain
Product: Portable OpenSSH Reporter: Curtis Maurand <curtis>
Component: sshAssignee: OpenSSH Bugzilla mailing list <openssh-bugs>
Status: CLOSED INVALID    
Severity: security    
Priority: P2    
Version: 3.6.1p2   
Hardware: ix86   
OS: Linux   
URL: http://www.mainelinesys.com

Description Curtis Maurand 2003-11-13 15:29:58 AEDT 
If an authorized key (~/.ssh/authorized_keys2) for root on one machine has been exchanged to 
another machine and a normal user issues, from the first machine, ssh -l root machine2, The 
normal user on machine one will be logged in as root on machine2. 
 
Steps to recreate: 
On Machine #1: 
1. 	Make yourself root 
2.	ssh-keygen -b 2048 -t dsa 
3.	scp .ssh/id_dsa.pub root@machine2:/root (you must enter a password at this point) 
4.	exit the root shell to normal shell 
 
On Machine #2: 
1.	Make yourself root 
2.	cat id_dsa.pub >>.ssh/authorized_keys2 
3.	logout 
 
On Machine #1: 
(note, you should be a normal user now.) 
1.	ssh -l root machine2 
2.  	You are now logged into machine #2 as root without entering a password. 
 
Thought you should know this.  I tested between 2 RedHat 9.0 machines.
Comment 1 Darren Tucker 2003-11-13 15:45:04 AEDT 
Please attach (note: use "create attachment", don't paste into a comment) the 
output of "ssh -vvv -l root machine2" from your last step.

Also, is your ssh program setuid root?  Can you reproduce with the current 
version (3.7.1p2)?
Comment 2 Ben Lindstrom 2003-11-13 17:40:27 AEDT 
I can't reproduce this on any platform I own.

$ echo ~/
/home/mouring/
$ id
uid=1001(mouring) gid=1001(mouring) groups=1001(mouring), 0(wheel), 1000(cvs)
$ su
Password:
# ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/root/.ssh/id_dsa):

Check your ~user/.ssh/ vs check your ~root/.ssh/

ssh being setuid or not will not make a bit of difference because such a case is
already handled by ssh.c:main().

- Ben
Comment 3 Jason McCormick 2003-11-13 17:59:01 AEDT 
I can't reproduce this on Linux (Redhat 9, Fedora Core1 and Gentoo) at all:

jason@sith jason $ pwd
/home/jason
jason@sith jason $ id
uid=500(jason) gid=100(users) groups=100(users),10(wheel)
jason@sith jason $ su -
Password:
sith root # cd .ssh/
sith .ssh # ls
known_hosts
sith .ssh # ssh-keygen -b 2048 -t dsa
sith .ssh # ls
id_dsa  id_dsa.pub  known_hosts
sith .ssh # scp id_dsa.pub root@banshee:/root
root@banshee's password:
id_dsa.pub                                    100% 1111     0.0KB/s   00:00
sith .ssh # exit



[root@banshee root]# ls
anaconda-ks.cfg  id_dsa.pub  install.log  install.log.syslog  mail  sslcert
[root@banshee root]# cat id_dsa.pub >> .ssh/authorized_keys2
[root@banshee root]#


jason@sith jason $ ssh root@banshee
root@banshee's password:
Last login: Thu Nov 13 19:45:03 2003 from sith.devrandom.org
[root@banshee root]#


Are you sure you're not somehow still logged in as root or have root's key
somehow stored in your SSH Agent?
Comment 4 Darren Tucker 2003-12-23 00:24:09 AEDT 
No followup = closed bug.
Comment 5 Damien Miller 2004-04-14 12:24:20 AEST 
Mass change of RESOLVED bugs to CLOSED