#639330 openssh-server doesn't check if user's shell is listed in /etc/shells

Package:
openssh-server
Source:
openssh
Description:
secure shell (SSH) server, for secure access from remote machines
Submitter:
Lubomir Host
Date:
2011-08-26 00:48:05 UTC
Severity:
important
#639330#5
Date:
2011-08-26 00:39:03 UTC
openssh-server doesn't check if user's shell is listed in /etc/shells.
This is a potential security hole. If somebody removes the user's shell
from /etc/passwd, sshd permits login to the user with shell /bin/sh.

This is an insecure behaviour of openssh on Debian. Other systems may be
affected too.

# ssh -l rajo localhost
rajo@localhost's password:
Last login: Fri Aug 26 02:28:05 2011 from localhost
$ id
uid=1000(rajo) gid=1000(rajo) groups=1000(rajo)
$ getent passwd rajo
rajo:x:1000:1000:Lubomir Host,,,:/home/rajo:
$ ps
  PID TTY          TIME CMD
 5243 pts/8    00:00:00 sh
 5372 pts/8    00:00:00 ps
FIX: add the following line to /etc/pam.d/common-auth

# Check /etc/shells on login
account       required   pam_shells.so

Check the system:
# ssh -l rajo localhost -p 22
rajo@localhost's password:
Connection closed by 127.0.0.1

This is a correct (secure) behaviour.

Best regards,
Lubomir Host
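An added audit check, not part of the bug report: a small POSIX sh/awk function that lists accounts whose login shell field is empty (the condition shown above, where sshd falls back to /bin/sh) or not listed in /etc/shells, so an administrator can find such accounts independently of the PAM fix. The function name and the file-path parameters are my choosing.

```shell
#!/bin/sh
# Added example (not from the bug report): audit a passwd-format file against
# a shells-format file. Assumes POSIX sh and awk; paths are parameters so it
# can run on constructed files as well as /etc/passwd and /etc/shells.

# audit_shells PASSWD_FILE SHELLS_FILE
# Prints one line per suspicious account: "<user>:<shell or EMPTY>:<reason>"
audit_shells() {
    passwd_file=$1
    shells_file=$2
    awk -F: -v shells_file="$shells_file" '
        BEGIN {
            # Load the list of permitted shells; skip comments and blank lines.
            while ((getline line < shells_file) > 0) {
                if (line ~ /^#/ || line ~ /^[[:space:]]*$/) continue
                valid[line] = 1
            }
            close(shells_file)
        }
        # Skip comments and lines that do not have the seven passwd fields.
        /^#/ || NF < 7 { next }
        {
            user = $1; shell = $7
            if (shell == "")
                print user ":EMPTY:empty shell field, sshd falls back to /bin/sh"
            else if (!(shell in valid))
                print user ":" shell ":not listed in " shells_file
        }
    ' "$passwd_file"
}

# Stand-alone usage: audit_shells.sh /etc/passwd [/etc/shells]
if [ $# -ge 1 ]; then
    audit_shells "$1" "${2:-/etc/shells}"
fi
```

Accounts using a deliberately non-interactive shell such as /usr/sbin/nologin are reported too, since pam_shells would reject them as well; that is the intended behaviour of the check, not a false positive.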