- Re: ssh leaking information
05-08-2009 02:20 AM
Does anybody know how to stop the system printing "Your password was changed by root"?
If somebody is trying to hack their way into a server, say via ssh, by trying to find valid account names the above message gives the hacker the information he would be looking for - the account must exist.
05-08-2009 03:44 AM
Re: ssh leaking information
This is, I think, not particularly a function of ssh, but a function of the Pluggable Authentication Modules used by ssh, telnet, login etc...
I don't know ssh well enough to know whether there is a way of turning this off - I do however have a little "hack" that at least makes the information "less obvious", by changing the message catalogue used by the PAM modules...
cd /usr/lib/nls/msg/C/
cp -p /usr/lib/nls/msg/C/pam_comsec.cat /usr/lib/nls/msg/C/pam_comsec.cat.old
dumpmsg /usr/lib/nls/msg/C/pam_comsec.cat > pam_comsec.msg
**edit pam_comsec.msg and replace "Your password was changed by %s" with just some white space - I found that just removing the whole line doesn't work **
gencat /usr/lib/nls/msg/C/pam_comsec.cat.new pam_comsec.msg
cp pam_comsec.cat.new pam_comsec.cat
This at least obfuscates a little in that instead of:
----------
ssh user@myhost
Your password has been changed by root
Password:
----------
I now get:
----------
ssh user@myhost

Password:
----------
Although it's not perfect cos during a normal login you would get
----------
ssh user@myhost
Password:
----------
Which is subtly different for a hacker (but maybe not for an auditor!) I only played with it quickly, so there may be some way of inserting an escape sequence in the pam_comsec.msg file prior to generating the new pam_comsec.cat file with gencat.
That worked OK for me - but then I haven't done more than 5 minutes testing and it *is* a hack...
HTH
Duncan
I am an HPE Employee
05-08-2009 04:09 AM
Re: ssh leaking information
It does work but that newline is still a bit of a giveaway (or at least will be in the auditor's eyes - they don't let much go :-) ). I have been unable so far to stop it from printing the newline......
05-08-2009 06:33 AM
Solution
Can you tell us a little more about your configuration? Are you running a trusted system? On my 11.11 workstation which is trusted I can reproduce your problem, but on my untrusted 11.31 systems I can't...
Assuming this is a trusted system, the other way to get around this is to remove the u_pwchanger=root entry from the tcb file for the user, so you never get the message. I guess this could be scripted reasonably easily... e.g. if I've changed the password for user oracle then I'd need to remove the u_pwchanger=root entry from the file /tcb/files/auth/o/oracle
This could be a manual process on password resets or I guess it could be scripted something like this:
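#!/sbin/sh
# mypwreset.sh - reset a password, then drop u_pwchanger=root from the tcb entry
# $1 = user to reset
user=$1
[ -n "${user}" ] || { echo "usage: $0 user" >&2; exit 1; }
tcbfile=/tcb/files/auth/$(echo "${user}" | cut -c 1)/${user}
tmpfile=/tmp/${user}.$$
# the tcb entry holds the password hash, so keep the temporary copy private
umask 077
passwd "${user}" || exit 1
# only overwrite the tcb entry if sed succeeded; cp keeps the entry's owner and mode
sed 's/:u_pwchanger=root//g' "${tcbfile}" > "${tmpfile}" && cp "${tmpfile}" "${tcbfile}"
rm -f "${tmpfile}"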
so that's quick and dirty and there's much more to think about - but I'm sure you get the gist...
HTH
Duncan
I am an HPE Employee
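An added example, not part of the post above or of any HP tool: an audit that lists which trusted-mode accounts still carry a u_pwchanger field, so you can see where the "changed by" notice can still appear before and after a cleanup. It assumes entries live at /tcb/files/auth/<first letter>/<user> and hold the field as ":u_pwchanger=<name>:", as in the post; the function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Read-only: it never modifies an entry.

# Print "<user> <changer>" for every entry under $1 that has a u_pwchanger field.
list_pwchanger() {
    root=${1:-/tcb/files/auth}
    for f in "$root"/?/*; do
        [ -f "$f" ] || continue
        user=${f##*/}
        # Entries may be wrapped over several lines with "\" continuations,
        # so split on ":" and examine one field per line.
        changer=$(tr ':' '\n' < "$f" |
                  sed -n 's/^[[:space:]]*u_pwchanger=//p' | head -n 1)
        [ -n "$changer" ] && printf '%s %s\n' "$user" "$changer"
    done
    return 0
}

# Build a constructed two-account tree for a dry run (all values are made up).
make_sample_tcb() {
    mkdir -p "$1/o" "$1/r"
    printf 'oracle:u_name=oracle:u_id#102:\\\n\t:u_pwd=XXXX:u_pwchanger=root:\\\n\t:u_lock@:chkent:\n' \
        > "$1/o/oracle"
    printf 'rjones:u_name=rjones:u_id#103:\\\n\t:u_pwd=YYYY:u_lock@:chkent:\n' \
        > "$1/r/rjones"
}

if [ -d /tcb/files/auth ]; then
    # On a trusted system: audit the real database (run as root).
    list_pwchanger /tcb/files/auth
else
    # Elsewhere: dry run against the constructed sample tree.
    d=$(mktemp -d) && make_sample_tcb "$d" && list_pwchanger "$d"
    rm -rf "$d"
fi
```

An empty listing after password resets means no account is left that would print the notice.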
05-08-2009 06:43 AM
Re: ssh leaking information
All our systems are trusted (11.31).
Your second solution is probably best, we can just change our procedures for passwd resets (at least the procedure the auditor sees anyway!).
It would be easier if u_pwchanger was editable via modprpw, but I can understand why it's not.
thanks for your help!
Richard
05-08-2009 07:18 AM
Re: ssh leaking information
One final point - I assume you are aware of the "deprecated" nature of trusted mode on 11iv3 (i.e. supported, but won't be in the next release) - you should at least be thinking about adopting standard mode security extensions instead:
http://docs.hp.com/en/5992-3387/ch04s01.html
HTH
Duncan
I am an HPE Employee
05-11-2009 10:19 PM