-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

GSI-OpenSSH Security Advisory: implicitlogin.adv

Original issue date: July 13, 2004
Last revised: July 13, 2004

The latest revision of the advisory can be found at .

Software Affected:

  GSI-enabled OpenSSH version 3.3 and earlier, as well as NCSA GSI
  OpenSSH patch versions openssh-3.8.1p1-20040629 and earlier, contain
  a server authentication logic error. A server exploit has been
  demonstrated for GSI-enabled OpenSSH version 3.0 and the
  corresponding openssh-3.7.1p2-20040119 patch. While an exploit has
  not been demonstrated for other versions, we strongly recommend
  upgrading any running servers containing the logic error.

  The vulnerability is in NCSA's modification to OpenSSH for support
  of GSI authentication and is not contained in the standard OpenSSH
  distribution.

Impact:

  A remote attacker, with valid GSI credentials issued by a trusted
  Certificate Authority, mapped via the local grid-mapfile to an
  account with SSH logins disabled, can login to any system account.

  Exploits of this vulnerability will log the following messages to
  syslog(3):

    User not allowed because GSI user is authorized as target user
    Accepted gssapi for from port ssh

Solution:

  Upgrade running servers to GSI-OpenSSH version 3.4, following the
  instructions at , or upgrade to the latest NCSA GSI OpenSSH patch at
  following the instructions at .

  If it is not feasible to upgrade immediately, we recommend taking
  one or more of the following actions to limit vulnerability:

  1. Ensure that SSH logins are not disabled for any accounts in your
     grid-mapfile. The exploit requires SSH logins to be disabled for
     the user's account on the remote system, via PAM, local account
     expiration / lock (for example, due to multiple failed logins),
     invalid login shell, or OpenSSH DenyUsers setting. If no
     mechanisms are in place to disable SSH logins, then (to the best
     of our knowledge) the vulnerability can not be exploited.
     Likewise, removing disabled logins from the grid-mapfile
     eliminates the ability to exploit the vulnerability.

  2. Temporarily disable GSI authentication by setting
     'GSSAPIAuthentication no' in $GLOBUS_LOCATION/etc/ssh/sshd_config.

  3. Temporarily discontinue use of GSI-enabled OpenSSH.

  4. Monitor syslog(3) for exploits with the above signature.

Acknowledgements:

  This vulnerability was originally discovered and reported by Matt
  Ford to the Virtual Data Toolkit support team, who provided
  additional assistance in investigating the vulnerability.

References:

  GSI-enabled OpenSSH: http://grid.ncsa.uiuc.edu/ssh/
  Grid Security Infrastructure (GSI): http://www.globus.org/security/
  OpenSSH: http://www.openssh.org/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)

iD8DBQFA9J6LNe2bgrslpukRAoD5AKCH/6VTuTY1Coyn1XKhWWSl+1BInACfWgWX
CEaFMQ5cHTHio9wYxCv2YTg=
=Smg9
-----END PGP SIGNATURE-----
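
Added example, not part of the signed advisory or of NCSA's code: a Python check for mitigation 4 that scans syslog lines for the signature quoted under Impact and alerts when the same sshd process logs the denial and then accepts gssapi. The syslog framing, the loose matching of the fields the advisory text leaves blank, and every value in the sample log are assumptions.

```python
import re
from collections import defaultdict

# Fixed message text quoted in the advisory. The variable fields (user names,
# certificate subject, host, port) are elided on the page, so they are matched
# loosely, and the two halves of the first message may share a line or not.
DENIED = re.compile(r"\bUser\b.*\bnot allowed because\b")
GSI_MAP = re.compile(r"\bGSI user\b.*\bis authorized as target user\b")
ACCEPTED = re.compile(r"\bAccepted gssapi for\b.*\bfrom\b.*\bport\b.*\bssh")
# Assumption: classic syslog framing "Mon DD HH:MM:SS host sshd[pid]: message".
FRAME = re.compile(r"^\w{3}\s+\d+\s[\d:]{8}\s(?P<host>\S+)\ssshd\[(?P<pid>\d+)\]:\s(?P<msg>.*)$")

def find_signature(lines):
    """Return (host, pid, accepted_message) for each sshd process that logged
    both halves of the denial message and then accepted gssapi anyway."""
    seen = defaultdict(set)          # (host, pid) -> markers logged so far
    hits = []
    for line in lines:
        m = FRAME.match(line.rstrip("\n"))
        if not m:
            continue                 # not an sshd line in the assumed framing
        key, msg = (m["host"], m["pid"]), m["msg"]
        if DENIED.search(msg):
            seen[key].add("denied")
        if GSI_MAP.search(msg):
            seen[key].add("gsi")
        if ACCEPTED.search(msg) and seen[key] >= {"denied", "gsi"}:
            hits.append((key[0], key[1], msg))
            del seen[key]            # one alert per connection
    return hits

# Constructed sample log; every name, DN, address and PID is made up.
SAMPLE = [
    "Jul 13 10:15:02 gridnode sshd[4121]: User acct1 not allowed because account is locked GSI user /O=Example/CN=Constructed User is authorized as target user acct2",
    "Jul 13 10:15:02 gridnode sshd[4121]: Accepted gssapi for acct2 from 192.0.2.10 port 40022 ssh2",
    "Jul 13 10:20:41 gridnode sshd[4130]: User acct1 not allowed because account is locked",
    "Jul 13 10:20:41 gridnode sshd[4130]: GSI user /O=Example/CN=Constructed User is authorized as target user acct2",
    "Jul 13 10:20:41 gridnode sshd[4130]: Accepted gssapi for acct2 from 192.0.2.10 port 40031 ssh2",
    "Jul 13 10:25:07 gridnode sshd[4140]: Accepted gssapi for acct3 from 192.0.2.11 port 40100 ssh2",
    "Jul 13 10:30:55 gridnode sshd[4150]: User acct1 not allowed because account is locked",
]

if __name__ == "__main__":
    for host, pid, msg in find_signature(SAMPLE):
        print(f"ALERT {host} sshd[{pid}]: {msg}")
```

Correlating on the sshd PID keeps an ordinary accepted gssapi login, or a denial that is never followed by an accept, from raising an alert.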