Posted by Benjamin Close on April 14, 2010 under FreeBSD
Recently a port audit security advisory was released that indicated an exploit with sudoedit in the security/sudo FreeBSD port. At the time I was running sudo 1.6.9 and, being a responsible system administrator, I decided to upgrade sudo to the latest revision of the port (1.7.2p2 at the time). The upgrade went very smoothly, with portupgrade doing its job quickly and reliably. It wasn’t until I tried to use sudo for the first time after the upgrade that the problems started.
Initially I tried to get a root shell using:
sudo -s
Sadly, after repeated password prompts I had no luck. Initially I thought I was just getting my password wrong – something I occasionally do with the number of passwords I have to remember. However, after repeated attempts I came to the conclusion that something else was wrong.
I looked at the logs to see if they would show anything useful:
Apr 14 11:49:28 leo sudo: benjsc : 1 incorrect password attempt ; TTY=pts/3 ; PWD=/owners/benjsc/home ; USER=root ; COMMAND=/bin/tcsh
Apr 14 11:51:09 leo sudo: benjsc : 1 incorrect password attempt ; TTY=pts/4 ; PWD=/owners/benjsc/home ; USER=root ; COMMAND=/bin/tcsh
Apr 14 11:58:03 leo sudo: benjsc : 1 incorrect password attempt ; TTY=pts/4 ; PWD=/owners/benjsc/home ; USER=root ; COMMAND=/bin/tcsh
Apr 14 11:58:16 leo sudo: benjsc : 1 incorrect password attempt ; TTY=pts/4 ; PWD=/owners/benjsc/home ; USER=root ; COMMAND=/bin/tcsh
Once again nothing obvious showed up. At this point I started Googling to try and find the answer. There were a lot of articles about people trying the root password rather than the user password, but I wasn’t doing that. There were articles about people stuffing up the syntax of the sudoers file (you should use visudo to edit this). However, nothing had changed but the version of sudo. Eventually I found a post that solved the issue.
It turns out that the latest versions of sudo break PAM support. Whilst the article refers to OPIE (One Time Keys), I’ve since confirmed that this issue also affects machines without OPIE set up. Hence, anyone who upgrades sudo to a later version and finds their password no longer accepted, with the password prompt just continuing to reappear, will need to patch sudo to make it work.
How? Copy and paste the following on the console:
cd /usr/ports/security/sudo
make extract
cd work/sudo*
patch << END
--- auth/pam.c.orig 2010-02-04 10:43:28.635212518 -0600
+++ auth/pam.c 2010-02-04 10:43:34.194558424 -0600
@@ -107,13 +107,6 @@
}
/*
- * Set PAM_RUSER to the invoking user (the "from" user).
- * We set PAM_RHOST to avoid a bug in Solaris 7 and below.
- */
- (void) pam_set_item(pamh, PAM_RUSER, user_name);
- (void) pam_set_item(pamh, PAM_RHOST, user_host);
-
- /*
* Some versions of pam_lastlog have a bug that
* will cause a crash if PAM_TTY is not set so if
* there is no tty, set PAM_TTY to the empty string.
END
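Review bot: the hunk header `@@ -107,13 +107,6 @@` promises 13 old and 6 new lines, but only 12 and 5 are present (two leading context lines, seven `-` lines, three trailing context lines), so a blank context line has been lost in pasting and `patch` will reject the hunk as malformed; the context lines have also lost their leading diff space and the C indentation, so even a complete copy may need `patch -l` to apply. Re-copy the hunk from the original post rather than from this page before feeding it to the heredoc. On the substance, the seven removed lines drop the `pam_set_item(pamh, PAM_RUSER, ...)` and `pam_set_item(pamh, PAM_RHOST, ...)` calls entirely, so any PAM module that logs or filters on the invoking user or host no longer sees those items; this is a workaround for the failing authentication, not a fix of whatever in the PAM stack rejects them, and the `/*` kept at the top of the hunk now opens the `Some versions of pam_lastlog` comment, which is valid C but reads oddly.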
cd ../..
make build
make deinstall
make install
Posted by Benjamin Close on November 8, 2008 under Other
Using external SSH access with normal password authentication is dangerous. It is susceptible to the following problems:
- People can use weak passwords which are easy to hack
- A remote machine may have a key logger on it
- Someone may be performing a man-in-the-middle type attack
Hence, if you wish to access a shell account or scp files remotely, you should consider either setting up public/private keys or setting up One Time Keys.
Setting Up One Time Keys
Log in to the box (AS SECURELY AS POSSIBLE)
Logging in securely is important as you’ll be asked for a pass phrase. If this is compromised you’re in trouble.
Enable OTP
Run:
opiepasswd -c
This will enable one time keys, asking you for the pass phrase as a seed for the cipher.
Once it has run, one time keys are enabled.
The output of the command (something like):
ID closebs OTP key is 499 wc8001
THY HOOK TRY FREY DED DEDE
tells you a lot.
- The 499 is the number of the current One Time Password.
- The wc8001 is the seed (key) that goes with your pass phrase if you want to generate login password 499.
- The THY HOOK… is the password for key 499
Finding out the next N passwords
To discover the next N One Time Passwords for printing use:
opiekey -n NUM SEQ KEY
where:
- NUM is the number of passwords to generate
- SEQ is the sequence number of the password to start with
- KEY is the key given for the cipher
e.g.:
opiekey -n 10 499 wc8001
This will display 10 keys, starting with key 499 and using the seed wc8001. This can be useful as you can then print out the keys and put them in your wallet/purse. WHAT, I hear you say?
The reality is that most passwords are broken by remote hackers. Whilst printing a list of one time passwords may seem insecure, the likelihood of someone going through your purse/wallet to find the printed-out keys is very low. If you are concerned about it, simply put a simple transposition in each key that only you will know about.
Disabling OTP access
Help, my keys have been compromised!
Get someone to run:
opiepasswd -d
in your account.
Changing your OTP Pass Phrase
Simply run:
opiepasswd
This will ask you for the next OTP in order to allow you to change your key (in case you are remote). Once changed, all your existing keys become invalid.
Using One Time Passwords
Any time you try to ssh to the WCL, you will be presented with:
otp-md5 497 psfasdf ext
Password:
This indicates you are required to provide password 497. The seed is given so you can generate the required password using it and your pass phrase if required.
Depending on the server setup, you can also enter your regular password at this point.
There is no way of telling whether the server will accept your regular password unless you know its configuration.
You’re away, don’t have any passwords or pub/private keys, but have access to a secure machine
As long as you can guarantee the machine you are on is secure, chances are you can generate the next password in the sequence yourself in order to access the remote box.
On the box you’re on, run:
opiekey SEQUENCENUM SEED
You can get SEQUENCENUM and SEED just by sshing to the box and not logging in. You’ll need your pass phrase though.
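As an added example (not part of the original post and not OPIE's own code), the otp-md5 chain from RFC 2289 that sits behind the opiekey listing, the "otp-md5 497 psfasdf ext" prompt and the opiekey SEQUENCENUM SEED step above, with both the client response and the server-side check that makes a reused password fail. The seed wc8001 is the one from the post; the pass phrase used in testing is constructed; passwords are shown in hex (the opiekey -x form) because the six-word form needs the RFC's 2048-word dictionary.

```python
import hashlib
import re

# Added illustration of the RFC 2289 otp-md5 chain behind opiekey/opiepasswd;
# not OPIE's own code. Hex output only (what `opiekey -x` prints).

def fold_md5(data: bytes) -> bytes:
    """MD5 the input and fold the 16-byte digest to 8 bytes by XORing the halves."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))

def otp_md5(passphrase: str, seed: str, count: int) -> bytes:
    """Password number `count`: fold(md5(seed || passphrase)), then fold(md5(.))
    applied `count` more times. The seed is case-insensitive (lowercased)."""
    value = fold_md5((seed.lower() + passphrase).encode())
    for _ in range(count):
        value = fold_md5(value)
    return value

def opiekey_list(passphrase: str, seed: str, seq: int, num: int) -> list:
    """What `opiekey -n NUM SEQ SEED` prints: NUM passwords ending at SEQ, ascending."""
    return [(n, otp_md5(passphrase, seed, n).hex().upper())
            for n in range(seq - num + 1, seq + 1)]

def answer_challenge(challenge: str, passphrase: str) -> str:
    """Client side: parse a prompt such as 'otp-md5 497 psfasdf ext' and respond."""
    m = re.match(r"^otp-md5\s+(\d+)\s+(\S+)", challenge)
    if not m:
        raise ValueError("not an otp-md5 challenge")
    return otp_md5(passphrase, m.group(2), int(m.group(1))).hex().upper()

class OtpServer:
    """Server side: stores only the last accepted password (number 499 right after
    opiepasswd -c), checks the next one by hashing it once more, then steps down."""
    def __init__(self, seed: str, enrolled_seq: int, enrolled_otp: bytes):
        self.seed, self.seq, self.stored = seed, enrolled_seq - 1, enrolled_otp

    def challenge(self) -> str:
        return f"otp-md5 {self.seq} {self.seed} ext"

    def verify(self, response_hex: str) -> bool:
        try:
            candidate = bytes.fromhex(response_hex)
        except ValueError:
            return False
        # A replayed or stale password fails: hashing it does not yield the stored one.
        if len(candidate) != 8 or fold_md5(candidate) != self.stored:
            return False
        self.stored, self.seq = candidate, self.seq - 1
        return True
```

Because the server keeps only the already-used password, a copy of its database lets an attacker verify responses but not produce the next one, which is what makes the printed list and the one-time property safe to rely on.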