From owner-doc-jp@jp.freebsd.org  Mon Jun 19 14:11:57 2000
Received: (from daemon@localhost)
	by castle.jp.freebsd.org (8.9.3+3.2W/8.7.3) id OAA66229;
	Mon, 19 Jun 2000 14:11:57 +0900 (JST)
	(envelope-from owner-doc-jp@jp.FreeBSD.org)
Received: from TYO9.gate.nec.co.jp (TYO9-2.gate.nec.co.jp [202.247.6.44])
	by castle.jp.freebsd.org (8.9.3+3.2W/8.7.3) with ESMTP id OAA66223
	for <doc-jp@jp.freebsd.org>; Mon, 19 Jun 2000 14:11:56 +0900 (JST)
	(envelope-from y-koga@jp.FreeBSD.org)
Received: from mailsv.nec.co.jp (mailsv-le1 [192.168.1.90])
	by TYO9.gate.nec.co.jp (8.9.3/3.7W00052210) with ESMTP id OAA12150
	for <doc-jp@jp.freebsd.org>; Mon, 19 Jun 2000 14:11:56 +0900 (JST)
Received: from mmssv.mms.mt.nec.co.jp (mmssv.mms.mt.nec.co.jp [133.201.63.216]) by mailsv.nec.co.jp (8.9.3/3.7W-MAILSV-NEC) with ESMTP
	id OAA23378 for <doc-jp@jp.freebsd.org>; Mon, 19 Jun 2000 14:11:55 +0900 (JST)
Received: from koga.do.mms.mt.nec.co.jp (koga.do.mms.mt.nec.co.jp [10.16.5.16]) by mmssv.mms.mt.nec.co.jp (8.8.4+2.7Wbeta4/3.4W3MMS96052011) with ESMTP id OAA17662 for <doc-jp@jp.freebsd.org>; Mon, 19 Jun 2000 14:06:25 +0900 (JST)
Received: from localhost (localhost [127.0.0.1])
	by koga.do.mms.mt.nec.co.jp (8.10.2/3.7W-00052406) with ESMTP id e5J5Br045976;
	Mon, 19 Jun 2000 14:11:53 +0900 (JST)
Message-Id: <200006190511.e5J5Br045976@koga.do.mms.mt.nec.co.jp>
To: doc-jp@jp.freebsd.org
In-Reply-To: <200006181703.CAA19046@mail.geocities.co.jp>
References: <20000608001716.C549937BF12@hub.freebsd.org>
	<20000618132323.6053.qmail@smtp.246.ne.jp>
	<200006181703.CAA19046@mail.geocities.co.jp>
X-Mailer: Mew version 1.94.2 on Emacs 19.34 / Mule 2.3 (SUETSUMUHANA)
Mime-Version: 1.0
Content-Type: Multipart/Mixed;
 boundary="--Next_Part(Mon_Jun_19_14:08:44_2000_982)--"
Content-Transfer-Encoding: 7bit
Date: Mon, 19 Jun 2000 14:11:52 +0900 (JST)
From: Koga Youichirou <y-koga@jp.freebsd.org>
X-Dispatcher: imput version 20000228(IM140)
Lines: 234
Reply-To: doc-jp@jp.freebsd.org
Precedence: list
X-Distribute: distribute version 2.1 (Alpha) patchlevel 24e+000315
X-Sequence: doc-jp 7464
Subject: [doc-jp 7464] Re: ANNOUNCE: FreeBSD Security Advisory:
 FreeBSD-SA-00:21.ssh [REVISED]
Errors-To: owner-doc-jp@jp.freebsd.org
Sender: owner-doc-jp@jp.freebsd.org
X-Originator: y-koga@jp.freebsd.org

----Next_Part(Mon_Jun_19_14:08:44_2000_982)--
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Transfer-Encoding: 7bit

$B:4F#$5$s(B:
>  $B!A$J$$$G$"$m$&$3$H$K!A$"$?$j$,(B
>  $B$^$o$j$/$I$$46$8$,$7$?$N$G!"$A$g$C$H=q$-49$($F$_$^$7$?!#(B

$B$[$\$=$N$^$^:NMQ$7$^$7$?$G$9!#(B17:00 $B$4$m$KN.$7$^$9!#(B

--- FreeBSD-SA-00-21.ssh.BAK	Mon Jun 19 14:04:11 2000
+++ FreeBSD-SA-00-21.ssh	Mon Jun 19 14:07:32 2000
@@ -68,12 +68,12 @@
 port. The risk is that users may be able to access the SSH server from
 IP addresses which are prohibited to connect to the standard port.
 
-$B$3$NLdBj$O(B, SSH $B%=%U%H%&%'%"<+BN$K4XO"$9$k<eE@$G$O$J$$$3$H(B, $B$=$7$F(B
-$B%j%b!<%H%f!<%6$,(B SSH $B%5!<%P$K%"%/%;%9$9$k$K$O(B, $BLdBj$N%]!<%H$K$D$$$F$b(B
-$B@5Ev$J(B SSH $B$N>ZL@=q$r;}$C$F$$$kI,MW$,$"$k$?$a(B, $B%$%s%9%H!<%k$5$l$?%7%9(B
-$B%F%`$NBgB??t$K$D$$$F$O$=$l$[$I$N4m81$K$O$J$i$J$$$G$"$m$&$3$H$KCm0U$7$F(B
-$B$/$@$5$$(B. $BDL>o$N(B SSH $B$N%5!<%S%9%]!<%H$K$D$$$F$O%"%/%;%9$r5qH]$7$F$$$k(B 
-IP $B%"%I%l%9$+$i$N%"%/%;%9$,$G$-$F$7$^$&$3$H$,LdBj$J$N$G$9(B.
+$B$3$NLdBj$O(B SSH $B%=%U%H%&%'%"<+BN$K4XO"$9$k<eE@$G$O$"$j$^$;$s(B.  $B$^$?(B, 
+SSH $B%5!<%P$NHsI8=`$N%]!<%H$K%"%/%;%9$9$k>l9g$b(B, $B%j%b!<%H%f!<%6$OM-8z$J(B 
+SSH $B$N>ZL@=q$r;}$C$F$$$kI,MW$,$"$k$?$a(B, $B%$%s%9%H!<%k$5$l$?%7%9%F%`$NBg(B
+$BB??t$K$H$C$F$O4m81$J$b$N$G$O$J$$$G$7$g$&(B.  $BLdBj$O(B, SSH $B$NI8=`%]!<%H$X(B
+$B%"%/%;%9$,5v2D$5$l$F$$$J$$(B IP $B%"%I%l%9$+$i(BSSH $B%5!<%P$K%"%/%;%9$9$k$3$H(B
+$B$,$G$-$F$7$^$&2DG=@-$,$"$k(B, $B$H$$$&$3$H$G$9(B.
 
 The ssh port is not installed by default, nor is it "part of FreeBSD"
 as such: it is part of the FreeBSD ports collection, which contains
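Review bot: on the `+` line `$B%"%/%;%9$,5v2D$5$l$F$$$J$$(B IP $B%"%I%l%9$+$i(BSSH $B%5!<%P$K%"%/%;%9$9$k$3$H(B` the space between the Japanese run and `SSH` is missing, while every other place in this hunk separates ASCII tokens from the Japanese text with a space (for example `$B$3$NLdBj$O(B SSH` on the first `+` line); suggest `$B%"%I%l%9$+$i(B SSH`. The two `+` lines ending in `$B$^$?(B, ` and `$OM-8z$J(B ` also carry trailing whitespace, as did the removed line ending `5qH]$7$F$$$k(B `; worth stripping before the translation goes out.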


$B;D$j$O(B FreeBSD-SA-00:22 $B$H(B FreeBSD-SA-00:25 $B$+$J!#(B
----
$B$3$,$h$&$$$A$m$&(B

----Next_Part(Mon_Jun_19_14:08:44_2000_982)--
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="FreeBSD-SA-00-21.ssh"

 $B$3$N%a!<%k$O(B, announce-jp $B$KN.$l$?(B

  Subject: ANNOUNCE: FreeBSD Security Advisory: FreeBSD-SA-00:21.ssh [REVISED]
  From: FreeBSD Security Advisories <security-advisories@freebsd.org>
  Date: Wed,  7 Jun 2000 17:17:16 -0700 (PDT)
  Message-Id: <20000608001716.C549937BF12@hub.freebsd.org>
  X-Sequence: announce-jp 455

 $B$rF|K\8lLu$7$?$b$N$G$9(B. 

 $B86J8$O(B PGP $B=pL>$5$l$F$$$^$9$,(B, $B$3$NF|K\8lLu$O(B PGP $B=pL>$5$l$F$$$^$;$s(B. 
 $B%Q%C%AEy$NFbMF$,2~cb$5$l$F$$$J$$$3$H$r3NG'$9$k$?$a$K(B PGP $B$N%A%'%C%/$r(B
 $B9T$J$&$K$O(B, $B86J8$r;2>H$7$F$/$@$5$$(B. 

 $BF|K\8lLu$O(B FreeBSD $BF|K\8l%I%-%e%a%s%F!<%7%g%s%W%m%8%'%/%H(B(doc-jp)$B$,;29M$N(B
 $B$?$a$KDs6!$9$k$b$N$G(B, doc-jp $B$O(B $B$=$NFbMF$K$D$$$F$$$+$J$kJ]>Z$b$$$?$7$^$;$s(B.
 $BF|K\8lLu$K$D$$$F$N$*Ld$$9g$o$;$O(B doc-jp@jp.freebsd.org $B$^$G$*4j$$$7$^$9(B.

--($B$3$3$+$i(B)
=============================================================================
FreeBSD-SA-00:21                                           Security Advisory
                                                                FreeBSD, Inc.

$B%H%T%C%/(B:	ssh port listens on extra network port [REVISED]

$BJ,N`(B:		ports
$B%b%8%e!<%k(B:	ssh
$B9pCNF|(B:		2000-06-07
$B%/%l%8%C%H(B:	Jan Koum <jkb@best.com>
$B1F6AHO0O(B:	Ports collection
$B=$@5F|(B:		2000-04-21 
FreeBSD $B$K8GM-$+(B:	Yes

I.   $BGX7J(B - Background

SSH is an implementation of the Secure Shell protocol for providing
encrypted and authenticated communication between networked machines.

II.  $BLdBj$N>\:Y(B - Problem Description

A patch added to the FreeBSD SSH port on 2000-01-14 incorrectly
configured the SSH daemon to listen on an additional network port,
722, in addition to the usual port 22. This change was made as part of
a patch to allow the SSH server to listen on multiple ports, but the
option was incorrectly enabled by default.

This may cause a violation of security policy if the additional port
is not subjected to the same access-controls (e.g. firewalling) as
the standard SSH port.

Note this is not a vulnerability associated with the SSH software
itself, and it is not likely to be a risk for the majority of
installations, since a remote user must still have valid SSH
credentials in order to access the SSH server on the alternate
port. The risk is that users may be able to access the SSH server from
IP addresses which are prohibited to connect to the standard port.

The ssh port is not installed by default, nor is it "part of FreeBSD"
as such: it is part of the FreeBSD ports collection, which contains
over 3300 third-party applications in a ready-to-install format. The
ports collection shipped with FreeBSD 4.0 contains this problem since
it was discovered after the release.

FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security
audit of the most security-critical ports.

(Translator's note: the fact that an application is in the Ports
Collection does not mean that the FreeBSD developers have assessed it
as secure.)

FreeBSD 4.0 ships with OpenSSH, a free implementation of the SSH
protocol, included within the base system. OpenSSH does not suffer
from this misconfiguration.

III. $B1F6AHO0O(B - Impact

Remote users with valid SSH credentials may access the ssh server on a
non-standard port, potentially bypassing IP address access controls on
the standard SSH port.

If you have not chosen to install the ssh port/package, or installed
it prior to 2000-01-14 or after 2000-04-21, then your system is not
vulnerable to this problem.

IV.  $BBP1~:v(B - Workaround

One of the following:

1) Comment out the line "Port 722" in /usr/local/etc/sshd_config and
restart sshd

2) Add filtering rules to your perimeter firewall, or on the local
machine (using ipfw or ipf) to limit connections to port 722.

3) Deinstall the ssh port/package, if you have installed it.

V.   $B=$@5=hCV(B - Solution

One of the following:

1) Upgrade your entire ports collection and rebuild the ssh port.

2) Download a new port skeleton for the ssh port from:

http://www.freebsd.org/ports/

and use it to rebuild the port. Note that packages are not provided
for the ssh port.

3) Use the portcheckout utility to automate option (2) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.freebsd.org/pub/FreeBSD/ports/packages/devel/portcheckout-1.0.tgz

VI.   $B99?7MzNr(B - Revision History

v1.0  2000-06-07  Initial release
v1.1  2000-06-07  Corrected typo in name of sshd config file

----Next_Part(Mon_Jun_19_14:08:44_2000_982)----
