Family: Gain root remotely --> Category: infos
OpenSSH < 2.1.1 UseLogin feature Vulnerability Scan
Vulnerability Scan Summary
Checks for the remote OpenSSH version
Detailed Explanation for this Vulnerability Test
You are running a version of OpenSSH which is older than 2.1.1.
If the UseLogin option is enabled, then sshd does not switch to the
uid of the user logging in. Instead, sshd relies on login(1) to do
the job. However, if the user specifies a command for remote
execution, login(1) cannot be used and sshd fails to set the correct
user id, so the command is run with the same privilege as sshd
(usually root rights).
*** Note that Nessus did not ascertain whether the UseLogin
*** option was activated or not, so this message may
*** be a false alarm
Solution : Upgrade to OpenSSH 2.1.1 or make sure
that the option UseLogin is set to no in sshd_config
Threat Level: High
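
Because the scan only looks at the version banner, the finding has to be confirmed against the server's sshd_config. The following shell sketch is an added example (not part of the original plugin or of OpenSSH); the function names are hypothetical, the sample banner and config are constructed, and it assumes that sshd_config keywords are case-insensitive, that the first value found wins, and that an unset UseLogin means "no".

```shell
# Added example: function names are hypothetical; sample inputs are constructed.

# Exit 0 if the SSH banner shows OpenSSH older than 2.1.1, 1 if 2.1.1 or
# newer, 2 if the banner is not a parseable OpenSSH identification string.
banner_is_affected() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^SSH-[0-9.]*-OpenSSH[_-]\([0-9][0-9.]*\).*/\1/p')
    [ -n "$ver" ] || return 2
    printf '%s\n' "$ver" |
        awk -F. '{ v = $1 * 10000 + $2 * 100 + $3; exit !(v < 20101) }'
}

# Print the effective UseLogin value ("yes"/"no") from an sshd_config file.
# Assumptions: keywords are case-insensitive, the first value found wins,
# and an unset option means "no". Commented-out lines are ignored.
uselogin_effective() {
    awk '
        /^[ \t]*(#|$)/ { next }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            n = split(line, f, /[ \t=]+/)
            if (n >= 2 && tolower(f[1]) == "uselogin") {
                print tolower(f[2]); found = 1; exit
            }
        }
        END { if (!found) print "no" }
    ' "$1"
}

# Combine both checks into one verdict for a host.
triage() {    # usage: triage BANNER SSHD_CONFIG_PATH
    rc=0; banner_is_affected "$1" || rc=$?
    case $rc in
        2) echo "unknown"; return 0 ;;
        1) echo "not-affected"; return 0 ;;
    esac
    if [ "$(uselogin_effective "$2")" = "yes" ]; then
        echo "vulnerable"        # old version and UseLogin enabled
    else
        echo "version-only"      # old version, option not enabled
    fi
}

# Constructed sample: a 2.1.0 banner and a config that enables UseLogin.
cfg=$(mktemp)
printf 'Port 22\nUseLogin yes\n' > "$cfg"
triage 'SSH-1.99-OpenSSH_2.1.0' "$cfg"
rm -f "$cfg"
```

A "version-only" verdict corresponds to the false-alarm case the note above describes: the banner is older than 2.1.1 but UseLogin is not enabled.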