Note: This is an archival copy of Security Sun Alert 200790 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000605.1.
Article ID : 1000605.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2004-04-01
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

The Sun Secure Shell Daemon (sshd(1M)) May Fail to Log SSH Client IP Addresses



Category
Security

Release Phase
Resolved

Product
Solaris 9 Operating System

Bug Id
4725702

Date of Resolved Release
07-APR-2004

Impact

The Sun Secure Shell Daemon (sshd(1M)) may fail to log the IP address of client systems which connect to the sshd(1M) daemon with the ssh(1) client utility. The IP address logged will contain all zeros rather than the correct IP address.


Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • Solaris 9 without patch 113273-05

x86 Platform

  • Solaris 9 without patch 114858-04

Note: Solaris 7 and 8 do not ship the Sun Secure Shell Daemon (sshd(1M)) and are therefore not impacted by this issue.

A system is only affected by this issue if the sshd configuration file (sshd_config(4)) has the "ListenAddress" keyword set to "0.0.0.0", which means that sshd listens only on interfaces configured for IPv4 (see inet(3SOCKET)). For example:

    $ grep ListenAddress /etc/ssh/sshd_config
    ListenAddress 0.0.0.0

To determine which interfaces on a system are configured to use IPv4 the following command can be run:

    $ ifconfig -a4
    lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1
            inet 127.0.0.1 netmask ff000000
    eri0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1400 index 2
            inet 123.234.56.78 netmask ffffff00 broadcast 123.234.254.255

Symptoms

The Sun Secure Shell Daemon (sshd(1M)) by default writes to the system log (syslog(3C)) with a default severity level of "info" and a facility of "auth". If system messages of type "auth.info" or "*.info" are configured to be logged in the syslog.conf(4) file, the messages from sshd with an IP address of all zeros will look similar to:

    $ grep sshd $(awk '/(auth.info|\*.info)/ {print $NF}' /etc/syslog.conf)
    Apr  2 16:38:16 sunhost sshd[124383]: [ID 800047 auth.info] Accepted password for username from 0.0.0.0 port 53979 ssh2

Workaround

For sites which are utilizing both IPv4 and IPv6 (see inet(3SOCKET)) network interfaces, to prevent this issue from occurring the sshd_config(4) file can be edited to listen on both IPv4 and IPv6 configured interfaces by setting the "ListenAddress" keyword to contain two colons (::). For example:

    $ grep ^ListenAddress /etc/ssh/sshd_config
    ListenAddress ::

If the sshd_config(4) file is modified, the sshd daemon needs to be sent a SIGHUP signal to re-read the file. For example, as the root user:

    # pkill -HUP sshd

Resolution

This issue is addressed in the following releases:

SPARC Platform

  • Solaris 9 with patch 113273-05 or later

x86 Platform

  • Solaris 9 with patch 114858-04 or later
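
The checks from the Contributing Factors, Symptoms and Resolution sections, combined into one script as an added example (not part of the original Sun Alert). The function names are hypothetical and the sample config and log lines are constructed; each function reads its input on stdin.

```shell
#!/bin/sh
# Added example, not Sun's code. Function names are hypothetical.
# On Solaris 9 run with AWK=nawk (assumption: /usr/bin/awk is the older awk).
AWK=${AWK:-awk}

# stdin: sshd_config. Succeeds if an active ListenAddress is 0.0.0.0
# (a trailing :port is tolerated; keywords are case-insensitive).
listen_ipv4_wildcard() {
    $AWK '/^[ \t]*#/ { next }
          tolower($1) == "listenaddress" && $2 ~ /^0\.0\.0\.0(:[0-9]+)?$/ { hit = 1 }
          END { exit !hit }'
}

# stdin: syslog file. Prints "Mon DD HH:MM:SS user" for each sshd
# "Accepted" entry whose client address was logged as 0.0.0.0.
zeroed_logins() {
    $AWK '$5 ~ /^sshd\[[0-9]+\]:$/ {
              for (a = 6; a + 5 <= NF; a++)
                  if ($a == "Accepted" && $(a+2) == "for" &&
                      $(a+4) == "from" && $(a+5) == "0.0.0.0")
                      print $1, $2, $3, $(a+3)
          }'
}

# stdin: `showrev -p` output. Succeeds if patch $1 is installed at
# revision $2 or later (113273 05 on SPARC, 114858 04 on x86).
patch_at_least() {
    $AWK -v id="$1" -v min="$2" '
        $1 == "Patch:" { split($2, p, "-"); if (p[1] == id && p[2] + 0 >= min + 0) ok = 1 }
        END { exit !ok }'
}

# Constructed sample inputs (not taken from a real host).
sample_config() { printf '%s\n' '# sshd_config' 'Port 22' 'ListenAddress 0.0.0.0'; }
sample_log() {
    cat <<'EOF'
Apr  2 16:38:16 sunhost sshd[124383]: [ID 800047 auth.info] Accepted password for username from 0.0.0.0 port 53979 ssh2
Apr  2 16:41:02 sunhost sshd[124390]: [ID 800047 auth.info] Accepted password for alice from 192.0.2.10 port 40112 ssh2
EOF
}

if sample_config | listen_ipv4_wildcard; then
    echo "ListenAddress 0.0.0.0 is set; logins with no usable source address:"
    sample_log | zeroed_logins
fi
```

On a live host the same functions take the real inputs, for example listen_ipv4_wildcard < /etc/ssh/sshd_config and showrev -p | patch_at_least 113273 05. Entries reported by zeroed_logins cannot be attributed to a client address from the sshd log alone.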


Modification History

References

113273-05
114858-04



