ClearOS Bug Tracker


ID: 0005491
Project: ClearOS
Category: app-ssh-server - SSH Server
View Status: public
Date Submitted: 2015-10-07 12:08
Last Update: 2016-12-22 09:30
Reporter: bchambers
Assigned To: pbaldwin
Priority: normal
Severity: minor
Reproducibility: sometimes
Status: closed
Resolution: fixed
Platform:
OS:
OS Version:
Product Version: 7.1.0 RC1
Target Version: 7.3.0 Beta 1
Fixed in Version: 7.3.0 Beta 1
Summary: 0005491: Users with weak passwords and no shell can become mail relays

Description: Customer was using Active Directory connector. A user in the AD had a weak username/password combo...very weak. Not limited to AD connector...LDAP user with weak user/pass would also be susceptible.

Looks like this hack was used that we've seen once or twice before to become a spam relay:

https://www.rackaid.com/blog/spam-ssh-tunnel/

As per doc, we should really ship SSH with default:

AllowTCPForwarding no

And expose this variable in Webconfig.

Additional Information: Why am I having Deja vu? No tracker was ever submitted?

Tags: No tags attached.

Notes
There are no notes attached to this issue.
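
A static check for the setting the report asks for, as an added example that is not part of the original tracker entry or of ClearOS code. It assumes OpenSSH's documented sshd_config rules (an absent keyword means `yes`, the first value in the global section wins, `Match` blocks can override it); the sample files and the group name `tunnel_admins` are constructed.

```python
# Constructed sample files for illustration; not taken from ClearOS.
DEFAULT_STYLE = """\
# AllowTcpForwarding is absent, so the OpenSSH default (yes) applies
PermitRootLogin no
"""
HARDENED = """\
allowtcpforwarding no
AllowTcpForwarding yes
Match Group tunnel_admins
    AllowTcpForwarding local
Match User backup
    X11Forwarding no
"""

def forwarding_policy(text):
    """Return (global_value, [(match_criteria, value), ...]) for AllowTcpForwarding."""
    global_value = None
    overrides = []
    criteria = None  # None while still in the global section
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) < 2:
            continue
        keyword, value = parts[0].lower(), parts[1].strip()  # keywords are case-insensitive
        if keyword == "match":
            criteria = value  # a Match block runs to the next Match line or EOF
        elif keyword == "allowtcpforwarding":
            value = value.lower()
            if criteria is None:
                if global_value is None:  # first occurrence wins, later ones are ignored
                    global_value = value
            elif criteria not in dict(overrides):
                overrides.append((criteria, value))
    return (global_value or "yes"), overrides

def audit(text):
    """List the places where the file still permits some TCP forwarding."""
    global_value, overrides = forwarding_policy(text)
    findings = []
    if global_value != "no":
        findings.append(f"global: AllowTcpForwarding {global_value}")
    findings += [f"Match {c}: AllowTcpForwarding {v}" for c, v in overrides if v != "no"]
    return findings

if __name__ == "__main__":
    for name, cfg in (("default-style", DEFAULT_STYLE), ("hardened", HARDENED)):
        print(name, audit(cfg) or "no forwarding permitted")
```

The parser does not follow `Include` directives; on a live host, `sshd -T` prints the effective configuration.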

Issue History
Date Modified Username Field Change
2015-10-07 12:08 bchambers New Issue
2015-10-07 12:33 pbaldwin Status new => confirmed
2016-09-20 14:58 pbaldwin Status confirmed => resolved
2016-09-20 14:58 pbaldwin Fixed in Version => 7.3.0 Beta 1
2016-09-20 14:58 pbaldwin Resolution open => fixed
2016-09-20 14:58 pbaldwin Assigned To => pbaldwin
2016-09-20 14:58 pbaldwin Target Version => 7.3.0 Beta 1
2016-11-16 09:12 pbaldwin Target Version 7.3.0 Beta 1 => 7.3.0 Beta 1
2016-11-16 09:12 pbaldwin Fixed in Version 7.3.0 Beta 1 => 7.3.0 Beta 1
2016-12-20 11:40 pbaldwin Issue cloned: 0012021
2016-12-20 11:40 pbaldwin Relationship added related to 0012021
2016-12-22 09:30 pbaldwin Status resolved => closed