[rescue] SGI fw_sshd and security (findings)

Sheldon T. Hall shel at cmhcsys.com
Sun Mar 7 12:35:44 CST 2004


The story so far...

My SGI Challenge L (IRIX 6.5) exposes port 22 through my DSL router, so my
son can use the machine remotely, and I have it set up to warn me if anyone
tries to log in using the SGI Freeware SSHD it runs.  A few days ago,
someone from interbusiness.it probed the port.  Since I wasn't anticipating
any legitimate use of the machine from "outside," I shut down SSHD.

I mentioned this on the list, and, in the ensuing discussion, a couple of
folks offered to scan my system.  Dave McGuire ran nmap, which showed
nothing out of the ordinary.  Port 22 gave no response, since SSHD was still
shut down.

I re-enabled SSHD and Gary Nichols then fired up some high-zoot scanning
tool that actually tried to crack, or at least minutely examine, things.  It
produced an exquisite PDF file as a report, and I'm thankful to Gary for
running the thing, and for running it with the "do-not-bill-him-he-is-broke"
option.

What the report showed was that I was running OpenSSH-3.6.1p1.  I thought
that a bit odd, since I'd installed it from the CD images I mirror from
freeware.sgi.com, and their front page says they have OpenSSH-3.7.1p2.
3.7.1p2 fixes the known vulnerability in 3.6.1p1.

So ... it turns out that the "list by alpha" page on freeware.sgi.com has a
3.7.1p2 TARDIST file, but the CD images haven't been updated, and still,
even now, have 3.6.1p1.

So ... if you're running SSH on IRIX, check your version!  If you have
something earlier than 3.7.1p2, install it from the freeware.sgi.com main
page, not the CD images.

-Shel
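The check Shel recommends at the end of the post, as an added example that is not part of the original message or of anything on freeware.sgi.com: a small POSIX sh script that pulls the OpenSSH version out of an SSH banner (the "SSH-2.0-OpenSSH_3.6.1p1" string the server sends on port 22, which is what Gary's scanner read) or out of "ssh -V" output, and compares it against the 3.7.1p2 floor from the post. The function names (openssh_version, version_older, check_banner) and the sample banners are my own constructions; the comparison treats the portable "pN" suffix as a fourth component, so 3.7.1p1 counts as older than 3.7.1p2, which is exactly the case that matters here.

```shell
#!/bin/sh
# Added example, not code from the original post.  Parses the OpenSSH
# version from an SSH banner or from "ssh -V" output and flags anything
# older than the version the post recommends.

MIN_VERSION="3.7.1p2"   # from the post: first version without the 3.6.1p1 bug

# Print "X.Y[.Z][pN]" from a string containing "OpenSSH_<version>", e.g.
#   "SSH-2.0-OpenSSH_3.6.1p1"                        -> 3.6.1p1
#   "OpenSSH_3.7.1p2, SSH protocols 1.5/2.0, ..."    -> 3.7.1p2
# Prints nothing if the string is not an OpenSSH banner.
openssh_version() {
    printf '%s\n' "$1" | sed -n 's/.*OpenSSH_\([0-9][0-9.]*p*[0-9]*\).*/\1/p'
}

# Turn "3.6.1p1" into "3 6 1 1" (major minor patch portable-level) so the
# components can be compared numerically.
version_key() {
    printf '%s\n' "$1" | sed 's/p/./' | tr '.' ' '
}

# Return 0 (true) if version $1 is older than version $2.
# Missing components (e.g. "3.7" vs "3.7.1p2") are treated as 0.
version_older() {
    a=$(version_key "$1")
    b=$(version_key "$2")
    set -- $a
    a1=${1:-0} a2=${2:-0} a3=${3:-0} a4=${4:-0}
    set -- $b
    b1=${1:-0} b2=${2:-0} b3=${3:-0} b4=${4:-0}
    for pair in "$a1 $b1" "$a2 $b2" "$a3 $b3" "$a4 $b4"; do
        set -- $pair
        [ "$1" -lt "$2" ] && return 0
        [ "$1" -gt "$2" ] && return 1
    done
    return 1   # identical versions are not "older"
}

# Classify one banner string and print a one-line verdict.
check_banner() {
    v=$(openssh_version "$1")
    if [ -z "$v" ]; then
        echo "not OpenSSH or unparsable: $1"
    elif version_older "$v" "$MIN_VERSION"; then
        echo "VULNERABLE: OpenSSH $v is older than $MIN_VERSION"
    else
        echo "OK: OpenSSH $v"
    fi
}

# Constructed sample banners (not captured from any real host).
for banner in \
    "SSH-2.0-OpenSSH_3.6.1p1" \
    "SSH-1.99-OpenSSH_3.7.1p1" \
    "SSH-2.0-OpenSSH_3.7.1p2" \
    "OpenSSH_3.8p1, SSH protocols 1.5/2.0, OpenSSL 0.9.7c 30 Sep 2003" \
    "SSH-2.0-dropbear_0.41"
do
    check_banner "$banner"
done
```

To run it against a live host, feed check_banner whatever the server actually sends on port 22 (a banner grab with nc or telnet, if one is installed on the IRIX box; that tool choice is an assumption, not something from the post) or, for the locally installed package, the output of "ssh -V 2>&1", which reports the client's version and matches sshd only if both came from the same fw_openssh TARDIST.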
