Archives

Categories

Compromised Guest Account

Some of the workstations I run are sometimes used by multiple people. Having multiple people share an account is bad for security so having a guest account for guest access is convenient.

If a system doesn’t allow logins over the Internet then a strong password is not needed for the guest account.

If such a system later allows logins over the Internet then hostile parties can try to guess the password. This happens even if you don’t use the default port for ssh.

This recently happened to a system I run. The attacker logged in as guest, changed the password, and installed a cron job to run every minute and restart their blockchain mining program if it had been stopped.

In 2007 a bug was filed against the Debian package openssh-server requesting that the AllowUsers be added to the default /etc/ssh/sshd_config file [1]. If that bug hadn’t been marked as “wishlist” and left alone for 11 years then I would probably have set it to only allow ssh connections to the one account that I desired which always had a strong password.

I’ve been a sysadmin for about 25 years (since before ssh was invented). I have been a Debian Developer for almost 20 years, including working on security related code. The fact that I stuffed up in regard to this issue suggests that there are probably many other people making similar mistakes, and probably most of them aren’t monitoring things like system load average and temperature which can lead to the discovery of such attacks.

2 comments to Compromised Guest Account

  • rjc

    Hi Russell,

    What you have written clearly shows there’s an issue with having a guest account enabled in the first place ;^)

    Let’s assume for a second that this is *not* the main issue, in which case, the account should be sufficiently stripped down as not to allow more than, i.e. X processes, Y RAM, etc. certainly not having a crontab ;^)

    This is certainly *not* an OpenSSH issue. If you must, then use AllowGroups option and add standard users to a predefined SSH users group – it’s easier to mange SSH access that way.

    Cheers,

    rjc

  • Restricting access of the guest account in that way is difficult. If the guest session is to be used for a GUI login (KDE or GNOME for the sake of discussion) then you can’t have useful process limits.

    The fact that Debian OpenSSH doesn’t have AllowUsers or AllowGroups in it’s default configuration leads to these issues, which is why a bug report was filed about it 10 years ago.