/usr/bin/sshd isn't linked against PAM on one of my systems. What is wrong and how can I fix it?

Solution 1:

It looks like your /usr/sbin/sshd binary has been overwritten.

This could mean you have had a security breach, or maybe someone just compiled a version locally and the Ubuntu version was overwritten.

The 1:4.7p1-8ubuntu1.2 (x86) version of openssh-server is definitely linked against libpam. It is conceivable that the PAM support was left out of the 64-bit version, but that seems unlikely.

I'd try reinstalling openssh-server:

# First back up the current binary
$ sudo cp /usr/sbin/sshd /root/sshd.bak

# reinstall the Ubuntu version
$ sudo apt-get install --reinstall openssh-server

# compare the two versions
$ sudo sha1sum /usr/sbin/sshd /root/sshd.bak

# In my case, they match:
# 8a3ccd5242380674bc45b887286faa3abb51acdb  /usr/sbin/sshd
# 8a3ccd5242380674bc45b887286faa3abb51acdb  /root/sshd.bak

If yours don't match each other (not mine), there is definitely something fishy going on and you really need to figure out where that version of sshd came from.

If they do match, then I am probably wrong and it is a bug in that version of openssh-server for 64-bit Ubuntu.

Solution 2:

Based on the information provided in the question, it looks like your sshd overwriting may not be due to a system compromise, but due to something more benign like a sysadmin trying to change the standard ssh. The reason I suspect this is some admin action is that the system also has this non-standard ssh package installed:

quest-openssh.

You may run:

dpkg-query -L quest-openssh | grep sshd

and see whether this package contains a file /usr/bin/sshd which has overwritten your openssh server (according to Thedward, and also by my verification, quest openssh installs under /opt, but there's a (low) chance that it was configured differently). In any case, you should ask your sysadmin if he was trying to replace sshd, by what, how, and why.

To sum up my thinking: yes, your sshd has definitely been overwritten, but I think it is a bit hasty to conclude that your system was definitely compromised.

Lastly: how to fix it? Remove the quest-openssh package, reinstall the standard openssh, and ldap-auth-client which uses libpam-ldap support for the standard openssh. Generally, on a Debian/Ubuntu based system, there's rarely a need to install non-standard, or non-free commercial packages to get open/standard functionality. You can find more information on how to set up openssh PAM for LDAP here: http://wiki.linuxquestions.org/wiki/Pam_ldap
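
The checks from both answers (is the binary linked against libpam, which package owns it, does it still match what the package shipped) can be scripted as below. This is an added example, not code from either answer; the function names, the `--run` switch, and the use of `readelf` and dpkg's `/var/lib/dpkg/info/openssh-server.md5sums` file are assumptions of the example.

```shell
#!/bin/sh
# Added example: static checks on a suspect sshd binary (Debian/Ubuntu).
# Function names and the --run switch are hypothetical, chosen for this example.

# needs_libpam: reads `readelf -d <binary>` output on stdin and succeeds if a
# NEEDED entry names libpam. readelf only parses the ELF file; ldd can invoke
# the binary's own loader, which is not wanted on a file of unknown origin.
# A matching line looks like:
#   0x0000000000000001 (NEEDED)   Shared library: [libpam.so.0]
needs_libpam() {
    grep -Eq '\(NEEDED\).*\[libpam\.so(\.[0-9]+)*\]'
}

# recorded_md5 <md5sums-file> <path>: prints the digest dpkg recorded for
# <path>. dpkg md5sums files list paths without the leading slash.
recorded_md5() {
    awk -v p="${2#/}" '$2 == p { print $1; f = 1 } END { exit !f }' "$1"
}

# verify_file <md5sums-file> <root> <path>: compares the file under <root>
# with the packaged digest.
# Returns 0 on match, 1 on mismatch or unreadable file, 2 if the package
# does not ship <path> at all.
verify_file() {
    want=$(recorded_md5 "$1" "$3") || return 2
    have=$(md5sum "$2/${3#/}" | cut -d' ' -f1)
    [ "$want" = "$have" ]
}

# Live checks run only on request: sh check-sshd.sh --run
if [ "${1:-}" = "--run" ]; then
    bin=/usr/sbin/sshd
    sums=/var/lib/dpkg/info/openssh-server.md5sums
    # Which installed package claims the path (e.g. a replacement package)?
    dpkg -S "$bin" || echo "no installed package owns $bin"
    if readelf -d "$bin" | needs_libpam; then
        echo "$bin: linked against libpam"
    else
        echo "$bin: NOT linked against libpam"
    fi
    rc=0
    verify_file "$sums" / "$bin" || rc=$?
    case $rc in
        0) echo "$bin: matches the digest shipped by openssh-server" ;;
        1) echo "$bin: differs from the packaged file" ;;
        2) echo "$bin: not listed in $sums" ;;
    esac
fi
```

The md5sums file sits on the same disk as the binary, so a match mainly rules out an accidental overwrite; comparing against a freshly downloaded package gives stronger assurance.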