mouring at etoh.eviladmin.org
2001-Apr-26 23:00 UTC
Functionality bug (possibly) in openssh on AIX 4.3 (fwd)
Has anyone else running AIX tried this patch? I'm looking for feedback if it should be applied before we release 2.9p1.

- Ben

---------- Forwarded message ----------
Date: Tue, 24 Apr 2001 17:22:02 -0800 (AKDT)
From: mikem at alaska.net
To: openssh-unix-dev at mindrot.org
Subject: Functionality bug (possibly) in openssh on AIX 4.3

Hi Folks,

While compiling and testing openssh-2.5.2p2 on various AIX platforms, I've found that ssh will not accept root (based on ssh key credentials) logins at all if the AIX security features have been set to disallow remote root logins. If I disable the AIX security feature (enable remote root logins), I can then do bad things like rsh, telnet, etc. into the box as root.

[...]

*** auth.c Tue Apr 24 16:01:02 2001 --- ../openssh-2.5.2p2/auth.c Mon Mar 19 13:15:57 2001 *************** *** 142,164 **** } #ifdef WITH_AIXAUTHENTICATE ! if ((pw->pw_uid != 0) && (loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &loginmsg) != 0)) { ! if (loginmsg && *loginmsg) { ! /* Remove embedded newlines (if any) */ ! char *p; ! for (p = loginmsg; *p; p++) { ! if (*p == '\n') ! *p = ' '; ! } ! /* Remove trailing newline */ ! *--p = '\0'; ! log("Login restricted for %s: %.100s", pw->pw_name, loginmsg); ! } ! return 0; ! } #endif /* WITH_AIXAUTHENTICATE */ - - /* We found no reason not to let this user try to log on... */ return 1; --- 142,162 ---- } #ifdef WITH_AIXAUTHENTICATE ! if (loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &loginmsg) != 0) { ! if (loginmsg && *loginmsg) { ! /* Remove embedded newlines (if any) */ ! char *p; ! for (p = loginmsg; *p; p++) { ! if (*p == '\n') ! *p = ' '; ! } ! /* Remove trailing newline */ ! *--p = '\0'; ! log("Login restricted for %s: %.100s", pw->pw_name, loginmsg); ! } ! return 0; ! } #endif /* WITH_AIXAUTHENTICATE */ /* We found no reason not to let this user try to log on... */ return 1;
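Review bot: the file headers put the patched copy ("*** auth.c", Apr 24) on the old side and the stock "../openssh-2.5.2p2/auth.c" (Mar 19) on the new side, so the diff is reversed: applied as posted it would remove the "(pw->pw_uid != 0) &&" guard rather than add it, so it should be regenerated with the stock tree as the "***" file (or flagged as needing patch -R). On the change itself, the added "(pw->pw_uid != 0) &&" short-circuits loginrestrictions() for every uid-0 account unconditionally, which makes sshd override the system's remote-root policy with no way to keep the current behaviour; tying the exemption to a run-time sshd option that is off by default would preserve what the system expects. Unchanged context, but worth a look while here: the "Remove trailing newline" step "*--p = '\0'" always drops the last character even when there was no trailing newline, since the loop above it has already turned any '\n' into a space.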
David Bronder
2001-Apr-26 23:42 UTC
[openssh-unix-dev] Functionality bug (possibly) in openssh on AIX 4.3 (fwd)
I haven't tried the patch (still fighting another possibly-AIX problem that I haven't seen other reports of yet). But I'd recommend against this patch, at least as a default.

What he is proposing is for OpenSSH to disregard a system-wide policy decision -- that root should not be permitted to directly log in from the network. There are more reasons to disable remote logins as root (vs. normal login then su) than just to prevent plaintext use of the root password; for example, audit trails for a group of admins or site security policies. This patch would violate the expected behavior of the system.

A good compromise would probably be to make it a configure-time feature that also required a run-time config option to enable it (defaulting to the current and expected behavior). That way, it's only active if the admin consciously chooses it.

=Dave

mouring at etoh.eviladmin.org wrote:
>
>
> Has anyone else running AIX tried this patch? I'm looking for feedback
> if it should be applied before we release 2.9p1.
>
> - Ben
>
> ---------- Forwarded message ----------
> Date: Tue, 24 Apr 2001 17:22:02 -0800 (AKDT)
> From: mikem at alaska.net
> To: openssh-unix-dev at mindrot.org
> Subject: Functionality bug (possibly) in openssh on AIX 4.3
>
>
> Hi Folks,
>
> While compiling and testing openssh-2.5.2p2 on various AIX platforms, I've
> found that ssh will not accept root (based on ssh key credentials) logins
> at all if the AIX security features have been set to disallow remote root
> logins. If I disable the AIX security feature (enable remote root
> logins), I can then do bad things like rsh, telnet, etc. into the box as
> root.
>
> [...]
>

--
Hello World.                                  David Bronder - Systems Admin
Segmentation Fault                                 ITS-SPA, Univ. of Iowa
Core dumped, disk trashed, quota filled, soda warm.   david-bronder at uiowa.edu
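As an added example, not code from the thread or from OpenSSH, here is a small C model of the compromise Dave describes above: the system policy check is always consulted unless the admin has explicitly set a run-time option (hypothetical name permit_root_override), and the restriction message is sanitised before it reaches the log. fake_loginrestrictions() is a constructed stand-in for the AIX call, returning constructed policy messages.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for AIX loginrestrictions(): non-zero means the
 * system policy forbids a remote login; *msg gets the policy text. */
static int fake_loginrestrictions(const char *name, char **msg)
{
    static char root_msg[] = "Remote logins are not allowed for this account.\n";
    static char fred_msg[] = "Account fred\nmay not login remotely.\n";
    if (strcmp(name, "root") == 0) { *msg = root_msg; return 1; }
    if (strcmp(name, "fred") == 0) { *msg = fred_msg; return 1; }
    *msg = NULL; return 0;
}
/* Newlines become spaces and trailing blanks are dropped, so the message
 * cannot forge extra log lines; unlike "*--p = '\0'" no real char is lost. */
static void sanitize_loginmsg(char *msg)
{
    size_t len = strlen(msg);
    for (size_t i = 0; i < len; i++)
        if (msg[i] == '\n' || msg[i] == '\r') msg[i] = ' ';
    while (len > 0 && msg[len - 1] == ' ')
        msg[--len] = '\0';
}
/* 1 = may proceed to authentication, 0 = blocked by system policy. The
 * hypothetical run-time option permit_root_override is the only way uid 0
 * skips the check; logbuf receives the "Login restricted" line sshd logs. */
int allow_login(const char *name, unsigned uid, int permit_root_override,
                char *logbuf, size_t n)
{
    char *loginmsg = NULL, copy[256];
    logbuf[0] = '\0';
    if (uid == 0 && permit_root_override)
        return 1;                       /* explicit admin choice only */
    if (fake_loginrestrictions(name, &loginmsg) != 0) {
        if (loginmsg && *loginmsg) {
            snprintf(copy, sizeof copy, "%s", loginmsg);
            sanitize_loginmsg(copy);
            snprintf(logbuf, n, "Login restricted for %s: %.100s", name, copy);
        }
        return 0;
    }
    return 1;                           /* no reason not to let the user try */
}
int main(void)
{
    char line[256];
    printf("%d %s\n", allow_login("root", 0, 0, line, sizeof line), line);
    printf("%d\n", allow_login("root", 0, 1, line, sizeof line));
    return 0;
}
```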
Markus Friedl wrote:
>
> On Fri, Apr 27, 2001 at 10:25:35AM +0900, Tom Holroyd wrote:
> > root:x:0:0:root:/root:/bin/sh
> > fred:x:0:0:root:/root:/bin/sh
> > joe:x:0:0:root:/root:/bin/sh
> > frank:x:0:0:root:/root:/bin/sh
>
> not all systems support this.
>
> some systems hash the passwd database by uid.
>

AIX included (optionally)... :)

--
Hello World.                                  David Bronder - Systems Admin
Segmentation Fault                                 ITS-SPA, Univ. of Iowa
Core dumped, disk trashed, quota filled, soda warm.   david-bronder at uiowa.edu