bugzilla-daemon at mindrot.org
2007-Feb-13 13:55 UTC
[Bug 1284] allow sftp when rlogin=false
http://bugzilla.mindrot.org/show_bug.cgi?id=1284

Summary: allow sftp when rlogin=false
Product: Portable OpenSSH
Version: v4.5p1
Platform: Other
OS/Version: AIX
Status: NEW
Severity: enhancement
Priority: P2
Component: sshd
AssignedTo: bitbucket at mindrot.org
ReportedBy: dleonard at vintela.com

I was looking at the "OpenSSH on AIX" project patches on sourceforge, and was interested to see this issue:

On AIX, you can set 'rlogin=false' on particular users and deny them remote shell access. OpenSSH supports that. However, sftp is still a desirable service to access, and is not considered a remote shell. Currently, openssh denies any user with rlogin=false set.

The abbreviated patch below shows how the check was changed in the openssh-aix project to support session and not subsystem denial. (not shown is the global int rlogin):

--- openssh-4.3p2/openbsd-compat/port-aix.c Sat May 28 19:54:28 2005 +++ 52/openbsd-compat/port-aix.c Sun May 14 05:19:43 2006 @@ -231,231 +231,234 @@ debug3("%s: not checking", __func__); return 1; } + if (getuserattr(pw->pw_name, S_RLOGINCHK, &rlogin, SEC_BOOL) =-1) + rlogin=1; - result = loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &msg); + result = loginrestrictions(pw->pw_name, 0, NULL, &msg); if (result == 0) permitted = 1; /* --- openssh-4.3p2/session.c Tue Feb 7 17:18:55 2006 +++ 52/session.c Sun May 14 05:19:16 2006
@@ -660,532 +666,672 @@ debug("Forced command '%.900s'", command); } + /* if remote login is set to false in "/etc/security/user", + you should still be able to "sftp" but not "ssh" */ + if (!rlogin) { + if (!s->is_subsystem) + packet_disconnect("Remote login for account %.100s is not allowed.", s->pw->pw_name); + } + #ifdef SSH_AUDIT_EVENTS if (command != NULL) PRIVSEP(audit_run_command(command));

(Source: http://sourceforge.net/project/showfiles.php?group_id=127997&package_id=144624&release_id=482265 )

I know that the above is an ugly solution and doesn't consider other subsystem types (that may be session-like), but thought it would be worth adding into bugzilla ... maybe someone can see a clean way of supporting this.

(openssh-aix's patch is actually buggy as described at: "Bypasses rlogin=false" at http://sourceforge.net/tracker/index.php?func=detail&aid=1346058&group_id=127997&atid=710254 and "sftp login allowed when rlogin=false" at http://sourceforge.net/tracker/index.php?func=detail&aid=1552074&group_id=127997&atid=710254 )
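Review bot: the added `getuserattr` test in the port-aix.c hunk is written as `=-1`, an assignment rather than the comparison `== -1`, so the line does not express the intended error check as posted (and a function call result is not assignable in any case); on top of that, the fallback `rlogin=1` makes a failed attribute lookup fail open, treating an unreadable `rlogin` attribute as permission to log in. Change the test to `== -1` and default `rlogin` to 0 so that a lookup failure denies rather than permits. Note also that replacing `S_RLOGIN` with `0` in the `loginrestrictions` call drops the library's own rlogin enforcement entirely, so every rlogin=false decision now rests solely on the new global and the single check added in session.c.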
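Review bot: the check in the session.c hunk exempts every subsystem (`!s->is_subsystem`) rather than the sftp subsystem specifically, so any other subsystem configured in sshd_config is equally allowed for an rlogin=false user, which is the gap the report itself flags under "other subsystem types (that may be session-like)"; restrict the exemption to the sftp subsystem by name rather than to the generic subsystem flag. The comment should also state where `rlogin` comes from (the global populated in port-aix.c), since nothing in session.c otherwise indicates that the value is an AIX login-restriction attribute rather than session state.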