This may not be the place to pose this question so forgive me if I should send this somewhere else.

I have noticed that SSH2 appears to check user's password against the password file without executing login. We are using a security application that replaces the login binary to perform its own security checks on login, i.e. it suspends user ids that have failed to use a successful password. Since SSH2 doesn't use the login binary that was replaced it bypasses our security product. I was wondering if this would be difficult to change, and if not where in the source code I would have to go to make such a change?

Ed
Information Security

> -----Original Message-----
> From: Livengood, Edward [mailto:Edward.Livengood at CommerceBank.com]
>
> This may not be the place to pose this question so forgive me if I should
> send this somewhere else.
>
> I have noticed that SSH2 appears to check user's password against the
> password file without executing login. We are using a security application
> that replaces the login binary to perform its own security checks on login,
> i.e. it suspends user ids that have failed to use a successful password.
> Since SSH2 doesn't use the login binary that was replaced it bypasses our
> security product. I was wondering if this would be difficult to change, and
> if not where in the source code I would have to go to make such a change?

Now I'm not an expert, but isn't this what the "UseLogin" parameter in sshd_config is supposed to do? The man page for sshd has more information.

Greg

Thank you. That led me to what I was looking for.

Ed
Information Security

-----Original Message-----
From: Gregory Leblanc [mailto:GLeblanc at cu-portland.edu]
Sent: Thursday, September 14, 2000 5:08 PM
To: 'Livengood, Edward'; 'openssh-unix-dev at mindrot.org'
Subject: RE: SSH using the login binary

> -----Original Message-----
> From: Livengood, Edward [mailto:Edward.Livengood at CommerceBank.com]
>
> This may not be the place to pose this question so forgive me if I should
> send this somewhere else.
>
> I have noticed that SSH2 appears to check user's password against the
> password file without executing login. We are using a security application
> that replaces the login binary to perform its own security checks on login,
> i.e. it suspends user ids that have failed to use a successful password.
> Since SSH2 doesn't use the login binary that was replaced it bypasses our
> security product. I was wondering if this would be difficult to change, and
> if not where in the source code I would have to go to make such a change?

Now I'm not an expert, but isn't this what the "UseLogin" parameter in sshd_config is supposed to do? The man page for sshd has more information.

Greg

On Thu, 14 Sep 2000, Livengood, Edward wrote:

> This may not be the place to pose this question so forgive me if I
> should send this somewhere else.
>
> I have noticed that SSH2 appears to check user's password against
> the password file without executing login. We are using a security
> application that replaces the login binary to perform its own
> security checks on login, i.e. it suspends user ids that have failed
> to use a successful password. Since SSH2 doesn't use the login
> binary that was replaced it bypasses our security product. I was
> wondering if this would be difficult to change, and if not where in
> the source code I would have to go to make such a change?

No need - just put a "UseLogin yes" in the server config file.

-d

--
| ``The power of accurate observation is   | Damien Miller <djm at mindrot.org>
| commonly called cynicism by those who    | @Work <djm at ibs.com.au>
| have not got it'' - George Bernard Shaw  | http://www.mindrot.org
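
An added example, not part of the thread and not OpenSSH code: a small audit that reports which `UseLogin` value a server config actually yields, since sshd keeps the first value it reads for a keyword and a "UseLogin yes" appended below an earlier "no" changes nothing. The function names and the sample config are hypothetical; the option applies only to older servers (it was removed in OpenSSH 7.4), and per sshd_config(5) login(1) is never used for remote command execution even when it is set.

```python
import re
import shlex

# keyword, then "=" or whitespace, then the argument(s)
LINE = re.compile(r"^\s*([A-Za-z0-9]+)(?:\s*=\s*|\s+)(.*)$")

def uselogin_lines(config_text):
    """Return [(lineno, value)] for every global UseLogin line, in file order."""
    found = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        m = LINE.match(raw)               # comments and blank lines do not match
        if not m:
            continue
        keyword = m.group(1).lower()      # keywords are case-insensitive
        if keyword == "match":            # global section ends at the first Match block
            break
        if keyword == "uselogin":
            try:
                args = shlex.split(m.group(2), comments=True)
            except ValueError:            # unbalanced quote: record as unparsable
                args = []
            found.append((lineno, args[0] if args else ""))
    return found

def audit(config_text):
    """Return (effective_value, findings). sshd keeps the first value it reads."""
    lines = uselogin_lines(config_text)
    if not lines:
        return "no", ["UseLogin not set: default is 'no', login(1) is not run"]
    first_line, effective = lines[0]
    findings = []
    if effective != "yes":
        findings.append(f"line {first_line}: UseLogin {effective!r}, login(1) is not run")
    for lineno, value in lines[1:]:
        if value != effective:
            findings.append(f"line {lineno}: UseLogin {value!r} is ignored, line {first_line} wins")
    return effective, findings

# Constructed sample: a "yes" appended below an earlier "no" has no effect.
SAMPLE = """\
# sshd_config (constructed sample)
Port 22
uselogin no
PasswordAuthentication yes
UseLogin yes
"""

if __name__ == "__main__":
    value, findings = audit(SAMPLE)
    print("effective UseLogin:", value)
    for f in findings:
        print(" -", f)
```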