mikem at alaska.net
2001-Apr-25 01:22 UTC
Functionality bug (possibly) in openssh on AIX 4.3
Hi Folks, While compiling and testing openssh-2.5.2p2 on various AIX platforms, I've found that ssh will not accept root (based on ssh key credentials) logins at all if the AIX security features have been set to disallow remote root logins. If I disable the AIX security feature (enable remote root logins), I can then do bad things like rsh, telnet, etc. into the box as root. This deviates somewhat from a linux (via /etc/securetty) or solaris machine where you can disallow root logins and still have ssh allow root access based upon credentials (i.e. PermitRootLogin without-password) I'm submitting the patch I came up with for your consideration, but I'm concerned that by allowing this functionality I've created a potential hole. I've gone over it several times, but I'm still paranoid. The patch basically excludes checking for restricted logins for root on a system that has AIX_AUTHENTICATE defined. All other users are checked against the AIX authenication mechanism in the normal fashion. If you do see something glaringly wrong with this approach, please let me know so I can fix it. If it does make sense, then I'd like to see the change incorporated into the next release so that others who've experience the same problems I have can have some relief. I've tested this on AIX 4.3.x only, and it doesn't appear to be necessary on older 3.2 systems, although it shouldn't hurt anything if it's applied on those OSs. Thanks in advance for your consideration and review of this. Sincerely, Mike Messick email: mikem at alaska.net Information Security Architect Phillips Alaska, Inc. PGP Key Fingerprint: 2048/0x57318496 053B 412B 82FC 3808 E141 CDCD 74AE 01C5 5731 8496 -------------- next part -------------- *** auth.c Tue Apr 24 16:01:02 2001 --- ../openssh-2.5.2p2/auth.c Mon Mar 19 13:15:57 2001 *************** *** 142,164 **** } #ifdef WITH_AIXAUTHENTICATE ! if ((pw->pw_uid != 0) && (loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &loginmsg) != 0)) { ! if (loginmsg && *loginmsg) { ! /* Remove embedded newlines (if any) */ ! char *p; ! for (p = loginmsg; *p; p++) { ! if (*p == '\n') ! *p = ' '; ! } ! /* Remove trailing newline */ ! *--p = '\0'; ! log("Login restricted for %s: %.100s", pw->pw_name, loginmsg); ! } ! return 0; ! } #endif /* WITH_AIXAUTHENTICATE */ - - /* We found no reason not to let this user try to log on... */ return 1; --- 142,162 ---- } #ifdef WITH_AIXAUTHENTICATE ! if (loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &loginmsg) != 0) { ! if (loginmsg && *loginmsg) { ! /* Remove embedded newlines (if any) */ ! char *p; ! for (p = loginmsg; *p; p++) { ! if (*p == '\n') ! *p = ' '; ! } ! /* Remove trailing newline */ ! *--p = '\0'; ! log("Login restricted for %s: %.100s", pw->pw_name, loginmsg); ! } ! return 0; ! } #endif /* WITH_AIXAUTHENTICATE */ /* We found no reason not to let this user try to log on... */ return 1;