openssh unix dev - Apr 2001 - Functionality bug (possibly) in openssh on AIX 4.3

Hi Folks,

While compiling and testing openssh-2.5.2p2 on various AIX platforms, I've
found that ssh will not accept root (based on ssh key credentials) logins
at all if the AIX security features have been set to disallow remote root
logins.  If I disable the AIX security feature (enable remote root
logins), I can then do bad things like rsh, telnet, etc. into the box as
root.

This deviates somewhat from a linux (via /etc/securetty) or solaris
machine where you can disallow root logins and still have ssh allow root
access based upon credentials (i.e. PermitRootLogin without-password)

I'm submitting the patch I came up with for your consideration, but I'm
concerned that by allowing this functionality I've created a potential
hole.  I've gone over it several times, but I'm still paranoid.  

The patch basically excludes checking for restricted logins for root on a
system that has AIX_AUTHENTICATE defined.  All other users are checked
against the AIX authenication mechanism in the normal fashion.

If you do see something glaringly wrong with this approach, please let me
know so I can fix it.  If it does make sense, then I'd like to see the
change incorporated into the next release so that others who've experience
the same problems I have can have some relief. 

I've tested this on AIX 4.3.x only, and it doesn't appear to be
necessary
on older 3.2 systems, although it shouldn't hurt anything if it's
applied
on those OSs.

Thanks in advance for your consideration and review of this.

Sincerely,

Mike Messick                               email: mikem at alaska.net
Information Security Architect                Phillips Alaska, Inc.
PGP Key Fingerprint:
2048/0x57318496 053B 412B 82FC 3808 E141  CDCD 74AE 01C5 5731 8496
-------------- next part --------------
*** auth.c      Tue Apr 24 16:01:02 2001
--- ../openssh-2.5.2p2/auth.c   Mon Mar 19 13:15:57 2001
***************
*** 142,164 ****
        }
  
  #ifdef WITH_AIXAUTHENTICATE
!         if ((pw->pw_uid != 0) && (loginrestrictions(pw->pw_name,
S_RLOGIN, NULL, &loginmsg) != 0)) {
!                 if (loginmsg && *loginmsg) {
!                         /* Remove embedded newlines (if any) */
!                         char *p;
!                         for (p = loginmsg; *p; p++) {
!                                 if (*p == '\n')
!                                         *p = ' ';
!                         }
!                         /* Remove trailing newline */
!                         *--p = '\0';
!                         log("Login restricted for %s: %.100s",
pw->pw_name, loginmsg);
!                 }
!                 return 0;
!         }
  #endif /* WITH_AIXAUTHENTICATE */
- 
- 
  
        /* We found no reason not to let this user try to log on... */
        return 1;
--- 142,162 ----
        }
  
  #ifdef WITH_AIXAUTHENTICATE
!       if (loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &loginmsg) !=
0) {
!               if (loginmsg && *loginmsg) {
!                       /* Remove embedded newlines (if any) */
!                       char *p;
!                       for (p = loginmsg; *p; p++) {
!                               if (*p == '\n')
!                                       *p = ' ';
!                       }
!                       /* Remove trailing newline */
!                       *--p = '\0';
!                       log("Login restricted for %s: %.100s",
pw->pw_name, loginmsg);
!               }
!               return 0;
!       }
  #endif /* WITH_AIXAUTHENTICATE */
  
        /* We found no reason not to let this user try to log on... */
        return 1;