bugzilla-daemon at mindrot.org
2004-Jan-23 05:09 UTC
[Bug 712] ssh does not properly utilize OS specified authentication methods on AIX
http://bugzilla.mindrot.org/show_bug.cgi?id=712

dtucker at zip.com.au changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
OtherBugsDependingO|                            |793
              nThis|                            |
             Status|NEW                         |ASSIGNED

------- Additional Comments From dtucker at zip.com.au 2004-01-22 22:09 -------
This is specific to the account configuration. Without going into too much detail, the problem is this:

The accounts were configured with the following AIX authentication settings:
SYSTEM=none
auth1=somemodule
auth2=none

The problem is sshd uses AIX's authenticate() function, which knows only SYSTEM, not auth1 or auth2 (AFAIK those are the domain of ckuserID() which is documented as obsolete, and would be very difficult to support sanely in sshd anyway).

I think the best sshd can do in this case is to detect an unsupportable authentication configuration (currently my best guess is SYSTEM=NONE && auth1 !NONE, feedback wanted!) and deny the login.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
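The condition guessed at in the comment above (SYSTEM=NONE with auth1 set to something other than NONE), written as an offline account audit. This is an added example, not part of the original message or of the OpenSSH patch. It assumes stanza text in the layout of AIX's /etc/security/user, that unset attributes fall back to the `default:` stanza, and that values compare case-insensitively; the function names and the sample accounts are constructed for illustration.

```python
import re

# Constructed sample in AIX stanza layout (not taken from a real system).
SAMPLE = """\
* lines starting with an asterisk are comments
default:
        SYSTEM = "compat"
        auth1 = SYSTEM
alice:
        admin = false
bob:
        SYSTEM = none
        auth1 = somemodule
        auth2 = none
carol:
        SYSTEM = NONE
        auth1 = NONE
"""

def parse_stanzas(text):
    """Return {stanza_name: {attribute: value}} from stanza-format text."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):
            continue
        header = re.fullmatch(r"([^\s:=]+):", line)
        if header:
            current = stanzas.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return stanzas

def unsupportable_accounts(text):
    """List accounts whose effective settings are SYSTEM=NONE and auth1 != NONE."""
    stanzas = parse_stanzas(text)
    defaults = stanzas.get("default", {})
    flagged = []
    for user, attrs in stanzas.items():
        if user == "default":
            continue
        effective = {**defaults, **attrs}  # assumption: default stanza is inherited
        system = effective.get("SYSTEM", "").upper()
        auth1 = effective.get("auth1", "").upper()
        # An unset auth1 is treated as NONE here (assumption).
        if system == "NONE" and auth1 not in ("", "NONE"):
            flagged.append(user)
    return sorted(flagged)

if __name__ == "__main__":
    print(unsupportable_accounts(SAMPLE))
```

Only `bob` is reported for the sample: `alice` inherits a non-NONE SYSTEM from the default stanza, and `carol` has auth1 set to NONE.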
bugzilla-daemon at mindrot.org
2004-Jan-23 06:56 UTC
[Bug 712] ssh does not properly utilize OS specified authentication methods on AIX
http://bugzilla.mindrot.org/show_bug.cgi?id=712

dtucker at zip.com.au changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
 Attachment #465 is|0                           |1
           obsolete|                            |

------- Additional Comments From dtucker at zip.com.au 2004-01-22 23:56 -------
Created an attachment (id=534)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=534&action=view)
Check AIX accounts for SYSTEM=NONE

First attempt at testing accounts for SYSTEM=NONE and auth1!=NONE.
bugzilla-daemon at mindrot.org
2004-Feb-05 08:48 UTC
[Bug 712] ssh does not properly utilize OS specified authentication methods on AIX
http://bugzilla.mindrot.org/show_bug.cgi?id=712

dtucker at zip.com.au changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
OtherBugsDependingO|793                         |
              nThis|                            |

------- Additional Comments From dtucker at zip.com.au 2004-02-05 19:48 -------
I think it's too late for this patch to go for the next release. Since it has had very limited testing, it has potential for mayhem by denying access to accounts, simply because they have an unusual but otherwise valid config.

It should probably go in early in the next release cycle.