mark.pitt at ch.ibm.com
2001-May-16 16:04 UTC
AIX SSH 2.x ssh and /etc/ftpusers NOT IBM Standard - SECURITY
During testing of ssh 2.5 from www.bull.de I have noticed a couple of things that are causing us problems.

Rlogin=false

We are required by security agreements to keep direct login for root locked (chuser rlogin=false root), which applies to the rlogin and telnet commands only according to IBM documentation, i.e. not rsh or ftp. AIX rlogin=false means no access via telnet or rlogin, but rsh and ftp ARE allowed. However, ssh does not work if rlogin=false. Not only this, but having reported an illegal user because rlogin is locked, it then prompts for a password and fails even if the password is correct. If it already knows this, why does it prompt? I would like to use ssh as rsh, but keep rlogin and telnet locked.

Also, changing chuser rlogin=true while the server is running doesn't work. What is worse, the other way round does not work, thus giving unintended access to the system to someone that has been blocked, i.e. start sshd with rlogin=true and access is permitted; set rlogin=false, and it is STILL permitted by ssh - ouch.

SFTP

To make any security sense of rlogin=false, it is absolutely essential to have /etc/ftpusers for root, for reasons that are clear to the initiated. However, sftp-daemon does NOT respect this, and provides no facility to do so - ouch. It also respects rlogin=false (I suppose as it goes through ssh), but this is NOT what IBM intended, and NOT standard.

LOGGING

1/ Use ssh as rsh with each Sys Adm having his (no her, but I digress) key in authorized_keys2. Then we have tracking for the root user, i.e. who has used it, with which key, without having to create users on every single machine for every single admin. Although this might be defeatible, it does aid in problem solving to know who used root last, as rlogin=false was intended - possibly logging to external servers etc. Other than a debug message to say ssh found a key on a particular line in the file, this is not easy to come by.
Anyway, thanks for your help, I have only just started with this, so I hope the questions are not too stooopid. Mark
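The tracking asked for in the LOGGING section (which admin's key opened a shared root session) can be reconstructed by a defender from sshd's authentication log once the server records the key fingerprint. The following is an added example, not part of the original post and not code from OpenSSH, Bull or IBM. It assumes a modern OpenSSH that logs "Accepted publickey for <user> from <addr> port <n> ssh2: <type> SHA256:<fingerprint>" (a feature the 2.5 release discussed above did not have), parses a constructed authorized_keys file whose key comments name each admin, computes OpenSSH-style SHA256 fingerprints, and attributes constructed log lines to the matching admin. The key blobs, admin names, hostnames and addresses are all synthetic; an options field with quoted spaces in authorized_keys is deliberately not handled.

```python
import base64
import hashlib
import re

# Synthetic ed25519 public-key blob in SSH wire format (length-prefixed type
# string, then a length-prefixed 32-byte "key"). Not a real key: constructed
# only so the example runs offline.
def _synthetic_ed25519_blob(seed: int) -> str:
    key_type = b"ssh-ed25519"
    pub = bytes([seed]) * 32
    wire = (len(key_type).to_bytes(4, "big") + key_type
            + len(pub).to_bytes(4, "big") + pub)
    return base64.b64encode(wire).decode()


# Constructed authorized_keys for root: one key per admin, comment names the admin.
AUTHORIZED_KEYS = "\n".join([
    "# root's authorized_keys (constructed sample)",
    f"ssh-ed25519 {_synthetic_ed25519_blob(1)} alice@adminhost",
    f"ssh-ed25519 {_synthetic_ed25519_blob(2)} bob@adminhost",
    "",
])


def fingerprint(b64_blob: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + base64(SHA-256(raw blob)) without padding."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def load_authorized_keys(text: str) -> dict:
    """Map fingerprint -> (key type, comment) for every key line.

    Comment and blank lines are skipped. A leading options field (e.g. from=...)
    without embedded spaces is tolerated by locating the first key-type token.
    """
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        idx = next((i for i, p in enumerate(parts)
                    if p.startswith(("ssh-", "ecdsa-", "sk-"))), None)
        if idx is None or idx + 1 >= len(parts):
            continue  # malformed line: no key type / blob
        key_type, blob = parts[idx], parts[idx + 1]
        comment = " ".join(parts[idx + 2:])
        table[fingerprint(blob)] = (key_type, comment)
    return table


# Modern OpenSSH "Accepted publickey" line (assumed format, see lead-in).
ACCEPTED_RE = re.compile(
    r"Accepted publickey for (?P<user>\S+) from (?P<src>\S+) port \d+ ssh2: "
    r"(?P<ktype>\S+) (?P<fp>SHA256:\S+)"
)


def attribute_logins(log_lines, table: dict) -> list:
    """For each accepted public-key login, name the admin whose key was used.

    Returns one dict per accepted login; 'admin' is None when the fingerprint
    is not in the authorized_keys table, which is itself worth alerting on.
    """
    results = []
    for line in log_lines:
        m = ACCEPTED_RE.search(line)
        if not m:
            continue
        entry = table.get(m["fp"])
        results.append({
            "user": m["user"],
            "src": m["src"],
            "fingerprint": m["fp"],
            "admin": entry[1] if entry else None,
        })
    return results


# Constructed sshd log lines: one login with alice's key, one with a key that is
# not in authorized_keys at all, and one unrelated failed-password line.
_ALICE_FP = fingerprint(_synthetic_ed25519_blob(1))
SAMPLE_LOG = [
    f"May 16 16:04:01 aixhost sshd[1234]: Accepted publickey for root from 10.0.0.5 port 50122 ssh2: ED25519 {_ALICE_FP}",
    f"May 16 16:05:13 aixhost sshd[1240]: Accepted publickey for root from 10.0.0.9 port 50130 ssh2: ED25519 SHA256:{'A' * 43}",
    "May 16 16:06:00 aixhost sshd[1250]: Failed password for root from 10.0.0.9 port 50140 ssh2",
]

if __name__ == "__main__":
    keys = load_authorized_keys(AUTHORIZED_KEYS)
    for r in attribute_logins(SAMPLE_LOG, keys):
        who = r["admin"] or "UNKNOWN KEY"
        print(f"root login from {r['src']} used {r['fingerprint']} -> {who}")
```

Run against real input, the table would be built from root's authorized_keys and the log lines read from syslog; a login whose fingerprint resolves to None means a key sshd accepted that the audited file does not contain (file changed since, or a different AuthorizedKeysFile), which is the case to investigate first.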