openssh unix dev - May 2001 - AIX SSH 2.x ssh and /etc/ftpusers rcp rlogin WRONG !

IF ssh is a replacement for rlogin,rsh etc I can accept it respecting
rlogin=false as rlogin does and rsh does not, however scp is a replacement
for rcp, and rcp does NOT use rlogin attribute, so the implementation is
NOT standard as scp fails if rlogin=false, but rcp succeeds, as documented.


thanks


mark

Hi,

On Thu, May 17, 2001 at 08:35:17AM +0200, mark.pitt at ch.ibm.com
wrote:
> IF ssh is a replacement for rlogin,rsh etc I can accept it respecting
> rlogin=false as rlogin does and rsh does not, however scp is a replacement
> for rcp, and rcp does NOT use rlogin attribute, so the implementation is
> NOT standard as scp fails if rlogin=false, but rcp succeeds, as documented.
Sounds like a design deficiency in AIX, actually.  What good is
disallowing rlogin if you do not also disallow rsh?

I think ssh should be consistant here - either "permit remote access to
AIX box", or "not at all".

gert

-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at
greenie.muc.de
fax: +49-89-35655025                        gert.doering at
physik.tu-muenchen.de

> I think ssh should be consistant here - either "permit remote access
to
> AIX box", or "not at all".
The rlogin attribute effectively relates to pty allocation permission.
Perhaps the OpenSSH implementation should be changed so that "no-pty"
is
set if rlogin=false?  This would then match AIX's configuration (right or
wrong, but consistent!).  If I want to disallow access completely then I
simply lock the account.

The login flow would include (excuse psuedo-code):

    if rlogin = false {
        set no-pty
        force subsystem sftp-server
    }

Is it worth adding the /etc/ftpusers test to the sftp-server for all
systems?  If we want sftp to replace ftp then this would make sense.  If
the file does not exist then no harm is done since the default is to grant
access.

It is nice to allow sftp access to users that are not allowed to log in. I
achieve this today using a forced command in the user's authorized_keys
files and leave rlogin=true.  This has potential for abuse since the
lock-down is not done at an administrative level and is quite difficult to
audit.

Best wishes,
--------------------------------------------------------
  Doug Manton, AT&T EMEA Commercial Security Solutions

               E:  demanton at att.com
--------------------------------------------------------
"If privacy is outlawed, only outlaws will have privacy"

As far as I understand:
rlogind allows login with password
rshd only allows access via .rhosts/hosts.equiv ! (Which is easy to remove
;-)

The difference is the possible use of a password.

(If you say 'rsh foreignhost' without command,
you actually use rlogind !)

With the current openssh-Code I've got no possibility
to disallow any remote root-login with password while
allowing RSA-Authenticated SSH-Login to root.

Therefore I would prefer rlogin=false to be ignored by sshd too.

J?rg

-----Original Message-----
From: Gert Doering [mailto:gert at greenie.muc.de]
...
Sounds like a design deficiency in AIX, actually.  What good is
disallowing rlogin if you do not also disallow rsh?

I think ssh should be consistant here - either "permit remote access to
AIX box", or "not at all".
...

Another point - IBM security Policies REQUIRE that any system they look
      after, their's or customer's, has rlogin=false for root set - this
      means ssh will NOT be usable at any site for which IBM is responsible
      - that means all IBM customers and IBM cannot use the product as it
      is currently configured without mountains of paperwork.

Bang go a lot of big sites, and not only AIX, but ALL systems IBM services.

Hi,
> What about 'PasswordAuthentication no' in sshd_config?
This is not my problem.
We want to disable root's using telnet and rlogin with password
(and allow RSA-User-Key Authentication)
telnet doesn't read sshd_config ... ;-)

We need some way to allow ssh without enabling telnet/rlogin!
(Disabling port 22 altogether is not a possible solution - not yet)

J?rg

-----Original Message-----
From: Jim Knoble [mailto:jmknoble at jmknoble.cx]
Sent: Thursday, May 17, 2001 10:46 PM
To: openssh-unix-dev at mindrot.org
Subject: Re: AIX SSH 2.x ssh and /etc/ftpusers rcp rlogin WRONG !


Circa 2001-May-17 15:16:34 +0200 dixit "Petersen, J?rg":

: As far as I understand:
: rlogind allows login with password
: rshd only allows access via .rhosts/hosts.equiv ! (Which is easy to remove
: ;-)
: 
: The difference is the possible use of a password.
: 
: (If you say 'rsh foreignhost' without command,
: you actually use rlogind !)
: 
: With the current openssh-Code I've got no possibility
: to disallow any remote root-login with password while
: allowing RSA-Authenticated SSH-Login to root.

What about 'PasswordAuthentication no' in sshd_config?

-- 
jim knoble | jmknoble at jmknoble.cx | http://www.jmknoble.cx/
(GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491)