Under AIX there are three security settings:

expires    = a fixed date at which an account is no longer valid
maxage     = weeks before a password expires
maxexpires = max weeks during which a password can be changed by a user after
             expiration AFTER WHICH ACCESS IS NOT ALLOWED

Beauty of maxage with expires is that no manual intervention is required
to block inactive users.
With maxage=5 and expires=1 an inactive user will be locked out after 6
weeks, even if he knows the password; also you can avoid "smoking joes" or
inactive accounts.

loginrestrictions in auth.c checks everything EXCEPT this.

Security problem is, this allows access when access should be denied.
Default for expires is -1, which means a password will expire as in maxage,
but the user can change his password at any time; however once set, access
should be denied.

Being a simple soul, I have added a routine passwdexpires ( AIX Lib )
directly after loginrestrictions with the same code. I think this should
be urgently added to the code - hope this helps.

auth.c

	/* mpi change expiresmsg */
#ifdef WITH_AIXAUTHENTICATE
	char *loginmsg;
	char *expiresmsg;
	int passexpcode;
#endif /* WITH_AIXAUTHENTICATE */

auth.c

#ifdef WITH_AIXAUTHENTICATE
	/* mpi change: passwdexpires goes in here */
	if (loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &loginmsg) != 0) {
		if (loginmsg && *loginmsg) {
			char *p;
			/* turn embedded newlines into spaces so the message logs on one line */
			for (p = loginmsg; *p; p++) {
				if (*p == '\n')
					*p = ' ';
			}
			/* drop the trailing newline */
			*--p = '\0';
			log("Login restricted for %s: %.100s", pw->pw_name, loginmsg);
		}
		return 0;
	}

	/* passwdexpired: 0 = ok, 1 = expired (user must change it),
	 * 2 = expired and only an administrator may change it, -1 = internal error */
	passexpcode = passwdexpired(pw->pw_name, &expiresmsg);
	if (passexpcode > 0) {
		if (expiresmsg && *expiresmsg) {
			char *e;
			for (e = expiresmsg; *e; e++) {
				if (*e == '\n')
					*e = ' ';
			}
			*--e = '\0';
			if (passexpcode == 1) {
				/* expired but still changeable: only logged, login continues */
				log("Password expired %s: %.100s", pw->pw_name, expiresmsg);
			} else {
				log("Password expired too long or system failure %s: %.100s",
				    pw->pw_name, expiresmsg);
				return 0;
			}
		}
	}
#endif /* WITH_AIXAUTHENTICATE */

 * expires      Defines the expiration time for the user account.
 *              Possible values: a valid date in the form MMDDHHMMYY or 0.
 *              If 0 the account does not expire. If 0101000070 the account
 *              is disabled. The range for YY is:
 *                  00 - 38   years 2000 thru 2038
 *                  39 - 99   years 1939 thru 1999
 *
 * histexpire   Defines the period of time in weeks that a user
 *              will not be able to reuse a password.
 *              Possible values: an integer value between 0 and 260.
 *              26 (approximately 6 months) is the recommended value.
 *
 * maxexpired   Defines the maximum number of weeks after maxage that an expired
 *              password can be changed by a user. The default is -1, which
 *              is equivalent to unlimited. Range: -1 to 52. maxage must
 *              be greater than 0 for maxexpired to be enforced. (root is
 *              exempt from maxexpired.)
 *

-------------------------------------------------------------------------------
Base Operating System and Extensions Technical Reference, Volume 1
-------------------------------------------------------------------------------

passwdexpired Subroutine

Purpose

Checks the user's password to determine if it has expired.

Syntax

passwdexpired (UserName, Message)
char *UserName;
char **Message;

Description

The passwdexpired subroutine checks a user's password to determine if it has
expired. The subroutine checks the registry variable in the /etc/security/user
file to ascertain where the user is administered. If the registry variable is
not defined, the passwdexpired subroutine checks the local, NIS, and DCE
databases for the user definition and expiration time.

The passwdexpired subroutine may pass back informational messages, such as how
many days remain until password expiration.

Parameters

UserName   Specifies the user's name whose password is to be checked.

Message    Points to a pointer that the passwdexpired subroutine allocates memory
           for and fills in. This string is suitable for printing and issues
           messages, such as in how many days the password will expire.

Return Values

Upon successful completion, the passwdexpired subroutine returns a value of 0.
If this subroutine fails, it returns one of the following values:

 1   Indicates that the password is expired, and the user must change it.

 2   Indicates that the password is expired, and only a system administrator may
     change it.

-1   Indicates that an internal error has occurred, such as a memory allocation
     (malloc) failure or database corruption.

Error Codes

The passwdexpired subroutine fails if one or more of the following values is
true:

ENOENT   Indicates that the user could not be found.

EPERM    Indicates that the user did not have permission to check password
         expiration.

ENOMEM   Indicates that memory allocation (malloc) failed.

EINVAL   Indicates that the parameters are not valid.

Implementation Specifics

This subroutine is part of Base Operating System (BOS) Runtime.

Related Information

The authenticate subroutine.
The login command.
-------------------------------------------------------------------------------

Mark Pitt
SP Administrator
IBM, Campus Winterthur
058-333-1542
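An added example, not code from OpenSSH or AIX, that models the expiry rules quoted in the post and the accept/deny gate the patch adds after loginrestrictions. aix_passwd_state() is an assumed stand-in for libc's passwdexpired(): it takes maxage/maxexpired (weeks) and the password age directly instead of a user name, and the boundary handling is the model's own.

```c
/* Added example, not code from OpenSSH or AIX: models the expiry rules quoted
 * in this thread. aix_passwd_state() stands in for libc's passwdexpired() and
 * takes the maxage/maxexpired settings and the password age directly. */
#include <string.h>

#define WEEK_SECONDS (7L * 24 * 60 * 60)

/* Same codes as passwdexpired(): 0 ok, 1 expired (user may still change it),
 * 2 expired past the maxexpired grace window (admin only), -1 bad input. */
int aix_passwd_state(int maxage, int maxexpired, long pw_age_seconds)
{
    long age_weeks;
    if (maxage < 0 || maxexpired < -1 || pw_age_seconds < 0)
        return -1;
    if (maxage == 0)                       /* maxage 0: never expires */
        return 0;
    age_weeks = pw_age_seconds / WEEK_SECONDS;
    if (age_weeks < maxage)
        return 0;
    if (maxexpired == -1)                  /* default: unlimited grace */
        return 1;
    if (age_weeks < maxage + maxexpired)   /* still inside grace window */
        return 1;
    return 2;
}

/* Put a multi-line AIX message on one log line. Only a trailing newline is
 * dropped, so a message without one keeps its last character (the patch's
 * "*--p = '\0'" would cut it off). */
void flatten_msg(char *msg)
{
    size_t n = strlen(msg), i;
    if (n && msg[n - 1] == '\n')
        msg[--n] = '\0';
    for (i = 0; i < n; i++)
        if (msg[i] == '\n')
            msg[i] = ' ';
}

/* Gate the patch adds after loginrestrictions(): 1 = allow, 0 = deny.
 * Fails closed on -1 (internal error), which the posted code does not. */
int aix_login_allowed(int login_restricted, int passexpcode)
{
    if (login_restricted != 0)
        return 0;
    if (passexpcode == 2 || passexpcode == -1)
        return 0;
    return 1;                              /* 0 and 1 fall through to login */
}
```

With maxage=5 and maxexpired=1 the model reports 0 at four weeks, 1 at five and 2 at six, so the sixth week is where the account locks without any administrator action.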
mouring at etoh.eviladmin.org
2001-Nov-05 16:00 UTC
Security - ssh allows unintended access on AIX
If you wish us to consider a patch.. PLEASE provide it in unified diff
format.

- Ben

On Mon, 5 Nov 2001, Mark Pitt wrote:

> Under AIX there are three security settings:
>
> expires = a fixed date at which an account is no longer valid
> maxage= weeks before a password expires
> maxexpires=max weeks during which a password can be changed by a user after
> expiration AFTER WHICH ACCESS IS NOT ALLOWED
>
> Beauty of maxage with expires is, that no manual intervention is required
> to block inactive users.
> With maxage=5 and expires=1 an inactive user will be locked out after 6
> weeks, even if he knows the password, also you can avoid "smoking joes" or
> inactive accounts.
>
> loginrestrictions in auth.c checks everything EXCEPT this.
>
> Security problem is, this allows access when access should be denied.
> Default for expires is -1, which means a password will expire as in maxage,
> but the user can change his password at anytime, however once set, access
> should be denied.
>
> Being a simple soul, I have added a routine passwdexpires ( AIX Lib )
> directly after loginrestrictions with the same code. I think this should
> be urgently added to the code - hope this helps.
On Mon, 5 Nov 2001, Mark Pitt wrote:

> Being a simple soul, I have added a routine passwdexpires ( AIX Lib )
> directly after loginrestrictions with the same code. I think this should
> be urgently added to the code - hope this helps.

Could you send this as a unified diff (diff -u)? It makes it much easier to
review and merge.

-d

-- 
| By convention there is color,       \\ Damien Miller <djm at mindrot.org>
| By convention sweetness, By convention bitterness, \\ www.mindrot.org
| But in reality there are atoms and space - Democritus (c. 400 BCE)