Hello everyone,

I have been given the task of working out a number of issues with OpenSSH for my company (Hertz).

I have been following the mailing list for several days now and I'm beginning to compile a list of who is working on what. To make my task faster, it would be nice if the people working on the following issues would drop me an email before I start to rewrite their code and get it wrong. :-)

I am dealing with AIX 4.3.3, AIX 5.x, and OpenSSH 2.5.1p1 and 2.9.9p2. I'm sure some of these issues have been fixed.

The issues are:

1. Allows login even though the password has expired, either from age or after being reset by a security analyst.

2. Doesn't update AIX's "failed login count"; consequently the ID is not locked after 5 invalid login attempts.

3. Doesn't record the failed login in AIX's failedlogin log.

4. Doesn't post logged-in users to the wtmp file, causing it to appear as if no one is logged in.

5. Corrupts the file that stores the last login date for users, making it impossible to lock or remove accounts for inactivity.

6. Doesn't honor /etc/ftpusers to restrict sftp access. Any user can use ftp through SSH.

7. Syslog entries for SSH login don't differentiate between SSH, SFTP, or other tunneled logins.

8. OpenSSH doesn't show user logouts in syslog like F-Secure does.

My first step is to move both environments to 3.4p1 and retest.
On 26 Jul 2002, Mark Grennan wrote:

> Hello everyone,
>
> I have been given the task of working out a number of issues with
> OpenSSH for my company (Hertz).
>
> I have been following the mailing list for several days now and I'm
> beginning to compile a list of who is working on what. To make my task
> faster, it would be nice if the people working on the following issues
> would drop me an email before I start to rewrite their code and get it
> wrong. :-)
>
> I am dealing with AIX 4.3.3, AIX 5.x, and OpenSSH 2.5.1p1 and 2.9.9p2.
> I'm sure some of these issues have been fixed.
>
> The issues are:
>
> 1. Allows login even though the password has expired either from age
> or after being reset by a security analyst.

This is an outstanding issue. I doubt this will be fixed by the 3.5 release, mainly because one has to do two different paths. The first would be for the v1 protocol (password change over TTY) and the other is v2 (password change via SSH_MSG_CHANGE_PASSWORD_REQ). The latter does not have a server-side framework, just client side.

> 2. Doesn't update AIX's "failed login count", consequently the ID is
> not locked after 5 invalid login attempts.
>
> 3. Doesn't record the failed login in AIX's failedlogin log.
>
> 4. Doesn't post logged in users to the wtmp file causing it to
> appear as if no one is logged in.

These should be fixed. I did not get around to setting up my 5.x/4.3.3 box that was donated to me for testing. (Tonight, I hope!)

> 5. Corrupts the file that stores the last login date for users
> making it impossible to lock or remove accounts for inactivity.

Not heard of this.

> 6. Doesn't honor the /etc/ftpusers to restrict sftp access. Any
> users can use ftp through SSH.

I believe we stated it was not correct to depend on /etc/ftpusers. Check the mailing list archives.

> 7. Syslog entries for SSH login don't differentiate between SSH,
> SFTP, or other tunneled logins.

Don't think it should. sftp is just like doing 'ssh remote /path/to/sftp-server'. Never looked at how tunneling is logged.

> 8. OpenSSH doesn't show user logouts in syslog like F-Secure does.
>
> My first step is to move both environments to 3.4p1 and retest.

Test with the current snapshots. There was a whole slew of fixes Daz, myself, and others have done since the 3.4 release. There are no new features in --current. It is all bug fixes, so it should be just as safe as 3.4.
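For items 6 and 7 in the list above, here is the kind of workaround an administrator can deploy without waiting for sshd to read /etc/ftpusers: point the sshd_config Subsystem directive at a small wrapper that consults a deny list and logs the sftp session under its own syslog tag before exec'ing the real sftp-server. This is an added example for this page, not code from the thread or from OpenSSH. The wrapper path, the sftp-server path, the deny-file format (one login name per line, '#' starts a comment) and the availability of logger(1) are all assumptions.

```shell
#!/bin/sh
# sftp-wrapper.sh: stand-in for sftp-server that honours an ftpusers-style
# deny list and logs sftp sessions with their own tag.
# Added example for this thread, not OpenSSH code. Assumed setup:
#   sshd_config:  Subsystem sftp /usr/local/libexec/sftp-wrapper.sh
#   SFTP_SERVER:  path of the real sftp-server (assumed location)
#   DENY_FILE:    one login name per line, '#' starts a comment

SFTP_SERVER=${SFTP_SERVER:-/usr/local/libexec/sftp-server}
DENY_FILE=${DENY_FILE:-/etc/ftpusers}

# sftp_denied USER FILE
# Returns 0 (true) when USER appears as a whole line in FILE, after
# stripping comments and trailing whitespace. A missing or unreadable
# file denies nobody, the usual deny-list semantics; return 0 there
# instead if you prefer to fail closed.
sftp_denied() {
    _user=$1
    _file=$2
    [ -r "$_file" ] || return 1
    # -x: whole-line match so "roo" never matches "root"; -F: no regex
    sed 's/#.*//; s/[[:space:]]*$//' "$_file" | grep -qxF -- "$_user"
}

# log_line USER VERDICT CLIENT
# Builds the syslog message. Carrying "sftp" and the verdict in the text
# lets SFTP sessions be separated from plain SSH logins when grepping.
log_line() {
    printf 'sftp session user=%s verdict=%s client=%s' "$1" "$2" "$3"
}

# run_wrapper: what sshd actually executes for the "sftp" subsystem.
# SSH_CONNECTION is set by sshd: client ip, client port, server ip, port.
run_wrapper() {
    _me=$(id -un)
    _client=${SSH_CONNECTION:-unknown}
    if sftp_denied "$_me" "$DENY_FILE"; then
        logger -p auth.notice -t sftp-wrapper "$(log_line "$_me" denied "$_client")"
        exit 1
    fi
    logger -p auth.info -t sftp-wrapper "$(log_line "$_me" allowed "$_client")"
    exec "$SFTP_SERVER"
}

# Run only when installed under the wrapper name; sourcing the file (or
# running it under another name) just defines the functions for testing.
case $0 in
    *sftp-wrapper*) run_wrapper ;;
esac
```

Two caveats a practitioner should keep in mind. First, sshd runs the Subsystem command through the user's login shell, so this only works for accounts that have a real shell. Second, as the reply to item 7 points out, sftp is just `ssh remote /path/to/sftp-server`; a user who can run commands can bypass the wrapper by invoking sftp-server directly, so the enforceable control is the file mode of the sftp-server binary (for example, executable only by a group of permitted users), with the wrapper providing the deny list and the distinct syslog entries on top of that.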
hi,

On Fri, Jul 26, 2002 at 02:31:23PM -0500, Mark Grennan wrote:

> 4. Doesn't post logged in users to the wtmp file causing it to
> appear as if no one is logged in.

I haven't seen this with OpenSSH 3.3p1 or 3.4p1 on AIX 4.2.x or 4.3.x. So maybe your version of OpenSSH is just too old.

gert
--
USENET is *not* the non-clickable part of WWW!                //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert.doering at physik.tu-muenchen.de
Mark....

At least on 5.1, OpenSSH is supported by IBM via its AIX support channels. You might want to also take these up via a PMR or two...

Mark Grennan wrote:

> Hello everyone,
>
> I have been given the task of working out a number of issues with
> OpenSSH for my company (Hertz).
>
> I have been following the mailing list for several days now and I'm
> beginning to compile a list of who is working on what. To make my task
> faster, it would be nice if the people working on the following issues
> would drop me an email before I start to rewrite their code and get it
> wrong. :-)
>
> I am dealing with AIX 4.3.3, AIX 5.x, and OpenSSH 2.5.1p1 and 2.9.9p2.
> I'm sure some of these issues have been fixed.
>
> The issues are:
>
> 1. Allows login even though the password has expired either from age
> or after being reset by a security analyst.
>
> 2. Doesn't update AIX's "failed login count", consequently the ID is
> not locked after 5 invalid login attempts.
>
> 3. Doesn't record the failed login in AIX's failedlogin log.
>
> 4. Doesn't post logged in users to the wtmp file causing it to
> appear as if no one is logged in.
>
> 5. Corrupts the file that stores the last login date for users
> making it impossible to lock or remove accounts for inactivity.
>
> 6. Doesn't honor the /etc/ftpusers to restrict sftp access. Any
> users can use ftp through SSH.
>
> 7. Syslog entries for SSH login don't differentiate between SSH,
> SFTP, or other tunneled logins.
>
> 8. OpenSSH doesn't show user logouts in syslog like F-Secure does.
>
> My first step is to move both environments to 3.4p1 and retest.
>
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

--
Steven A. Bade
UNIX Network Security
Cryptographic Strategy and Development Architecture
sbade at austin.ibm.com   T/L 678-4799   (512)-838-4799
--
To convert from Hogsheads to Cubic Feet - Multiply by 8.4219
"Two-way communication is necessary to proactively facilitate acceptance and involvement and to get insights about the journey it takes to get where we want"
this mess is so big and so bad and so tall, we cannot clean it up, there is no way at all (Cat in the Hat)