bugzilla-daemon at mindrot.org
2002-Aug-22 21:46 UTC
[Bug 383] PublicKeyAuthentication failure when rlogin set to false
http://bugzilla.mindrot.org/show_bug.cgi?id=383

------- Additional Comments From markus at openbsd.org 2002-08-23 07:46 -------
what does "rlogin set to false" mean?

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2002-Aug-22 22:35 UTC
[Bug 383] PublicKeyAuthentication failure when rlogin set to false
http://bugzilla.mindrot.org/show_bug.cgi?id=383

------- Additional Comments From jim.a.davidson at bt.com 2002-08-23 08:35 -------
On an AIX system, if chuser rlogin=false <account> is set then it is no longer possible using PublicKeyAuthentication to issue ssh <command> or scp using that account. We need to be able to do this.
bugzilla-daemon at mindrot.org
2002-Aug-23 00:03 UTC
[Bug 383] PublicKeyAuthentication failure when rlogin set to false
http://bugzilla.mindrot.org/show_bug.cgi?id=383

------- Additional Comments From mouring at eviladmin.org 2002-08-23 10:03 -------
My suggestion is the following (since I'm not 100% up to speed on AIX).

Do sshd -d -d -d with rlogin=false, then rerun it with rlogin=true. Diff the two and hopefully that will narrow down the differences.

- Ben
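
The comparison Ben suggests above, as an added shell example that is not part of the original thread: it masks the values that differ on every connection before diffing, so only the lines that depend on the account setting remain. The function names are hypothetical and the sample log lines are constructed, apart from the "Login restricted" message quoted later in this thread.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; the sample log lines are
# constructed, except the "Login restricted" message quoted in this thread.

# Mask values that change on every connection so only real differences remain.
normalize_debug_log() {
    sed -e 's/port [0-9][0-9]*/port N/g' \
        -e 's/pid [0-9][0-9]*/pid N/g' "$1"
}

# Print lines found in only one log: "<" = first file, ">" = second file.
debug_log_delta() {
    normalize_debug_log "$1" > "$1.norm"
    normalize_debug_log "$2" > "$2.norm"
    diff "$1.norm" "$2.norm" | grep '^[<>]' || true
}

# Constructed stand-ins for the stderr saved from each "sshd -d -d -d" run.
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

cat > "$workdir/rlogin_false.log" <<'EOF'
Connection from 192.0.2.10 port 40211
debug1: userauth-request for user root service ssh-connection method publickey
Login restricted for root: 3004-306 Remote logins are not allowed for this account.
EOF

cat > "$workdir/rlogin_true.log" <<'EOF'
Connection from 192.0.2.10 port 40987
debug1: userauth-request for user root service ssh-connection method publickey
Accepted publickey for root from 192.0.2.10 port 40987 ssh2
EOF

debug_log_delta "$workdir/rlogin_false.log" "$workdir/rlogin_true.log"
```

Without the normalization step the "Connection from" lines would also show up as a difference, because the client port changes on every connection.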
bugzilla-daemon at mindrot.org
2002-Aug-23 02:24 UTC
[Bug 383] PublicKeyAuthentication failure when rlogin set to false
http://bugzilla.mindrot.org/show_bug.cgi?id=383

------- Additional Comments From dtucker at zip.com.au 2002-08-23 12:24 -------
Here's the reason from the log:
"Login restricted for root: 3004-306 Remote logins are not allowed for this account."

What version are you upgrading from? All versions I checked back to 2.1.1p4 contained the following test in auth.c:

    if (loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &loginmsg) != 0) {
    [snip]
            log("Login restricted for %s: %.100s", pw->pw_name, loginmsg);
    }

To me it seems to be working like it should: if you disable remote logins you can't log in remotely.
bugzilla-daemon at mindrot.org
2002-Aug-23 02:49 UTC
[Bug 383] PublicKeyAuthentication failure when rlogin set to false
http://bugzilla.mindrot.org/show_bug.cgi?id=383

------- Additional Comments From dtucker at zip.com.au 2002-08-23 12:49 -------
Ah, I think I know why you're seeing it now. Were your previous binaries compiled on AIX 4.2 perchance?

The loginrestrictions() test is wrapped inside "#ifdef WITH_AIXAUTHENTICATE". Configure defines that if it can find the function "authenticate". On 4.2, authenticate is in libs.a. On 4.3, it's in libc.a. Configure didn't check in libs.a.

The upshot is if you compile 3.4p1 or below on AIX 4.2, WITH_AIXAUTHENTICATE doesn't get defined and the loginrestrictions() test doesn't get compiled in.

In -cvs, configure has been fixed to look in libs.a if necessary, so behaviour will be consistent between AIX versions.

The quick way to get the behaviour you want is to set "#define WITH_AIXAUTHENTICATE 0" in config.h after running configure, then recompile. This is probably not a long-term solution as it also disables other things (eg lockout on bad logins and logging of successful logins). You may need to rethink your strategy.
bugzilla-daemon at mindrot.org
2002-Aug-23 07:22 UTC
[Bug 383] PublicKeyAuthentication failure when rlogin set to false
http://bugzilla.mindrot.org/show_bug.cgi?id=383

------- Additional Comments From jim.a.davidson at bt.com 2002-08-23 17:22 -------
We do not use password authentication for this account. On HP, OSF/1 and Solaris machines, if root account is set to only login on the console, then we authenticate in the normal way (using PublicKeyAuthentication) and can then issue ssh <command> or scp using root account on that machine. It is only with AIX that we see this being rejected.

Is there a particular reason why AIX is unique in this behaviour?

Thanks.
bugzilla-daemon at mindrot.org
2002-Aug-23 08:09 UTC
[Bug 383] PublicKeyAuthentication failure when rlogin set to false
http://bugzilla.mindrot.org/show_bug.cgi?id=383 ------- Additional Comments From j.petersen at msh.de 2002-08-23 18:09 ------- This ist my Workaround: --- auth.c.orig Wed Oct 3 19:55:27 2001 +++ auth.c Mon Nov 12 10:43:49 2001 @@ -158,7 +158,7 @@ } #ifdef WITH_AIXAUTHENTICATE - if (loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &loginmsg) != 0) { + if ((pw->pw_uid != 0) && (loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &loginmsg) != 0)) { if (loginmsg && *loginmsg) { /* Remove embedded newlines (if any) */ char *p; Not accepted by OpenSSH-developers, but what most AIX-Admins seem to need: Close out root by all AIX-means, but let him in by ssh-only... ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.
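
Review bot: the `(pw->pw_uid != 0) &&` guard on the changed `if` line exempts every uid-0 account from loginrestrictions() unconditionally, so for those accounts nothing that call would report is enforced and loginmsg is never filled in for the code below it. The exemption is hard-coded with no comment explaining it; add a comment above the `if` stating why uid 0 is skipped, and consider making the bypass depend on sshd's own root-login policy (the PermitRootLogin setting) instead of applying it in every configuration. The extra parentheses around each operand are not needed.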
bugzilla-daemon at mindrot.org
2002-Aug-24 04:13 UTC
[Bug 383] PublicKeyAuthentication failure when rlogin set to false
http://bugzilla.mindrot.org/show_bug.cgi?id=383

------- Additional Comments From dtucker at zip.com.au 2002-08-24 14:13 -------
The more I think about it, the more I like Jörg's uid != 0 patch.

Other platforms implement their own login controls for root (eg /etc/securetty or /etc/default/login) and sshd ignores them in favour of its own mechanism (PermitRootLogin).

I'm in favour of the patch. If required, you can still disable root logins via ssh by setting "PermitRootLogin no". What's the argument against it?