I am in the process of introducing OpenSSH into our corporate environment. This environment includes Solaris / HP-UX / AIX and Linux.

We have had audit tell us we need to disable root logins through telnet... we can do this through the use of OpenSSH on all platforms except AIX. Apparently bug # 383 was supposed to take care of this, and I have downloaded the -current snapshot and tested, but remote root logins through SSH still do not work.

I have also tested the Commercial version of SSH and it works on there, so what are you guys doing different in your authenticate code??

Thanks

Donnie Cranford
Sr Unix Systems Admin
ING Americas

On Sat, Oct 12, 2002 at 05:40:23PM -0500, Donnie Cranford wrote:
> and tested but remote root logins through SSH still does not work.
>
> I have also tested the Commercial version of SSH and it works on there,
> so what are you guys doing different in your authenticate code??

grep -i permitrootlogin /etc/ssh/sshd_config

/fc

Sorry, ignore my previous comment ... after looking at the bug it's obviously more complex.

On Sun, 2002-10-13 at 00:40, Donnie Cranford wrote:
> I am in the process of introducing OpenSSH into our corporate environment.
> This environment includes Solaris / HP-UX / AIX and Linux
>
> We have had audit tell us we need to disable root logins through telnet...
> we can do this through the use of OpenSSH on all platforms except AIX
> apparently bug # 383 was supposed to take care of this and I have
> downloaded -current snapshot
> and tested but remote root logins through SSH still does not work.

I am running it at a multinational I work for, on AIX and HP, with Allow-root logins on 'without-password' (keyfiles only). It works perfectly... but you need to configure SSH without USE_AIX_AUTHENTICATION, otherwise it won't work...

If needed, contact me on Monday and I'll provide you with my install instructions and packages if you want..

--
Mark Janssen -- maniac(at)maniac.nl -- GnuPG Key Id: 357D2178
Unix / Linux, Open-Source and Internet Consultant @ SyConOS IT
Maniac.nl Unix-God.Net|Org MarkJanssen.org|nl SyConOS.com|nl

Yep, just noticed this and sure enough you are right. I implemented the patch and sure enough I am able to ssh in as root with remote login as root disabled... I am happy / Audit is happy / and my company will be happy that we saved 125,000 + in license fees.

I think this code needs to be put into the default codebase, AIX admins like myself would die for this code.

Thanks

Donnie Cranford
Sr Unix Systems Admin
ING Americas

Darren Tucker wrote:
>Donnie Cranford wrote:
>
>>Isn't this patch included in the current 3.5p1 cvs??
>
>No, as far as I know the patch is in bugzilla only.
>
>The patch has:
>    if ((pw->pw_uid != 0) && (loginrestrictions(pw->pw_name,...
>
>CVS has:
>    if (loginrestrictions(pw->pw_name,...

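The difference between the two conditions quoted above, modelled as an added example (not code from OpenSSH or from anyone in this thread). `mock_loginrestrictions`, the `user` struct and the sample accounts are hypothetical stand-ins, and a non-zero return is assumed to mean the login is refused.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Constructed stand-in for one AIX user record; rlogin mirrors the
 * per-user "remote login allowed" setting that audit wants off for root. */
struct user { const char *name; uid_t uid; int rlogin; };

static const struct user users[] = {   /* constructed sample data */
    { "root",  0,   0 },  /* remote login disabled (blocks telnet) */
    { "alice", 201, 1 },
    { "bob",   202, 0 },  /* ordinary account barred from remote login */
};

/* Hypothetical mock of the OS check: 0 = allowed, non-zero = restricted.
 * It is NOT the AIX loginrestrictions() API, only a model of its verdict. */
static int mock_loginrestrictions(const char *name) {
    for (size_t i = 0; i < sizeof users / sizeof users[0]; i++)
        if (strcmp(users[i].name, name) == 0)
            return users[i].rlogin ? 0 : -1;
    return -1;  /* unknown user: fail closed */
}

/* "CVS has": every account, root included, is subject to the OS check. */
int allowed_cvs(const struct user *u) {
    if (mock_loginrestrictions(u->name) != 0)
        return 0;
    return 1;
}

/* "The patch has": uid 0 skips the OS check, so root access is decided
 * only by sshd's own PermitRootLogin handling (not modelled here). */
int allowed_patched(const struct user *u) {
    if ((u->uid != 0) && (mock_loginrestrictions(u->name) != 0))
        return 0;
    return 1;
}

const struct user *sample_user(size_t i) { return &users[i]; }

int main(void) {
    for (size_t i = 0; i < sizeof users / sizeof users[0]; i++)
        printf("%-6s cvs=%d patched=%d\n", users[i].name,
               allowed_cvs(&users[i]), allowed_patched(&users[i]));
    return 0;
}
```

With the patched condition the OS-level restriction no longer applies to root over SSH, so `PermitRootLogin` in `sshd_config` becomes the only control on root logins and should be set deliberately (for example the keyfiles-only `without-password` mentioned earlier in the thread).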
With all this talk about how BADLY this is needed, is there a reason this didn't go into OpenSSH 3.5? If it's possible... since we are about to roll this out, could we get something that includes this patch? Maybe an early release of 3.6 or a 3.5.1 to include the AIX root login support??

Please... Pretty Please

Thanks

Donnie Cranford
Sr. Unix Systems Admin
ING Americas

Darren Tucker wrote:
>Donnie Cranford wrote:
>
>>Isn't this patch included in the current 3.5p1 cvs??
>
>No, as far as I know the patch is in bugzilla only.
>
>The patch has:
>    if ((pw->pw_uid != 0) && (loginrestrictions(pw->pw_name,...
>
>CVS has:
>    if (loginrestrictions(pw->pw_name,...

>Committed, Thanks.
>
>As for the question about a new release. No. But I did commit it to the
>V4_5_0 branch along with the --head.
>
>- Ben

Ok, so it's not in 3.5p1, but what is the V4_5_0 branch, and is there a branch that I can pull from that will include this patch and be deployable to all systems until it is released in 3.6???

Thanks

Donnie Cranford
Sr Unix Systems Admin
ING Americas

Darren Tucker wrote:
>Donnie Cranford wrote:
>
>>Isn't this patch included in the current 3.5p1 cvs??
>
>No, as far as I know the patch is in bugzilla only.
>
>The patch has:
>    if ((pw->pw_uid != 0) && (loginrestrictions(pw->pw_name,...
>
>CVS has:
>    if (loginrestrictions(pw->pw_name,...

On Tue, 15 Oct 2002, Donnie Cranford wrote:
> >Committed, Thanks.
> >
> >As for the question about a new release. No. But I did commit it to the
> >V4_5_0 branch along with the --head.
> >
> >- Ben
>
> Ok, so it's not in 3.5p1 but what is the V4_5_0 branch and is there a
> branch that I can pull from that will include this patch and be
> deployable to all systems until it is released in 3.6???

Mean V_3_5 and it is also in --head. Which means it will end up in 3.6 and if we do a 3.5p2 release it will end up in that release.

- Ben

Donnie Cranford wrote:
> With all this talk about how BADLY this is needed, is there a reason
> this didn't go into OpenSSH 3.5?

I think 3.5p1 had already been tagged before we started discussing the patch.

> If it's possible...since we are about to
> roll this out could we get something that includes this patch? Maybe an
> early release of 3.6 or a 3.5.1 to include the AIX root login support??

If this is such a big deal for you, why not apply the patch to 3.5p1 before rolling it out? Ben has already indicated that future versions will include it.

--
Darren Tucker (dtucker at zip.com.au)
GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

Ok, I'm now pulling the V3_5_0 branch via CVS, but now that I have it down I need further instructions... do I need to install autoconf?

Thanks

Donnie

> Donnie Cranford wrote:
> > With all this talk about how BADLY this is needed, is there a reason
> > this didn't go into OpenSSH 3.5?
>
> I think 3.5p1 had already been tagged before we started discussing the
> patch.
>
> > If it's possible...since we are about to
> > roll this out could we get something that includes this patch? Maybe an
> > early release of 3.6 or a 3.5.1 to include the AIX root login support??
>
> If this is such a big deal for you, why not apply the patch to 3.5p1
> before rolling it out? Ben has already indicated that future versions
> will include it.
>
> --
> Darren Tucker (dtucker at zip.com.au)
> GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
> Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.