
#1 root login not possible with rlogin=false

Status: closed-accepted
Owner: nobody
Labels: None
Priority: 5
Updated: 2005-03-11
Created: 2005-03-08
Creator: Anonymous
Private: No

After upgrading to openssh 3.8.0.5202 (OpenSSH_3.8.1p1),
we are no longer able to do direct root logins via ssh.
We use "PermitRootLogin without-password" in sshd_config
and rlogin=false in /etc/security/user.

With previous versions of SSH on AIX, we successfully used
this configuration to ensure that root logins via telnet are
disabled, but administration of our server farm is still possible
by distributing remote root commands with ssh.

I am not an experienced C coder, but according to my
understanding, your patch seems to change auth.c to read like

#ifdef WITH_AIXAUTHENTICATE
	/*
	 * Don't check loginrestrictions() for root account (use
	 * PermitRootLogin to control logins via ssh), or if running as
	 * non-root user (since loginrestrictions will always fail). Cache
	 * the "rlogin" value to be used in session.c to allow sftp when
	 * rlogin = false
	 */
	if (geteuid() == 0) {

Before applying your patch, this code read like

#ifdef WITH_AIXAUTHENTICATE
	/*
	 * Don't check loginrestrictions() for root account (use
	 * PermitRootLogin to control logins via ssh), or if running as
	 * non-root user (since loginrestrictions will always fail).
	 */
	if ((pw->pw_uid != 0) && (geteuid() == 0)) {

This makes the PermitRootLogin parameter practically
useless in our environment. Could you please fix this, so that
we can keep the feature of direct root logins with rlogin=false?

Thanks in advance,
Michael Bausch
mbausch at de dot ibm dot com
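The two guards quoted in the report, modelled as an added example (constructed here, not OpenSSH's auth.c or IBM's patch): the old guard skips loginrestrictions() for uid 0, so root with rlogin=false is still admitted once PermitRootLogin is satisfied, while the patched guard consults it for every account when sshd runs as root. The function and field names are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the sshd/AIX decision described in the report; it is
 * an added illustration, not OpenSSH code. Names here are assumptions. */
typedef struct {
    const char *name;
    unsigned int uid;
    bool rlogin;            /* the rlogin attribute from /etc/security/user */
} account;

/* Stand-in for AIX loginrestrictions(): rlogin=false refuses remote logins. */
static bool aix_login_restricted(const account *acct)
{
    return !acct->rlogin;
}

/* check_root_too=false models the original guard
 *   if ((pw->pw_uid != 0) && (geteuid() == 0))
 * check_root_too=true models the patched guard
 *   if (geteuid() == 0)
 * permit_root_login models PermitRootLogin being satisfied (e.g. a public
 * key under "without-password"); sshd_euid_root stands for geteuid() == 0. */
bool ssh_login_allowed(const account *acct, bool sshd_euid_root,
                       bool check_root_too, bool permit_root_login)
{
    if (acct->uid == 0 && !permit_root_login)
        return false;                       /* sshd's own root gate */
    bool consult_aix = check_root_too ? sshd_euid_root
                                      : (acct->uid != 0 && sshd_euid_root);
    if (consult_aix && aix_login_restricted(acct))
        return false;                       /* refused by loginrestrictions() */
    return true;
}

int main(void)
{
    /* Constructed sample accounts; root has rlogin=false as in the report. */
    const account root = { "root", 0, false };
    const account ops  = { "ops", 501, false };
    const account dev  = { "dev", 502, true };
    const account *users[] = { &root, &ops, &dev };
    for (int i = 0; i < 3; i++)
        printf("%-5s old guard: %-7s  new guard: %s\n", users[i]->name,
               ssh_login_allowed(users[i], true, false, true) ? "allowed" : "denied",
               ssh_login_allowed(users[i], true, true, true) ? "allowed" : "denied");
    return 0;
}
```

Only the root row changes between the two guards; non-root accounts with rlogin=false were refused before the patch as well.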

Discussion

  • ssh

    ssh - 2005-03-09

    Logged In: YES
    user_id=1169276

    Well, the main objective of this new feature was to make
    "sftp" work like "ftp" and "ssh" work like "telnet". On AIX,
    the login process states that, the user is not allowed to
    login when the "rlogin" flag is set to false in
    "/etc/security/user". We need to adhere to the AIX login
    process and hence we made this change.

    Hope this helps.

  • ssh

    ssh - 2005-03-10

    Logged In: YES
    user_id=1169276

    I have created the patch for AIX 5.1, 5.2 and 5.3 for those
    who would require "PermitRootLogin" to override "rlogin"
    flag. You need to download the sshd.gz file and run "gunzip"
    to extract the sshd binary. Pls modify the permissions.

  • Nobody/Anonymous

    Logged In: NO

    We successfully tested this patch on AIX 5.1, 5.2 and 5.3.
    Thank you very much. This makes our daily work easier :-)

    Michael Bausch

  • ssh

    ssh - 2005-03-11
    • status: open --> closed-accepted