After upgrading to openssh 3.8.0.5202 (OpenSSH_3.8.1p1),
we are no longer able to do direct root logins via ssh.
We use "PermitRootLogin without-password" in sshd_config
and rlogin=false in /etc/security/user .
With previous versions of SSH on AIX, we successfully used
this configuration to ensure that root logins via telnet are
disabled, but administration of our server farm is still possible
by distributing remote root commands with ssh.
I am not an experienced C coder, but according to my
understanding, your patch seems to change auth.c to read like

    #ifdef WITH_AIXAUTHENTICATE
        /*
         * Don't check loginrestrictions() for root account (use
         * PermitRootLogin to control logins via ssh), or if running as
         * non-root user (since loginrestrictions will always fail). Cache
         * the "rlogin" value to be used in session.c to allow sftp when
         * rlogin = false
         */
        if (geteuid() == 0) {
Before applying your patch, this code read like

    #ifdef WITH_AIXAUTHENTICATE
        /*
         * Don't check loginrestrictions() for root account (use
         * PermitRootLogin to control logins via ssh), or if running as
         * non-root user (since loginrestrictions will always fail).
         */
        if ((pw->pw_uid != 0) && (geteuid() == 0)) {
This makes the PermitRootLogin parameter practically
useless in our environment. Could you please fix this, so that
we can keep the feature of direct root logins with rlogin=false?
Thanks in advance,
Michael Bausch
mbausch at de dot ibm dot com
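As an added illustration (not OpenSSH's auth.c and not code from this bug report), the following C model compares the two guards quoted above for a root account that has rlogin=false; loginrestrictions() is simplified to a check of that flag only, and the separate PermitRootLogin evaluation is left out.

```c
/* Added model of the WITH_AIXAUTHENTICATE guard change described above.
 * Not OpenSSH code; loginrestrictions() is a deliberate simplification. */
#include <stdbool.h>
#include <stdio.h>

typedef struct {
    unsigned int uid;   /* pw->pw_uid of the account logging in */
    bool rlogin;        /* "rlogin" attribute from /etc/security/user */
} account_t;

/* Stand-in for AIX loginrestrictions(): assumed (simplification) to fail
 * only when the account's rlogin attribute is false. */
static bool loginrestrictions_ok(const account_t *acct)
{
    return acct->rlogin;
}

/* Pre-patch guard: check only non-root accounts, and only when sshd runs as root. */
static bool must_check_old(const account_t *acct, unsigned int sshd_euid)
{
    return acct->uid != 0 && sshd_euid == 0;
}

/* Patched guard: root is no longer exempt from the check. */
static bool must_check_new(unsigned int sshd_euid)
{
    return sshd_euid == 0;
}

/* True if the AIX login-restriction stage lets the account through.
 * `patched` selects which version of the guard is applied. */
bool aix_stage_allows(const account_t *acct, unsigned int sshd_euid, bool patched)
{
    bool check = patched ? must_check_new(sshd_euid)
                         : must_check_old(acct, sshd_euid);
    return !check || loginrestrictions_ok(acct);
}

int main(void)
{
    const account_t root_no_rlogin = { 0, false };    /* constructed sample */
    const account_t user_no_rlogin = { 1000, false }; /* constructed sample */
    printf("root, rlogin=false, old guard: %s\n",
           aix_stage_allows(&root_no_rlogin, 0, false) ? "allowed" : "denied");
    printf("root, rlogin=false, new guard: %s\n",
           aix_stage_allows(&root_no_rlogin, 0, true) ? "allowed" : "denied");
    printf("user, rlogin=false, old guard: %s\n",
           aix_stage_allows(&user_no_rlogin, 0, false) ? "allowed" : "denied");
    return 0;
}
```

With the old guard root passes this stage and PermitRootLogin decides; with the new guard root with rlogin=false is denied before PermitRootLogin is ever consulted.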
Logged In: YES
user_id=1169276
Well, the main objective of this new feature was to make
"sftp" work like "ftp" and "ssh" work like "telnet". On AIX,
the login process states that the user is not allowed to
login when the "rlogin" flag is set to false in
"/etc/security/user". We need to adhere to the AIX login
process and hence we made this change.
Hope this helps.
Logged In: YES
user_id=1169276
I have created the patch for AIX 5.1, 5.2 and 5.3 for those
who would require "PermitRootLogin" to override "rlogin"
flag. You need to download the sshd.gz file and run "gunzip"
to extract the sshd binary. Pls modify the permissions.
Logged In: NO
We successfully tested this patch on AIX 5.1, 5.2 and 5.3.
Thank you very much. This makes our daily work easier :-)
Michael Bausch