[Bug 1284] allow sftp when rlogin=false

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Wed Feb 14 00:55:21 EST 2007


http://bugzilla.mindrot.org/show_bug.cgi?id=1284

           Summary: allow sftp when rlogin=false
           Product: Portable OpenSSH
           Version: v4.5p1
          Platform: Other
        OS/Version: AIX
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: sshd
        AssignedTo: bitbucket at mindrot.org
        ReportedBy: dleonard at vintela.com


I was looking at the "OpenSSH on AIX" project patches on sourceforge,
and was interested to see this issue:

On AIX, you can set 'rlogin=false' on particular users and deny them
remote shell access. OpenSSH supports that. However, sftp is still a
desirable service to access, and is not considered a remote shell.
Currently, openssh denies any user with rlogin=false set. The
abbreviated patch below shows how the check was changed in the
openssh-aix project to support session and not subsystem denial. (not
shown is the global int rlogin):

--- openssh-4.3p2/openbsd-compat/port-aix.c     Sat May 28 19:54:28
2005
+++ 52/openbsd-compat/port-aix.c        Sun May 14 05:19:43 2006
@@ -231,231 +231,234 @@
                debug3("%s: not checking", __func__);
                return 1;
        }
+       if (getuserattr(pw->pw_name, S_RLOGINCHK, &rlogin, SEC_BOOL) ==
-1)
+               rlogin=1;

-       result = loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &msg);
+       result = loginrestrictions(pw->pw_name, 0, NULL, &msg);
        if (result == 0)
                permitted = 1;
        /*
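Review bot: On the added getuserattr() lines, a lookup failure sets rlogin=1, so an error reading S_RLOGINCHK silently permits remote login; consider failing closed, or at least logging the failure with debug3 as the context line above does. Changing the loginrestrictions() mode argument from S_RLOGIN to 0 also means this function no longer applies the remote-login restriction itself, so enforcement rests entirely on whatever later code reads the global rlogin. It is worth confirming that every path an rlogin=false account can take reaches that later check, and that the global is set in the same process that reads it.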
--- openssh-4.3p2/session.c     Tue Feb  7 17:18:55 2006
+++ 52/session.c        Sun May 14 05:19:16 2006
@@ -660,532 +666,672 @@
                debug("Forced command '%.900s'", command);
        }

+       /* if remote login is set to false in "/etc/security/user",
+       you should still be able to "sftp" but not "ssh" */
+         if (!rlogin) {
+                 if (!s->is_subsystem)
+                         packet_disconnect("Remote login for account
%.100s is
not allowed.", s->pw->pw_name);
+         }
+
  #ifdef SSH_AUDIT_EVENTS
        if (command != NULL)
                PRIVSEP(audit_run_command(command));
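Review bot: The added test "if (!s->is_subsystem)" exempts every subsystem request, not only sftp, so any subsystem configured on the server becomes reachable for an account with rlogin=false, while the comment above it promises only sftp. Suggest matching the sftp subsystem specifically rather than relying on is_subsystem. The block also reads the AIX-specific rlogin global in session.c with no platform guard visible in the hunk, and its space indentation differs from the tab-indented context lines around it.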

(Source:
http://sourceforge.net/project/showfiles.php?group_id=127997&package_id=144624&release_id=482265
)

I know that the above is an ugly solution and doesn't consider other
subsystem types (that may be session-like), but thought it would be
worth adding into bugzilla ... maybe someone can see a clean way of
supporting this.

(openssh-aix's patch is actually buggy as described at: "Bypasses
rlogin=false" at
http://sourceforge.net/tracker/index.php?func=detail&aid=1346058&group_id=127997&atid=710254
and "sftp login allowed when rlogin=false" at
http://sourceforge.net/tracker/index.php?func=detail&aid=1552074&group_id=127997&atid=710254
)



