[Bug 1284] allow sftp when rlogin=false
bugzilla-daemon at mindrot.org
Wed Feb 14 00:55:21 EST 2007
http://bugzilla.mindrot.org/show_bug.cgi?id=1284
Summary: allow sftp when rlogin=false
Product: Portable OpenSSH
Version: v4.5p1
Platform: Other
OS/Version: AIX
Status: NEW
Severity: enhancement
Priority: P2
Component: sshd
AssignedTo: bitbucket at mindrot.org
ReportedBy: dleonard at vintela.com
I was looking at the "OpenSSH on AIX" project patches on sourceforge,
and was interested to see this issue:
On AIX, you can set 'rlogin=false' on particular users and deny them
remote shell access. OpenSSH supports that. However, sftp is still a
desirable service to access, and is not considered a remote shell.
Currently, OpenSSH denies any user with rlogin=false set. The
abbreviated patch below shows how the check was changed in the
openssh-aix project to deny sessions but not subsystems (the global
int rlogin is not shown):
--- openssh-4.3p2/openbsd-compat/port-aix.c Sat May 28 19:54:28
2005
+++ 52/openbsd-compat/port-aix.c Sun May 14 05:19:43 2006
@@ -231,231 +231,234 @@
debug3("%s: not checking", __func__);
return 1;
}
+ if (getuserattr(pw->pw_name, S_RLOGINCHK, &rlogin, SEC_BOOL) ==
-1)
+ rlogin=1;
- result = loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &msg);
+ result = loginrestrictions(pw->pw_name, 0, NULL, &msg);
if (result == 0)
permitted = 1;
/*
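Review bot: the new getuserattr() call fails open. On a -1 return the code does `rlogin=1;`, so a user whose rlogin attribute cannot be read is treated as permitted to log in remotely; the safer default on a lookup failure is rlogin=0 (deny). The same applies to the global itself: rlogin is only assigned after the "not checking" early return shown at the top of this hunk, so any caller that takes that return leaves the global at whatever value it last held, and its initializer (not shown here) decides whether that is permit or deny. Note also that changing `loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &msg)` to pass 0 removes the rlogin check from this function altogether, so the restriction is now enforced only by the later session.c check.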
--- openssh-4.3p2/session.c Tue Feb 7 17:18:55 2006
+++ 52/session.c Sun May 14 05:19:16 2006
@@ -660,532 +666,672 @@
debug("Forced command '%.900s'", command);
}
+ /* if remote login is set to false in "/etc/security/user",
+ you should still be able to "sftp" but not "ssh" */
+ if (!rlogin) {
+ if (!s->is_subsystem)
+ packet_disconnect("Remote login for account
%.100s is
not allowed.", s->pw->pw_name);
+ }
+
#ifdef SSH_AUDIT_EVENTS
if (command != NULL)
PRIVSEP(audit_run_command(command));
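Review bot: the exemption at `if (!s->is_subsystem)` is keyed on whether any subsystem was requested, not on which one, so every subsystem configured in sshd_config (not only sftp) bypasses rlogin=false; the check should compare the requested subsystem name against the sftp subsystem before allowing it. Because this check runs only when a session is started, it also does not replace the authentication-time decision that loginrestrictions() with S_RLOGIN used to make, which matters given that the port-aix.c hunk drops that mode. Finally, the `packet_disconnect("Remote login for account` / `%.100s is` / `not allowed."` call appears to have been line-wrapped in transit and should be a single string literal in the actual patch.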
(Source: http://sourceforge.net/project/showfiles.php?group_id=127997&package_id=144624&release_id=482265)
I know that the above is an ugly solution and doesn't consider other
subsystem types (that may be session-like), but thought it would be
worth adding into bugzilla ... maybe someone can see a clean way of
supporting this.
(openssh-aix's patch is actually buggy as described at: "Bypasses
rlogin=false" at
http://sourceforge.net/tracker/index.php?func=detail&aid=1346058&group_id=127997&atid=710254
and "sftp login allowed when rlogin=false" at
http://sourceforge.net/tracker/index.php?func=detail&aid=1552074&group_id=127997&atid=710254
)