[Bug 1284] allow sftp when rlogin=false

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Mon Mar 2 07:17:26 AEDT 2015 

https://bugzilla.mindrot.org/show_bug.cgi?id=1284

Michael Felt <aixtools at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |aixtools at gmail.com

--- Comment #1 from Michael Felt <aixtools at gmail.com> ---
Just thought it could be useful to review the current situation.

re: (openssh-aix's patch is actually buggy as described at: "Bypasses
rlogin=false" at
http://sourceforge.net/tracker/index.php?func=detail&aid=1346058&group_id=127997&atid=710254)

This is not an openssh (aix patch bug) - it works as designed.
a) by default, for all users other than root "rlogin=false" blocks a
user from logging in using openssh.
b) by design, the default behavior for root is to look at the
combination of
PermitRootLogin (default yes)
and
UseLogin (default no)

* When both are at default, root login is permitted.
* When rlogin=false (for root) and UseLogin=true - login is not
permitted
* When PermitRootLogin=no - login by root is not permitted

So, perhaps a documentation update in the AIX section, if it exists,
reminding/pointing at UseLogin is an improvement.

re: "sftp login allowed when rlogin=false" at
http://sourceforge.net/tracker/index.php?func=detail&aid=1552074&group_id=127997&atid=710254

This could still be considered a bug. If you follow the link - a
successful connection via sftp is permitted IF an active ftp connection
would also be successful. On AIX, ftp does not look at
/etc/security/users rlogin setting - instead it is looking at
/etc/ftpusers.

Currently on AIX, when /etc/ftpusers contains "root", root is not
permitted to connect. Not even the password is requested. Denial is
immediate.

Using sftp - 
* when PermitRootLogin=no - connection is denied - per design
* when PermitRootLogin=yes, regardless of UseLogin setting and
/etc/ftpusers content - root access is permitted.

The "bug" is that sftp is not (also) examining /etc/ftpusers - to mimic
ftp behavior - which seems to be the expectation of the aix-patch
discussion from the link above.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

More information about the openssh-bugs mailing list