[Bug 1284] allow sftp when rlogin=false
bugzilla-daemon at mindrot.org
Mon Mar 2 07:17:26 AEDT 2015
https://bugzilla.mindrot.org/show_bug.cgi?id=1284
Michael Felt <aixtools at gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |aixtools at gmail.com
--- Comment #1 from Michael Felt <aixtools at gmail.com> ---
Just thought it could be useful to review the current situation.
re: (openssh-aix's patch is actually buggy as described at: "Bypasses
rlogin=false" at
http://sourceforge.net/tracker/index.php?func=detail&aid=1346058&group_id=127997&atid=710254)
This is not an openssh (aix patch bug) - it works as designed.
a) by default, for all users other than root "rlogin=false" blocks a user from logging in using openssh.
b) by design, the default behavior for root is to look at the combination of
   PermitRootLogin (default yes)
   and
   UseLogin (default no)
   * When both are at default, root login is permitted.
   * When rlogin=false (for root) and UseLogin=true - login is not permitted.
   * When PermitRootLogin=no - login by root is not permitted.
So, perhaps a documentation update in the AIX section, if it exists,
reminding/pointing at UseLogin is an improvement.
re: "sftp login allowed when rlogin=false" at
http://sourceforge.net/tracker/index.php?func=detail&aid=1552074&group_id=127997&atid=710254
This could still be considered a bug. If you follow the link - a
successful connection via sftp is permitted IF an active ftp connection
would also be successful. On AIX, ftp does not look at
/etc/security/users rlogin setting - instead it is looking at
/etc/ftpusers.
Currently on AIX, when /etc/ftpusers contains "root", root is not
permitted to connect. Not even the password is requested. Denial is
immediate.
Using sftp -
* when PermitRootLogin=no - connection is denied - per design
* when PermitRootLogin=yes, regardless of UseLogin setting and
/etc/ftpusers content - root access is permitted.
The "bug" is that sftp is not (also) examining /etc/ftpusers - to mimic
ftp behavior - which seems to be the expectation of the aix-patch
discussion from the link above.
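The decision table laid out in this comment (PermitRootLogin and UseLogin for ssh, /etc/ftpusers for classic ftp, and sftp following only PermitRootLogin) can be turned into a small audit script an AIX administrator runs against the real files. The script below is an added example written for this page; it is not code from the bug report, the aix-patch, or OpenSSH. It assumes the paths to sshd_config and ftpusers are passed as arguments, that the root account's rlogin attribute is supplied by the caller (on AIX it is the value shown by `lsuser -a rlogin root`), and it reads sshd keywords with the simplification that the first uncommented occurrence wins and Match blocks are ignored. The sample files it creates are constructed for the demonstration.

```shell
#!/bin/sh
# Constructed example: does root reach sftp although ftp would refuse it?

# Read an sshd_config keyword (case-insensitive, first uncommented match
# wins, as sshd does); print the default ($3) when the keyword is absent.
sshd_opt() {
    # $1 = sshd_config path, $2 = keyword, $3 = default value
    val=$(awk -v k="$2" 'tolower($1)==tolower(k) {print tolower($2); exit}' "$1")
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# True when the user is listed in an ftpusers file (comments ignored).
in_ftpusers() {
    # $1 = ftpusers path, $2 = user name
    grep -v '^[[:space:]]*#' "$1" | grep -qx "$2"
}

# Classic ftp on AIX, as described in the comment: /etc/ftpusers decides.
root_ftp_allowed() {
    ! in_ftpusers "$1" root
}

# sftp, as described in the comment: only PermitRootLogin is consulted;
# UseLogin and /etc/ftpusers play no part.
root_sftp_allowed() {
    [ "$(sshd_opt "$1" PermitRootLogin yes)" != "no" ]
}

# Interactive ssh login for root, as described in the comment.
# $2 = root's rlogin attribute, "true" or "false" (assumption: supplied by
# the caller from `lsuser -a rlogin root`; UseLogin is compared as "yes",
# the sshd_config spelling of the comment's "UseLogin=true").
root_ssh_login_allowed() {
    prl=$(sshd_opt "$1" PermitRootLogin yes)
    ul=$(sshd_opt "$1" UseLogin no)
    [ "$prl" = "no" ] && return 1
    [ "$2" = "false" ] && [ "$ul" = "yes" ] && return 1
    return 0
}

# Report the three outcomes and flag the ftp/sftp mismatch the comment calls a bug.
audit_root_access() {
    # $1 = sshd_config, $2 = ftpusers, $3 = root rlogin attribute
    if root_ssh_login_allowed "$1" "$3"; then echo "ssh  login: root allowed"; else echo "ssh  login: root denied"; fi
    if root_ftp_allowed "$2";            then echo "ftp  login: root allowed"; else echo "ftp  login: root denied"; fi
    if root_sftp_allowed "$1";           then echo "sftp login: root allowed"; else echo "sftp login: root denied"; fi
    if root_sftp_allowed "$1" && ! root_ftp_allowed "$2"; then
        echo "WARNING: root is in $2 but sftp still admits root (PermitRootLogin != no)"
        return 2
    fi
    return 0
}

# Constructed sample files (not a real host's configuration).
TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT
SSHD_CFG="$TMPD/sshd_config"
FTPUSERS="$TMPD/ftpusers"
cat > "$SSHD_CFG" <<'EOF'
# constructed sshd_config fragment
Port 22
#PermitRootLogin no
PermitRootLogin yes
UseLogin no
Subsystem sftp /usr/sbin/sftp-server
EOF
cat > "$FTPUSERS" <<'EOF'
# constructed /etc/ftpusers
root
EOF

# Usage on a real AIX host would be:
#   audit_root_access /etc/ssh/sshd_config /etc/ftpusers "$(lsuser -a rlogin root | sed 's/.*=//')"
audit_root_access "$SSHD_CFG" "$FTPUSERS" false || true
```

With the constructed files the script reports root denied for ftp but allowed for ssh and sftp, which is exactly the mismatch described above; changing PermitRootLogin to no in the config is the one setting that closes sftp to root.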
--
You are receiving this mail because:
You are watching the assignee of the bug.