[openssh-unix-dev] Functionality bug (possibly) in openssh on AIX 4.3 (fwd)

David Bronder david-bronder at uiowa.edu
Fri Apr 27 09:42:31 EST 2001


I haven't tried the patch (still fighting another possibly-AIX problem
that I haven't seen other reports of yet).  But I'd recommend against
this patch, at least as a default.

What he is proposing is for OpenSSH to disregard a system-wide policy
decision -- that root should not be permitted to directly log in from
the network.  There are more reasons to disable remote logins as root
(vs. normal login then su) than just to prevent plaintext use of the
root password; for example, audit trails for a group of admins or site
security policies.  This patch would violate the expected behavior of
the system.

A good compromise would probably be to make it a configure-time feature
that also required a run-time config option to enable it (defaulting to
the current and expected behavior).  That way, it's only active if the
admin consciously chooses it.

=Dave

mouring at etoh.eviladmin.org wrote:
> 
> 
> Has anyone else running AIX tried this patch?  I'm looking for feedback
> if it should be applied before we release 2.9p1.
> 
> - Ben
> 
> ---------- Forwarded message ----------
> Date: Tue, 24 Apr 2001 17:22:02 -0800 (AKDT)
> From: mikem at alaska.net
> To: openssh-unix-dev at mindrot.org
> Subject: Functionality bug (possibly) in openssh on AIX 4.3
> 
> 
> Hi Folks,
> 
> While compiling and testing openssh-2.5.2p2 on various AIX platforms, I've
> found that ssh will not accept root (based on ssh key credentials) logins
> at all if the AIX security features have been set to disallow remote root
> logins.  If I disable the AIX security feature (enable remote root
> logins), I can then do bad things like rsh, telnet, etc. into the box as
> root.
> 
> [...]
> 


-- 
Hello World.                                    David Bronder - Systems Admin
Segmentation Fault                                     ITS-SPA, Univ. of Iowa
Core dumped, disk trashed, quota filled, soda warm.   david-bronder at uiowa.edu