[openssh-unix-dev] Functionality bug (possibly) in openssh on AIX 4.3 (fwd)
mouring at etoh.eviladmin.org
Fri Apr 27 09:40:31 EST 2001
Which is why I'm not really too eager to apply. Ignoring system policies
is not really the best thing.
- Ben
On Thu, 26 Apr 2001, David Bronder wrote:
> I haven't tried the patch (still fighting another possibly-AIX problem
> that I haven't seen other reports of yet). But I'd recommend against
> this patch, at least as a default.
>
> What he is proposing is for OpenSSH to disregard a system-wide policy
> decision -- that root should not be permitted to directly log in from
> the network. There are more reasons to disable remote logins as root
> (vs. normal login then su) than just to prevent plaintext use of the
> root password; for example, audit trails for a group of admins or site
> security policies. This patch would violate the expected behavior of
> the system.
>
> A good compromise would probably be to make it a configure-time feature
> that also required a run-time config option to enable it (defaulting to
> the current and expected behavior). That way, it's only active if the
> admin consciously chooses it.
>
> =Dave
>
> mouring at etoh.eviladmin.org wrote:
> >
> >
> > Has anyone else running AIX tried this patch? I'm looking for feedback
> > if it should be applied before we release 2.9p1.
> >
> > - Ben
> >
> > ---------- Forwarded message ----------
> > Date: Tue, 24 Apr 2001 17:22:02 -0800 (AKDT)
> > From: mikem at alaska.net
> > To: openssh-unix-dev at mindrot.org
> > Subject: Functionality bug (possibly) in openssh on AIX 4.3
> >
> >
> > Hi Folks,
> >
> > While compiling and testing openssh-2.5.2p2 on various AIX platforms, I've
> > found that ssh will not accept root (based on ssh key credentials) logins
> > at all if the AIX security features have been set to disallow remote root
> > logins. If I disable the AIX security feature (enable remote root
> > logins), I can then do bad things like rsh, telnet, etc. into the box as
> > root.
> >
> > [...]
> >
>
>
> --
> Hello World. David Bronder - Systems Admin
> Segmentation Fault ITS-SPA, Univ. of Iowa
> Core dumped, disk trashed, quota filled, soda warm. david-bronder at uiowa.edu
>