AIX SSH 2.x ssh and /etc/ftpusers NOT IBM Standard - SECURITY
mark.pitt at ch.ibm.com
mark.pitt at ch.ibm.com
Thu May 17 02:04:09 EST 2001
During testing of ssh 2.5 from www.bull.de I have noticed a couple of
things that are causing us problems.
Rlogin=false
We are required by security agreements to keep direct login for root locked
( chuser rlogin=false root ), which applies to rlogin
and telnet commands only according to IBM documentation - ie not rsh or
ftp.
AIX rlogin=false means no access via telnet or rlogin, but rsh and ftp ARE
allowed - however ssh does not work if rlogin=false
- not only this, but having reported an illegal user as rlogin is locked,
it then prompts for a password and fails even if the
password is correct - if it already knows this, why does it prompt ? I
would like to use ssh as rsh, but keep rlogin and telnet
locked.
Also, changing chuser rlogin=true while the server is running doesnt work,
what is worse, the other way round does not work,
this giving unintended access to the system to someone that has been
blocked. ie start sshd with rlogin=true and access is
permitted, set rlogin=false, then it is STILL permitted by ssh - ouch.
SFTP
To make any security sense of rlogin=false, it is absolutely essential to
have /etc/ftpusers for root for reasons that are clear to
the initiated, however sftp-daemon does NOT respect this, and provides no
facility to do so - ouch. It also respects
rlogin=false ( I suppose as it goes through ssh ) but this is NOT what IBM
intended, and NOT standard.
LOGGING
1/ Use ssh as rsh with each Sys Adm having his ( no her but I digress ) key
in authorized_keys2 - then we have tracking for
root user, ie who had used it, with which key, without having to create
users on every single machine for every single admin.
Although this might be defeatible, it does aid in problem solving to know
who used root last, as the rlogin=false was intended -
possibly logging to external servers etc.
Other than a debug message to say ssh found a key on a particular line in
the file, this is not easy to come by.
Anyway, thanks for your help, I have only just started with this, so I hope
the questions are not too stooopid.
Mark
More information about the openssh-unix-dev
mailing list