AIX SSH 2.x ssh and /etc/ftpusers rcp rlogin WRONG !

douglas.manton at uk.ibm.com
Thu May 17 19:43:59 EST 2001




> I think ssh should be consistent here - either "permit remote access to
> AIX box", or "not at all".

The rlogin attribute effectively relates to pty allocation permission.
Perhaps the OpenSSH implementation should be changed so that "no-pty" is
set if rlogin=false?  This would then match AIX's configuration (right or
wrong, but consistent!).  If I want to disallow access completely then I
simply lock the account.

The login flow would include (excuse pseudo-code):

    if rlogin = false {
        set no-pty
        force subsystem sftp-server
    }

Is it worth adding the /etc/ftpusers test to the sftp-server for all
systems?  If we want sftp to replace ftp then this would make sense.  If
the file does not exist then no harm is done since the default is to grant
access.

It is nice to allow sftp access to users that are not allowed to log in. I
achieve this today using a forced command in the user's authorized_keys
files and leave rlogin=true.  This has potential for abuse since the
lock-down is not done at an administrative level and is quite difficult to
audit.

Best wishes,
--------------------------------------------------------
  Doug Manton, AT&T EMEA Commercial Security Solutions

               E:  demanton at att.com
--------------------------------------------------------
"If privacy is outlawed, only outlaws will have privacy"
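
The audit problem raised in the last paragraph of the message, as an added example that is not part of the original post or of OpenSSH: a Python check that parses authorized_keys lines and reports every key that is not restricted to a forced sftp-server command with no-pty. The function names are hypothetical, and the sftp-server path, users and key blobs in the sample are constructed.

```python
import os
import re

# Protocol 2 key types: a line that starts with one of these carries no options.
KEY_TYPE = re.compile(r"^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-\S+|sk-\S+)$")
# One option: a bare name, or name="value" where the value may hold \" escapes.
OPTION = re.compile(r'([\w-]+)(?:="((?:\\.|[^"\\])*)")?')

def parse_options(line):
    """Return the options of one authorized_keys line as {name: value}."""
    opts, pos = {}, 0
    if KEY_TYPE.match(line.split(None, 1)[0]):
        return opts
    while (m := OPTION.match(line, pos)):
        opts[m.group(1).lower()] = (m.group(2) or "").replace('\\"', '"')
        pos = m.end()
        if line[pos:pos + 1] != ",":
            break
        pos += 1
    return opts

def audit(text, helper="sftp-server"):
    """Return (line number, issue) for each key not pinned to sftp without a pty."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        opts = parse_options(line)
        argv0 = (opts.get("command", "").split() or [""])[0]
        if "command" not in opts:
            findings.append((n, "no forced command"))
        elif os.path.basename(argv0) != helper:
            findings.append((n, "forced command is not " + helper))
        # "restrict" also disables the pty unless "pty" re-enables it.
        if not ({"no-pty", "restrict"} & opts.keys()) or "pty" in opts:
            findings.append((n, "pty allowed"))
    return findings

# Constructed sample; paths, users and key blobs are placeholders.
SAMPLE = r'''# constructed authorized_keys
command="/usr/local/libexec/sftp-server",no-pty ssh-rsa AAAA alice@example
command="/usr/local/libexec/sftp-server" ssh-rsa AAAA bob@example
ssh-rsa AAAA carol@example
command="echo \"hi, there\"",no-pty ssh-dss AAAA dave@example
'''
if __name__ == "__main__":
    for n, issue in audit(SAMPLE):
        print(f"line {n}: {issue}")
```

Running it over every user's authorized_keys from a root-owned job gives the administrative view that per-user forced commands lack; it does not stop a user who can write to the file from removing the restriction between runs.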