ssh - NO SALE or NO GIVE ?
mark.pitt at ch.ibm.com
Sun May 20 18:48:20 EST 2001
Thanks to everyone who has replied to my emails so far - to summarise:
AIX allows setting of rlogin=false and a su group, or a list of users
that are permitted to "su" to root. ( or other functional ids )
This means with entries in /etc/ftpusers, it is possible to :
1/ Track who used root via sulog and or external logging
2/ Protect root even if the root password is compromised
3/ Limit to a list of users who can access root
To achieve the functional equivalent of this in ssh we require:
rlogin still false to stop telnet connections, but ssh still allowing
connections
A set of allowed_keys that effectively would be an su group
A tracking by ssh of which key allowed access at connection time ( ie an
sulog equivalent ) ie:
"ssh: root access granted via key joeblow at jupiter at 12:34"
It is then possible for me to demonstrate to management that we do not
require every admin to have an account on every system ( every one
represents a security problem ) but all we require is ssh with a set of
keys - we can then also centralise key management for administrators, also
that ssh respects security guidelines.
IF I cannot solve this problem, then ssh is NOT PERMITTED on IBM systems
and IBM Customers which IBM supports via service contracts - this would be
a pity.
rlogin=false is used by AIX systems to block only interactive sessions, ie
rlogin and telnetd, but allows rsh and rcp as they are not interactive.
Obviously this makes NO sense at all, and anyway you can always use X or
such to generate an interactive session, but that is the way AIX works,
rightly or wrongly.
Is there ANY way AROUND this ?
SFTP
Really needs to have a /etc/ftpusers file to provide a simple blocking
mechanism for ftp.
BUGS
If rlogin=false then ssh still prompts for password, although it already
knows access will be denied.