ssh - NO SALE or NO GIVE ?

Pekka Savola pekkas at netcore.fi
Sun May 20 19:18:58 EST 2001


On Sun, 20 May 2001 mark.pitt at ch.ibm.com wrote:
[snip]
> "ssh: root access granted via key joeblow at jupiter at 12:34"
>
> It is then possible for me to demonstrate to management  that we do not
> require every admin  to have an account on every system ( every one
> represents a security problem ) but all we require is ssh with a set of
> keys - we can then also centralise key management for administrators, also
> that ssh respects security guidelines.
>
> IF I cannot solve this problem, then ssh is NOT PERMITTED on IBM systems
> and IBM Customers which IBM supports via service contracts - this would be
> a  pity.
>
> rlogin=false is used by AIX systems to block only interactive sessions, ie
> rlogin and telnetd, but allows rsh and rcp as they are not interactive.
> Obviously this makes NO sense at all, and anyway you can always use X or
> such to generate an interactive session, but that is the way AIX works,
> rightly or wrongly.
>
> Is there ANY way AROUND this ?

Is PermitRootLogin=without-password not enough?

Admittedly that might still be holey if shosts.equiv, .shosts etc. logins
are still allowed with SSHv1; before OpenSSH 2.9 when HostBased auth for
v2 wasn't there yet, this was the case in general.

Is there too big a difference to enhancing PermitRootLogin so that
features in 'without-password' and 'forced-commands-only' would be mixed
(ie: 'publickey-only')?

> SFTP
>
> Really needs to have a /etc/ftpusers file to provide a simple blocking
> mechanism for ftp.

Note that standard BSD ftpd also checks for /etc/ftpusers.  Some might
want to separate sftp and ftpd.

> BUGS
>
> If rlogin=false then ssh still prompts for password, although it already
> knows access will be denied.

This is a feature, IMO.  Else you could go scanning hosts with 'ssh
root at somewhere' to check which ones have rlogin=false set.

The authentication must look transparent until the user has been
authenticated.

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                   not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords
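
To make the PermitRootLogin and shosts.equiv/.shosts discussion above concrete, here is an added example (not from the thread or from OpenSSH itself): a small shell audit that reads an sshd_config and reports whether root is limited to key-based or forced-command logins and whether the rhosts-style paths are closed. It assumes the real OpenSSH keywords PermitRootLogin (including the later prohibit-password spelling), HostbasedAuthentication and IgnoreRhosts; the two configs it checks are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original mailing-list post.
# Audits an sshd_config for the root-login posture discussed in the thread.

# Print the effective value of a keyword: sshd uses the FIRST occurrence,
# so stop at the first match. $1 = file, $2 = keyword, $3 = default if absent.
sshd_opt() {
    awk -F '[[:space:]=]+' \
        -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        { sub(/^[[:space:]]+/, "") }        # strip indentation, re-split fields
        /^#/ || /^$/ { next }               # skip comments and blank lines
        tolower($1) == key { print $2; found = 1; exit }
        END { if (!found) print def }' "$1"
}

# Returns 0 when root can only log in with a key (or a forced command, or is
# blocked outright) and host-based / rhosts logins are off; 1 otherwise.
check_root_login_policy() {
    cfg="$1"
    prl=$(sshd_opt "$cfg" PermitRootLogin yes)          # old default was yes
    hba=$(sshd_opt "$cfg" HostbasedAuthentication no)
    irh=$(sshd_opt "$cfg" IgnoreRhosts yes)
    case "$prl" in
        without-password|prohibit-password|forced-commands-only|no) ;;
        *) echo "PermitRootLogin=$prl permits password logins for root"; return 1 ;;
    esac
    [ "$hba" = "no" ]  || { echo "HostbasedAuthentication=$hba keeps shosts.equiv open"; return 1; }
    [ "$irh" = "yes" ] || { echo "IgnoreRhosts=$irh honours ~/.shosts"; return 1; }
    echo "root is limited to key-based or forced-command logins"
    return 0
}

# Constructed sample configurations (hypothetical, for the demonstration only).
weak_cfg=$(mktemp); hard_cfg=$(mktemp)
trap 'rm -f "$weak_cfg" "$hard_cfg"' EXIT
cat > "$weak_cfg" <<'EOF'
Port 22
PermitRootLogin yes
HostbasedAuthentication yes
EOF
cat > "$hard_cfg" <<'EOF'
Port 22
# root may authenticate with a key, never with a password
PermitRootLogin without-password
HostbasedAuthentication no
IgnoreRhosts yes
EOF

check_root_login_policy "$hard_cfg"          # restricted: exit status 0
check_root_login_policy "$weak_cfg" || true  # reports the PermitRootLogin problem
```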