Security - ssh allows unintended access on AIX
Mark Pitt
mark.pitt at ch.ibm.com
Tue Nov 6 01:12:10 EST 2001
Under AIX there are three security settings:
expires    = a fixed date at which an account is no longer valid
maxage     = weeks before a password expires
maxexpired = max weeks during which a password can be changed by a user after
             expiration, AFTER WHICH ACCESS IS NOT ALLOWED
The beauty of maxage with expires is that no manual intervention is required
to block inactive users.
With maxage=5 and expires=1 an inactive user will be locked out after 6
weeks, even if he knows the password; also you can avoid "smoking joes" or
inactive accounts.
loginrestrictions in auth.c checks everything EXCEPT this.
The security problem is that this allows access when access should be denied.
The default for expires is -1, which means a password will expire as in maxage,
but the user can change his password at any time; however, once set, access
should be denied.
Being a simple soul, I have added a routine passwdexpired (AIX lib)
directly after loginrestrictions with the same code. I think this should
be urgently added to the code - hope this helps.
auth.c (declarations at the top of the function, next to loginmsg):

	/* mpi change: expiresmsg */
#ifdef WITH_AIXAUTHENTICATE
	char *loginmsg;
	char *expiresmsg;
	int passexpcode;
#endif /* WITH_AIXAUTHENTICATE */

auth.c (the passwdexpired check, placed directly after loginrestrictions):

	/* mpi change: passwdexpired check added here */
#ifdef WITH_AIXAUTHENTICATE
	if (loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &loginmsg) != 0) {
		if (loginmsg && *loginmsg) {
			/* Replace embedded newlines, drop the trailing one */
			char *p;
			for (p = loginmsg; *p; p++) {
				if (*p == '\n')
					*p = ' ';
			}
			*--p = '\0';
			log("Login restricted for %s: %.100s", pw->pw_name,
			    loginmsg);
		}
		return 0;
	}
	/*
	 * passwdexpired() returns 0 (valid), 1 (expired, the user can
	 * still change it), 2 (expired, only an administrator can change
	 * it) or -1 (internal error).  Log on 1 and let the user in so the
	 * password can be changed; refuse on 2 and on -1, whether or not
	 * AIX handed back a message.
	 */
	passexpcode = passwdexpired(pw->pw_name, &expiresmsg);
	if (passexpcode != 0) {
		const char *m = "";
		if (expiresmsg && *expiresmsg) {
			/* Same newline clean-up as for loginmsg */
			char *e;
			for (e = expiresmsg; *e; e++) {
				if (*e == '\n')
					*e = ' ';
			}
			*--e = '\0';
			m = expiresmsg;
		}
		if (passexpcode == 1) {
			log("Password expired %s: %.100s", pw->pw_name, m);
		} else {
			log("Password expired too long or system failure "
			    "%s: %.100s", pw->pw_name, m);
			return 0;
		}
	}
#endif /* WITH_AIXAUTHENTICATE */
 * expires    Defines the expiration time for the user account.
 *            Possible values: a valid date in the form MMDDHHMMYY or 0.
 *            If 0 the account does not expire. If 0101000070 the account
 *            is disabled. The range for YY is:
 *                00 - 38 years 2000 thru 2038
 *                39 - 99 years 1939 thru 1999
 *
 * histexpire Defines the period of time in weeks that a user
 *            will not be able to reuse a password.
 *            Possible values: an integer value between 0 and 260.
 *            26 (approximately 6 months) is the recommended value.
 *
 * maxexpired Defines the maximum number of weeks after maxage that an expired
 *            password can be changed by a user. The default is -1, which
 *            is equivalent to unlimited. Range: -1 to 52. maxage must
 *            be greater than 0 for maxexpired to be enforced. (root is
 *            exempt from maxexpired.)
 *
-------------------------------------------------------------------------------
Base Operating System and Extensions Technical Reference, Volume 1
-------------------------------------------------------------------------------
passwdexpired Subroutine

Purpose
Checks the user's password to determine if it has expired.

Syntax
passwdexpired (UserName, Message)
char *UserName;
char **Message;

Description
The passwdexpired subroutine checks a user's password to determine if it has
expired. The subroutine checks the registry variable in the /etc/security/user
file to ascertain where the user is administered. If the registry variable is
not defined, the passwdexpired subroutine checks the local, NIS, and DCE
databases for the user definition and expiration time.
The passwdexpired subroutine may pass back informational messages, such as how
many days remain until password expiration.

Parameters
UserName Specifies the user's name whose password is to be checked.
Message  Points to a pointer that the passwdexpired subroutine allocates memory
         for and fills in. This string is suitable for printing and issues
         messages, such as in how many days the password will expire.

Return Values
Upon successful completion, the passwdexpired subroutine returns a value of 0.
If this subroutine fails, it returns one of the following values:
 1 Indicates that the password is expired, and the user must change it.
 2 Indicates that the password is expired, and only a system administrator may
   change it.
-1 Indicates that an internal error has occurred, such as a memory allocation
   (malloc) failure or database corruption.

Error Codes
The passwdexpired subroutine fails if one or more of the following values is
true:
ENOENT Indicates that the user could not be found.
EPERM  Indicates that the user did not have permission to check password
       expiration.
ENOMEM Indicates that memory allocation (malloc) failed.
EINVAL Indicates that the parameters are not valid.

Implementation Specifics
This subroutine is part of Base Operating System (BOS) Runtime.

Related Information
The authenticate subroutine.
The login command.
-------------------------------------------------------------------------------
Mark Pitt
SP Administrator
IBM, Campus Winterthur
058-333-1542
More information about the openssh-unix-dev mailing list
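As an added, portable illustration of the checks this post is about (example code written for this page, not Mark Pitt's change, not OpenSSH's auth.c and not AIX library code): the block below models what passwdexpired() reports under the maxage/maxexpired rules quoted above, evaluates the expires attribute with its documented YY window, cleans up an AIX message, and applies the allow/deny decision the post argues for. The names password_state, account_expired, sanitize_message and ssh_allow_login are hypothetical; the week arithmetic and the inclusive boundary handling are assumptions rather than AIX's documented behaviour; the scenario in main() is constructed (maxage=5, maxexpired=1, last password change at the epoch, login attempted six weeks and a day later).

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

#define WEEK_SECONDS ((time_t)7 * 24 * 60 * 60)

/* Return codes modelled on passwdexpired(): 0 = not expired,
 * 1 = expired but the user may still change it,
 * 2 = expired and only an administrator may change it. */
enum pw_state { PW_OK = 0, PW_EXPIRED_USER = 1, PW_EXPIRED_ADMIN = 2 };

/* Model of the maxage/maxexpired rules (assumed semantics, not AIX's
 * implementation; boundaries treated as inclusive):
 *   maxage <= 0      the password never expires
 *   maxexpired == -1 unlimited time to change an expired password
 *   otherwise        expired after maxage weeks; the user may still change
 *                    it for maxexpired more weeks, then only an admin can. */
enum pw_state password_state(time_t last_change, time_t now,
                             int maxage, int maxexpired)
{
    time_t expiry, hard_stop;

    if (maxage <= 0)
        return PW_OK;
    expiry = last_change + maxage * WEEK_SECONDS;
    if (now < expiry)
        return PW_OK;
    if (maxexpired < 0)
        return PW_EXPIRED_USER;
    hard_stop = expiry + maxexpired * WEEK_SECONDS;
    return now < hard_stop ? PW_EXPIRED_USER : PW_EXPIRED_ADMIN;
}

/* Check the "expires" attribute (MMDDHHMMYY, or "0" for never) against
 * now, using the documented window YY 00-38 -> 2000-2038, 39-99 ->
 * 1939-1999. Returns 1 if the date has passed (so 0101000070, 1 Jan 1970,
 * disables the account), 0 if still valid or set to never, -1 if the
 * value is malformed (a real check should refuse the login in that case). */
int account_expired(const char *s, time_t now)
{
    struct tm tm;
    int i, f[5];

    if (strcmp(s, "0") == 0)
        return 0;
    if (strlen(s) != 10)
        return -1;
    for (i = 0; i < 10; i++)
        if (s[i] < '0' || s[i] > '9')
            return -1;
    for (i = 0; i < 5; i++)
        f[i] = (s[2 * i] - '0') * 10 + (s[2 * i + 1] - '0');
    if (f[0] < 1 || f[0] > 12 || f[1] < 1 || f[1] > 31 ||
        f[2] > 23 || f[3] > 59)
        return -1;
    memset(&tm, 0, sizeof(tm));
    tm.tm_mon  = f[0] - 1;
    tm.tm_mday = f[1];
    tm.tm_hour = f[2];
    tm.tm_min  = f[3];
    tm.tm_year = (f[4] <= 38 ? 2000 : 1900) + f[4] - 1900;
    tm.tm_isdst = -1;               /* local time, DST unknown */
    return mktime(&tm) <= now;
}

/* Replace embedded newlines in an AIX message with spaces and strip
 * trailing blanks. Unlike "*--p = '\0'" in the post, which always drops
 * the last character, this only removes what really was a newline. */
char *sanitize_message(char *msg)
{
    size_t n = strlen(msg), i;

    for (i = 0; i < n; i++)
        if (msg[i] == '\n')
            msg[i] = ' ';
    while (n > 0 && msg[n - 1] == ' ')
        msg[--n] = '\0';
    return msg;
}

/* The decision the post argues for: admit on 0 (valid) and 1 (expired but
 * the user can still change it at the shell); refuse on 2 and on -1. */
int ssh_allow_login(int passwdexpired_rc)
{
    return passwdexpired_rc == 0 || passwdexpired_rc == 1;
}

int main(void)
{
    /* Constructed scenario: maxage=5, maxexpired=1, login 6 weeks + 1 day
     * after the last change -> code 2 -> deny, matching the post's claim. */
    enum pw_state st = password_state(0, 6 * WEEK_SECONDS + 86400, 5, 1);
    char msg[] = "Your password has expired.\nPlease change it.\n";

    printf("passwdexpired-style code %d -> %s\n", (int)st,
           ssh_allow_login(st) ? "allow" : "deny");
    printf("expires=0101000070 disabled: %d\n",
           account_expired("0101000070", time(NULL)));
    printf("message: \"%s\"\n", sanitize_message(msg));
    return 0;
}
```

On AIX the value fed to ssh_allow_login() would be the real return of passwdexpired(pw->pw_name, &msg); the point of keeping the decision in its own function is that the deny path does not depend on whether AIX also returned a message, which is the gap in the snippet above.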