Security - ssh allows unintended access on AIX
mouring at etoh.eviladmin.org
Tue Nov 6 03:00:58 EST 2001
If you wish us to consider a patch.. PLEASE provide it in unified diff
format.
- Ben
On Mon, 5 Nov 2001, Mark Pitt wrote:
>
> Under AIX there are three security settings:
>
> expires = a fixed date at which an account is no longer valid
> maxage = weeks before a password expires
> maxexpires = max weeks during which a password can be changed by a user after
> expiration AFTER WHICH ACCESS IS NOT ALLOWED
>
> The beauty of maxage with expires is that no manual intervention is required
> to block inactive users.
> With maxage=5 and expires=1 an inactive user will be locked out after 6
> weeks, even if he knows the password; you can also avoid "smoking joes" or
> inactive accounts.
>
> loginrestrictions in auth.c checks everything EXCEPT this.
>
> The security problem is that this allows access when access should be denied.
> The default for expires is -1, which means a password will expire as in maxage,
> but the user can change his password at any time; however, once set, access
> should be denied.
>
> Being a simple soul, I have added a routine passwdexpired (AIX lib)
> directly after loginrestrictions with the same code. I think this should
> be urgently added to the code - hope this helps.
>
> auth.c
>
> /* mpi change expiresmsg */
> #ifdef WITH_AIXAUTHENTICATE
> char *loginmsg;
> char *expiresmsg;
> int passexpcode;
> #endif /* WITH_AIXAUTHENTICATE */
>
>
> #ifdef WITH_AIXAUTHENTICATE
>
> auth.c
>
> /* mpi change: passwdexpired added in here */
>
>     if (loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &loginmsg) != 0) {
>         if (loginmsg && *loginmsg) {
>             char *p;
>             /* fold the multi-line AIX message onto a single log line */
>             for (p = loginmsg; *p; p++) {
>                 if (*p == '\n')
>                     *p = ' ';
>             }
>             *--p = '\0';
>             log("Login restricted for %s: %.100s", pw->pw_name, loginmsg);
>         }
>         return 0;
>     }
>
>     /* passwdexpired: 0 = valid, 1 = expired and the user must change it,
>      * 2 = expired and only an administrator may change it, -1 = internal
>      * error. Only 0 and 1 may proceed; an error must fail closed, and the
>      * decision must not depend on whether a message was returned. */
>     passexpcode = passwdexpired(pw->pw_name, &expiresmsg);
>
>     if (passexpcode != 0) {
>         if (expiresmsg && *expiresmsg) {
>             char *e;
>             for (e = expiresmsg; *e; e++) {
>                 if (*e == '\n')
>                     *e = ' ';
>             }
>             *--e = '\0';
>         }
>         if (passexpcode == 1) {
>             log("Password expired %s: %.100s", pw->pw_name,
>                 expiresmsg ? expiresmsg : "");
>         } else {
>             log("Password expired too long or system failure %s: %.100s",
>                 pw->pw_name, expiresmsg ? expiresmsg : "");
>             return 0;
>         }
>     }
>
> #endif /* WITH_AIXAUTHENTICATE */
>
>
> * expires Defines the expiration time for the user account.
> * Possible values: a valid date in the form MMDDHHMMYY or 0.
> * If 0 the account does not expire. If 0101000070 the account
> * is disabled. The range for YY is:
> * 00 - 38 years 2000 thru 2038
> * 39 - 99 years 1939 thru 1999
>
> * histexpire Defines the period of time in weeks that a user
> * will not be able to reuse a password.
> * Possible values: an integer value between 0 and 260.
> * 26 (approximately 6 months) is the recommended value.
> *
> * maxexpired Defines the maximum number of weeks after maxage that an expired
> * password can be changed by a user. The default is -1, which
> * is equivalent to unlimited. Range: -1 to 52. maxage must
> * be greater than 0 for maxexpired to be enforced. (root is
> * exempt from maxexpired.)
> *
> -------------------------------------------------------------------------------
> Base Operating System and Extensions Technical Reference, Volume 1
> -------------------------------------------------------------------------------
>
> passwdexpired Subroutine
>
> Purpose
>
> Checks the user's password to determine if it has expired.
>
> Syntax
>
> passwdexpired (UserName, Message)
>
> char *UserName;
>
> char **Message;
>
> Description
>
> The passwdexpired subroutine checks a user's password to determine if it has
> expired. The subroutine checks the registry variable in the /etc/security/user
> file to ascertain where the user is administered. If the registry variable is
> not defined, the passwdexpired subroutine checks the local, NIS, and DCE
> databases for the user definition and expiration time.
>
> The passwdexpired subroutine may pass back informational messages, such as how
> many days remain until password expiration.
>
> Parameters
>
> UserName Specifies the user's name whose password is to be checked.
>
> Message Points to a pointer that the passwdexpired subroutine allocates memory
> for and fills in. This string is suitable for printing and issues messages,
> such as in how many days the password will expire.
>
> Return Values
>
> Upon successful completion, the passwdexpired subroutine returns a value of 0.
> If this subroutine fails, it returns one of the following values:
>
> 1 Indicates that the password is expired, and the user must change it.
>
> 2 Indicates that the password is expired, and only a system administrator may
> change it.
>
> -1 Indicates that an internal error has occurred, such as a memory allocation
> (malloc) failure or database corruption.
>
> Error Codes
>
> The passwdexpired subroutine fails if one or more of the following values is
> true:
>
> ENOENT Indicates that the user could not be found.
>
> EPERM Indicates that the user did not have permission to check password
> expiration.
>
> ENOMEM Indicates that memory allocation (malloc) failed.
>
> EINVAL Indicates that the parameters are not valid.
>
> Implementation Specifics
>
> This subroutine is part of Base Operating System (BOS) Runtime.
>
> Related Information
>
> The authenticate subroutine.
>
> The login command.
> -------------------------------------------------------------------------------
>
>
> Mark Pitt
> SP Administrator
> IBM, Campus Winterthur
> 058-333-1542
>
>
>
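As an added example (not code from this thread or from OpenSSH), the expiry check done fail-closed in C: AIX's passwdexpired() is stood in for by a hypothetical fake_passwdexpired() over constructed user records (maxage and maxexpired in weeks, as the quoted /etc/security/user comments define them), so it runs without the AIX library; aix_expiry_decision() and the LOGIN_* codes are assumptions, not part of any real API.

```c
#include <string.h>

/* Hypothetical stand-in for AIX passwdexpired(), driven by a constructed user
 * table. Codes follow the quoted manual: 0 valid, 1 expired but the user may
 * change it, 2 expired and administrator-only, -1 internal/lookup error. */
struct user_rec {
    const char *name;
    int weeks_old;   /* age of the current password, in weeks */
    int maxage;      /* weeks until expiry; 0 = never expires */
    int maxexpired;  /* grace weeks after maxage; -1 = unlimited */
};

static const struct user_rec users[] = {   /* constructed sample data */
    { "alice",  2, 5,  4 },   /* fresh password */
    { "bob",    7, 5,  4 },   /* 2 weeks past maxage, inside the grace period */
    { "carol", 12, 5,  4 },   /* 7 weeks past maxage, grace period exhausted */
    { "dave",  40, 5, -1 },   /* unlimited grace: the user may always change it */
};

int fake_passwdexpired(const char *name, const char **msg)
{
    for (size_t i = 0; i < sizeof(users) / sizeof(users[0]); i++) {
        const struct user_rec *u = &users[i];
        if (strcmp(u->name, name) != 0)
            continue;
        if (u->maxage <= 0 || u->weeks_old <= u->maxage) {
            *msg = "Password is valid.\n"; return 0;
        }
        if (u->maxexpired < 0 || u->weeks_old - u->maxage <= u->maxexpired) {
            *msg = "Your password has expired; you must change it.\n"; return 1;
        }
        *msg = "Password expired too long ago; see your administrator.\n"; return 2;
    }
    *msg = NULL; return -1;   /* user not found: callers must fail closed */
}

#define LOGIN_DENY   0
#define LOGIN_ALLOW  1
#define LOGIN_CHANGE 2   /* admit, but force a password change first */
/* Fail-closed decision taken on the return code alone, never on whether a
 * message came back: 2, -1 (which a "> 0" test as in the thread lets through)
 * and anything unexpected all deny. */
int aix_expiry_decision(const char *name)
{
    const char *msg;
    int rc = fake_passwdexpired(name, &msg);
    if (rc == 0) return LOGIN_ALLOW;
    if (rc == 1) return LOGIN_CHANGE;
    return LOGIN_DENY;
}
```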