locked account accessable via pubkey auth

Dan Kaminsky dan at doxpara.com
Thu Jan 31 00:59:29 EST 2002


RE: locked account accessable via pubkey auth

Hmmm, consistency with r* series vs. consistency with what is obviously the platform designer's intent.  Probably the only time I've ever seen these two in direct conflict.

I'm leaning towards agreeing with you on this...it's a really special case that someone would just want pubkey.  Is there anyone who thinks this isn't an obscure but genuine platform-specific security issue, solved by adding a check before pubkey to see if the password is locked on platforms with locking implemented?

--Dan

  ----- Original Message ----- 
  From: Lacoss-Arnold, Jason 
  To: 'Dan Kaminsky' ; 'Damien Miller' ; Frank Cusack 
  Cc: openssh-unix-dev at mindrot.org ; Dost, Alexander 
  Sent: Wednesday, January 30, 2002 5:46 AM
  Subject: RE: locked account accessable via pubkey auth


  No.  ftp doesn't allow it.  The console doesn't allow it.  The r* commands would allow it, but we don't allow them for obvious reasons.  But we feel that the tool we're using to rid ourselves of security holes shouldn't replicate security holes.

  Thanks, 
  --Jason Lacoss-Arnold, Systems Technical Specialist 
  Technical Services - Unix Arch. 
  314-955-8501 

    -----Original Message-----
    From: Dan Kaminsky [mailto:dan at doxpara.com]
    Sent: Wednesday, January 30, 2002 7:43
    To: Lacoss-Arnold, Jason; 'Damien Miller'; Frank Cusack
    Cc: openssh-unix-dev at mindrot.org; Dost, Alexander
    Subject: Re: locked account accessable via pubkey auth


    Without SSH, is there *any* other way to access a password-locked account than to su in from root?

    If not, I don't see it as being valid to allow a pubkey "backdoor" by default.  It comes down to whether the platforms are equating "no password = no access".  Unless something else has access with no password, we shouldn't be allowing such.

    Now, do we generally directly manage passwd/shadow files on Solaris, or do we usually go through PAM?  Can PAM report an LK password state, so we could check for it before allowing pubkey?

    --dan



      ----- Original Message ----- 
      From: Lacoss-Arnold, Jason 
      To: 'Dan Kaminsky' ; 'Damien Miller' ; Frank Cusack 
      Cc: openssh-unix-dev at mindrot.org ; Dost, Alexander 
      Sent: Wednesday, January 30, 2002 5:26 AM
      Subject: RE: locked account accessable via pubkey auth


      As an interesting side note, HP-UX used to also have this problem, but I just tested on an 11.0 trusted HP-UX box and disabling my account in SAM did actually disable it to ssh.  Unfortunately, we don't have any untrusted systems, so I can't tell if it's a ramification of HP's whole tcb shenanigans (their version of shadow files) or if all of HP is similarly fixed.

      Also, I'm pretty sure that this behavior in Solaris way predated version 8.

      Thanks, 
      --Jason Lacoss-Arnold, Systems Technical Specialist 
      Technical Services - Unix Arch. 
      314-955-8501 

        -----Original Message-----
        From: Dan Kaminsky [mailto:dan at doxpara.com]
        Sent: Wednesday, January 30, 2002 7:17
        To: Lacoss-Arnold, Jason; 'Damien Miller'; Frank Cusack
        Cc: openssh-unix-dev at mindrot.org; Dost, Alexander
        Subject: Re: locked account accessable via pubkey auth


        Since normally it's impossible to access the account of a password-disabled account, should default behavior on Solaris be to assume password-disabled means access-disabled?

        It seems to me that the rest of the Solaris tools assume "no password = no access".  Perhaps we should as well, and provide a separate configuration option to override to the useful but non-obvious pubkey-only mode.

        Thoughts?

        --Dan
          ----- Original Message ----- 
          From: Lacoss-Arnold, Jason 
          To: 'Damien Miller' ; Frank Cusack 
          Cc: openssh-unix-dev at mindrot.org ; Dost, Alexander 
          Sent: Wednesday, January 30, 2002 4:59 AM
          Subject: RE: locked account accessable via pubkey auth


          No, it's at best a really annoying "feature" but it feels more like a bug.  Basically, it makes it a royal pain in the arse to disable an account when a user leaves since all of the Solaris tools assume that passwd=*LK* means that the account is disabled.  Hence, if you actually want to disable the account you have to first use Sun's tool and additionally either change the shell to /bin/false or similar, put the user in a group that's listed in sshd_config's DenyGroups, go wipe out user keys and configs, or some other kludge.  Kludging sucks.

          Thanks, 
          --Jason Lacoss-Arnold, Systems Technical Specialist 
          Technical Services - Unix Arch. 
          314-955-8501 



          -----Original Message----- 
          From: Damien Miller [mailto:djm at mindrot.org] 
          Sent: Tuesday, January 29, 2002 22:40 
          To: Frank Cusack 
          Cc: openssh-unix-dev at mindrot.org; Dost, Alexander 
          Subject: Re: locked account accessable via pubkey auth 



          On Tue, 29 Jan 2002, Frank Cusack wrote: 

          > On Tue, Jan 29, 2002 at 08:48:51AM -0600, Albert Chin wrote: 
          > > On Tue, Jan 29, 2002 at 12:56:55PM +0100, Dost, Alexander wrote: 
          > > > maybe this is a silly question ;-) But why is it possible to login on a 
          > > > machine with a locked account (passwd -l ) via pubkey-authentication 
          > > > (authorized_keys) ? 
          > > > I use OpenSSH 3.01p1 on Solaris 8 with PAM support so I thought this should not 
          > > > happen. 
          > > 
          > > Check the list archives and you'll find others with the same problem. 
          > > No one has turned up a solution with Solaris 8/PAM yet. 
          > 
          > huh..  This is definitely a bug; probably in the Solaris PAM libs.  I can 
          > look into this, unfortunately not within a day or so. 

          I don't think it is a bug even. Having accounts with locked passwords, but 
          still accessible via pubkey auth is a very useful thing. 

          -d 



          _______________________________________________ 
          openssh-unix-dev at mindrot.org mailing list 
          http://www.mindrot.org/mailman/listinfo/openssh-unix-dev 



          ***************************************************************************************
          WARNING: All e-mail sent to and from this address will be received or
          otherwise recorded by the A.G. Edwards corporate e-mail system and is
          subject to archival, monitoring or review by, and/or disclosure to,
          someone other than the recipient.
          ***************************************************************************************






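An added defender-side example, not code from the thread or from OpenSSH itself: it classifies shadow password fields the way Jason describes the Solaris tools doing (passwd=*LK* means disabled), implements the "check before pubkey" test Dan proposes, and audits which password-locked accounts still carry authorized_keys. The shadow entries and the key inventory are constructed; treating a leading "!" as locked is the Linux `passwd -l` convention, added here as a generalization beyond Solaris.

```python
# Added example (not from the thread): audit password-locked accounts that still
# have authorized_keys, i.e. the exact situation the thread describes.
# SHADOW_SAMPLE and KEYS_SAMPLE below are constructed for the demo.

SHADOW_SAMPLE = """\
root:$1$abcdefgh$ijklmnopqrstuvwxyz012:11500::::::
alice:*LK*:11500::::::
bob:*LK*$1$abcdefgh$ijklmnopqrstuvwxyz012:11500::::::
carol:!$6$saltsalt$hashhashhashhashhash:11500::::::
daemon:NP:6445::::::
eve:$6$saltsalt$hashhashhashhashhash:11500::::::
"""

# Constructed inventory: users whose home dir holds ~/.ssh/authorized_keys.
KEYS_SAMPLE = {"root", "alice", "carol", "eve"}


def password_state(field: str) -> str:
    """Classify the shadow password field as the platform tools would."""
    # Solaris passwd -l writes *LK* (bare, or as a prefix on a retained hash);
    # Linux passwd -l prepends "!" to the hash.
    if field.startswith("*LK*") or field.startswith("!"):
        return "locked"
    if field in ("*", "NP"):      # never had a usable password
        return "nologin"
    if field == "":
        return "empty"            # no password at all
    return "active"


def parse_shadow(text: str) -> dict:
    """Map user name -> password state for each shadow line."""
    states = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        states[fields[0]] = password_state(fields[1])
    return states


def pubkey_allowed(field: str) -> bool:
    """The check the thread proposes: no pubkey auth when the password is locked."""
    return password_state(field) != "locked"


def audit(shadow_text: str, users_with_keys) -> list:
    """Accounts whose password is locked yet which still have authorized_keys."""
    states = parse_shadow(shadow_text)
    return sorted(u for u in users_with_keys if states.get(u) == "locked")


if __name__ == "__main__":
    for user in audit(SHADOW_SAMPLE, KEYS_SAMPLE):
        print(f"{user}: password locked but authorized_keys present")
```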


