AIX issues

Ben Lindstrom mouring at etoh.eviladmin.org
Sat Jul 27 05:53:29 EST 2002


On 26 Jul 2002, Mark Grennan wrote:

> Hello everyone,
>
> I have been given the task of working out a number of issues with
> OpenSSH for my company (Hertz).
>
> I have been following the mailing list for several days now and I'm
> beginning to compile a list of who is working on what.  To make my task
> faster, it would be nice if the people working on the following issues
> would drop me an email before I start to rewrite their code and get it
> wrong. :-)
>
> I am dealing with AIX 4.3.3, AIX 5.x, and OpenSSH 2.5.1p1 and 2.9.9p2.
> I'm sure some of these issues have been fixed.
>
> The issues are:
>
>     1. Allows login even though the password has expired either from age
>     or after being reset by a security analyst.
>

This is an outstanding issue.  I doubt this will be fixed by 3.5 release.
Mainly because one has to do two different paths.  First one would be for
v1 protocol (password change over TTY) and the other is v2 (password
change via SSH_MSG_CHANGE_PASSWORD_REQ).  The latter does not have a
serverside framework, just client side.

>     2. Doesn't update AIX's "failed login count", consequently the ID is
>     not locked after 5 invalid login attempts.
>
>     3. Doesn't record the failed login in AIX's failedlogin log.
>
>     4. Doesn't post logged in users to the wtmp file causing it to
>     appear as if no one is logged in.
>

These should be fixed.  I did not get around to setting up my 5.x/4.3.3
box that was donated to me for testing.  (Tonight, I hope!)

>     5. Corrupts the file that stores the last login date for users
>     making it impossible to lock or remove accounts for inactivity.
>
Not heard of this.

>     6. Doesn't honor the /etc/ftpusers to restrict sftp access. Any
>     users can use ftp through SSH.
>
I believe we stated it was not correct to depend on /etc/ftpusers.  Check
the mailing list archives.

>     7. Syslog entries for SSH login don't differentiate between SSH,
>     SFTP, or other tunneled logins.
>

Don't think it should.  sftp is just like doing 'ssh remote
/path/to/sftp-server'.   Never looked at how tunneling is logged.

>     8. OpenSSH doesn't show user logouts in syslog like F-Secure does.
>
> My first step is to move both environments to 3.4p1 and retest.
>

Test with the current snapshots.  There was a whole slew of fixes Daz,
myself, and others have done since 3.4 release.  There are no new features
in --current.  It is all bug fixes so it should be just as safe as 3.4.
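As an added illustration of the v2 password-change exchange mentioned in the reply (not code from the list or from OpenSSH): the client "password" request and the server's change-request message, encoded as RFC 4252 specifies them (where the server message is named SSH_MSG_USERAUTH_PASSWD_CHANGEREQ), plus the minimal server-side decision logic that the reply says OpenSSH lacked. The ACCOUNTS table is a constructed stand-in for the AIX password-aging state, and the real failure/success messages are only noted in comments.

```python
import struct

SSH_MSG_USERAUTH_REQUEST = 50            # client -> server
SSH_MSG_USERAUTH_PASSWD_CHANGEREQ = 60   # server -> client: change it first

def _string(b):
    """SSH wire 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b

def _take_string(buf, off):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def build_userauth_password(user, old, new=None):
    """Client request; with 'new' set the boolean is TRUE and a second password follows."""
    body = (bytes([SSH_MSG_USERAUTH_REQUEST]) + _string(user.encode())
            + _string(b"ssh-connection") + _string(b"password")
            + bytes([1 if new is not None else 0]) + _string(old.encode()))
    return body + _string(new.encode()) if new is not None else body

def build_passwd_changereq(prompt, lang=""):
    """Server reply telling the client the password must be changed before login."""
    return (bytes([SSH_MSG_USERAUTH_PASSWD_CHANGEREQ])
            + _string(prompt.encode()) + _string(lang.encode()))

def parse_userauth_password(pkt):
    assert pkt[0] == SSH_MSG_USERAUTH_REQUEST
    user, off = _take_string(pkt, 1)
    service, off = _take_string(pkt, off)
    method, off = _take_string(pkt, off)
    assert method == b"password", method
    change = pkt[off] == 1
    old, off = _take_string(pkt, off + 1)
    new = None
    if change:
        new, off = _take_string(pkt, off)
    return {"user": user.decode(), "service": service.decode(),
            "old": old.decode(), "new": new.decode() if new is not None else None}

# Constructed account table standing in for the AIX password-aging state.
ACCOUNTS = {"alice": {"password": "old-pw", "expired": True}}

def server_handle(pkt):
    """Server-side decision: returns ('ok' | 'changereq' | 'fail', reply bytes)."""
    req = parse_userauth_password(pkt)
    acct = ACCOUNTS.get(req["user"])
    if acct is None or req["old"] != acct["password"]:
        return "fail", b""   # a real server sends SSH_MSG_USERAUTH_FAILURE (51)
    if acct["expired"]:
        if req["new"] is None:   # expired and no new password offered: refuse login
            return "changereq", build_passwd_changereq("Your password has expired.")
        acct["password"], acct["expired"] = req["new"], False  # policy check omitted
    return "ok", b""         # a real server sends SSH_MSG_USERAUTH_SUCCESS (52)
```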