AIX remote root logins

Darren Tucker dtucker at zip.com.au
Sun Oct 13 13:30:21 EST 2002


Mark Janssen wrote:
> On Sun, 2002-10-13 at 00:40, Donnie Cranford wrote:
> > I am in the process of introducing OpenSSH into our corporate environment.
> > This environment includes Solaris / HP-UX / AIX and Linux
> >
> > We have had audit tell us we need to disable root logins through telnet...
> > we can do this through the use of OpenSSH on all platforms except AIX
> > apparently bug # 383 was supposed to take care of this and I have
> > downloaded -current snapshot
> > and tested but remote root logins through SSH still does not work.

Most platforms have special login controls for root (eg /etc/securetty
or /etc/default/login). Sshd has its own (PermitRootLogin).

AIX has generic login control for all accounts (through the function
"loginrestrictions") which sshd checks (if WITH_AIXAUTHENTICATE is
defined).

The bug has a patch by Dr. Jörg Petersen which doesn't call
loginrestrictions for root. This makes sense to me as you can still
disable root logins with "PermitRootLogin no" which is consistent with
most other platforms. Without this patch it's not possible to disable
root logins via telnet but permit them via ssh; it's both or neither.
With it, they're independent.

I'm not sure if there's a philosophical objection to the patch or
it's just not been looked at.

> I'm running it at a multinational I work for, on AIX and HP, with
> Allow-root logins on 'without-password' (keyfiles only). It works
> perfectly... but you need to configure SSH without
> USE_AIX_AUTHENTICATION. otherwise it won't work...

Be aware that removing WITH_AIXAUTHENTICATE from config.h also disables
some of AIX's security features (eg lockout on bad logins and expired
accounts) so ssh can be used for password-guessing attacks.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
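The two controls discussed in the thread can be audited side by side. The script below is an added example, not code from the message or from OpenSSH: it reads the effective PermitRootLogin value from an sshd_config and the "rlogin" attribute for root from an AIX-style /etc/security/user (the attribute loginrestrictions() consults for remote logins), then reports whether root can get in via ssh and via telnet, for both the patched sshd (root skips loginrestrictions) and the unpatched one (root is gated by both). Assumptions, labelled as such: sshd's first PermitRootLogin directive wins and defaults to "yes"; a missing rlogin attribute falls back to the "default" stanza and then to "true"; the sample files are constructed here, not taken from a real host.

```shell
#!/bin/sh
# Added example (not from the original message or from OpenSSH).
# Audits root remote-login exposure on an AIX host from two config files:
#   - sshd_config: PermitRootLogin (sshd's own control)
#   - /etc/security/user: the "rlogin" attribute, which AIX's
#     loginrestrictions() applies to telnet/rlogin (assumption: first
#     PermitRootLogin wins and defaults to yes; missing rlogin falls back to
#     the default stanza, then to true).

# Print the effective PermitRootLogin value (first directive wins, default yes).
sshd_permit_root_login() {
    awk 'tolower($1) == "permitrootlogin" { v = tolower($2); exit }
         END { print (v == "" ? "yes" : v) }' "$1"
}

# Print the rlogin attribute for user $2 from the AIX security stanza file $1.
# Stanzas look like "root:" followed by indented "attr = value" lines; AIX
# comments start with "*".
aix_rlogin_attr() {
    awk -v user="$2" '
        /^[^ \t#*].*:[ \t]*$/ { stanza = $1; sub(/:.*$/, "", stanza); next }
        $1 == "rlogin" && $2 == "=" { val[stanza] = tolower($3) }
        END {
            if (user in val)           print val[user]
            else if ("default" in val) print val["default"]
            else                       print "true"
        }' "$1"
}

# $1 = sshd_config, $2 = security/user file, $3 = "patched" or "unpatched".
# Prints "ssh=yes|no telnet=yes|no".
audit_root_remote_login() {
    prl=$(sshd_permit_root_login "$1")
    rl=$(aix_rlogin_attr "$2" root)

    # yes, without-password and forced-commands-only all admit root in some form.
    case "$prl" in
        no) ssh=no ;;
        *)  ssh=yes ;;
    esac
    case "$rl" in
        true) telnet=yes ;;
        *)    telnet=no ;;
    esac
    # Unpatched sshd built WITH_AIXAUTHENTICATE also runs loginrestrictions()
    # for root, so rlogin=false blocks ssh too ("both or neither").
    if [ "$3" != "patched" ] && [ "$telnet" = "no" ]; then
        ssh=no
    fi
    echo "ssh=$ssh telnet=$telnet"
}

# Constructed sample inputs (not from a real host).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/sshd_config" <<'EOF'
Port 22
PermitRootLogin without-password
PermitRootLogin no
EOF
cat > "$SAMPLE_DIR/user" <<'EOF'
* constructed sample of /etc/security/user
default:
        admin = false
        login = true
        rlogin = true

root:
        admin = true
        rlogin = false
EOF

echo "patched sshd:   $(audit_root_remote_login "$SAMPLE_DIR/sshd_config" "$SAMPLE_DIR/user" patched)"
echo "unpatched sshd: $(audit_root_remote_login "$SAMPLE_DIR/sshd_config" "$SAMPLE_DIR/user" unpatched)"
```

With the sample files, the patched sshd reports ssh=yes telnet=no (the configuration the audit asked for), while the unpatched sshd reports ssh=no telnet=no, because root's rlogin=false is applied to ssh as well.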
