AIX remote root logins

Donnie Cranford mozilla at attbi.com
Sun Oct 13 13:42:38 EST 2002


Isn't this patch included in the current 3.5p1 CVS??
I looked at the src code in the snapshot I pulled and I could swear it's
the same exact code.



Darren Tucker wrote:

>Mark Janssen wrote:
>
>>On Sun, 2002-10-13 at 00:40, Donnie Cranford wrote:
>>
>>>I am in the process of introducing OpenSSH into our corporate environment.
>>>This environment includes Solaris / HP-UX / AIX and Linux
>>>
>>>We have had audit tell us we need to disable root logins through telnet...
>>>we can do this through the use of OpenSSH on all platforms except AIX
>>>apparently bug # 383 was supposed to take care of this, and I have
>>>downloaded the -current snapshot and tested it, but remote root logins
>>>through SSH still do not work.
>>>
>
>Most platforms have special login controls for root (eg /etc/securetty
>or /etc/default/login). Sshd has its own (PermitRootLogin).
>
>AIX has generic login control for all accounts (through the function
>"loginrestrictions") which sshd checks (if WITH_AIXAUTHENTICATE is
>defined).
>
>The bug has a patch by Dr. Jörg Petersen which doesn't call
>loginrestrictions for root. This makes sense to me as you can still
>disable root logins with "PermitRootLogin no", which is consistent with
>most other platforms. Without this patch it's not possible to disable
>root logins via telnet but permit them via ssh; it's both or neither.
>With it, they're independent.
>
>I'm not sure if there's a philosophical objection to the patch or
>it's just not been looked at.
>
>
>>I'm running it at a multinational I work for, on AIX and HP, with
>>Allow-root logins on 'without-password' (keyfiles only). It works
>>perfectly... but you need to configure SSH without
>>USE_AIX_AUTHENTICATION; otherwise it won't work...
>>
>
>Be aware that removing WITH_AIXAUTHENTICATE from config.h also disables
>some of AIX's security features (eg lockout on bad logins and expired
>accounts) so ssh can be used for password-guessing attacks.
>
>
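
The check Darren describes, modelled as an added illustration (this is not the patch from bug 383 and not OpenSSH's own code): aix_login_allowed() stands in for sshd's per-account decision, with a constructed loginrestrictions() and made-up accounts so it builds off AIX; on AIX itself the real function from <login.h> is used instead. The parameters permit_root_login and skip_root_check are this example's own, standing for sshd's PermitRootLogin and for the patched (root not passed to loginrestrictions) versus unpatched behaviour.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#ifdef _AIX
#include <login.h>   /* the real loginrestrictions(); link with -ls */
#else
/* Stand-in for AIX's loginrestrictions() so this builds elsewhere. Constructed
 * account data: root has rlogin=false (telnet denied), "alice" is unrestricted,
 * "bob" is locked. Like the real call: 0 = permitted, -1 + message = denied. */
#define S_RLOGIN 4   /* value is arbitrary in this stand-in */
static int loginrestrictions(const char *name, int mode, const char *tty,
                             char **msg)
{
    (void)mode; (void)tty;
    if (strcmp(name, "root") == 0) { *msg = "Remote logins not allowed."; errno = EPERM; return -1; }
    if (strcmp(name, "bob") == 0)  { *msg = "Account is locked."; errno = EPERM; return -1; }
    *msg = NULL;
    return 0;
}
#endif

/* Simplified model of sshd's per-account check on AIX (illustration only).
 * permit_root_login: sshd's PermitRootLogin (1 = yes, 0 = no).
 * skip_root_check: 1 = the patched behaviour (root is not passed to
 * loginrestrictions()), 0 = the unpatched behaviour. Returns 1 if allowed. */
int aix_login_allowed(const char *name, uid_t uid, int permit_root_login,
                      int skip_root_check, char *reason, size_t rlen)
{
    char *msg = NULL;
    if (uid == 0 && !permit_root_login) {
        snprintf(reason, rlen, "denied by PermitRootLogin no");
        return 0;
    }
    /* Unpatched: root must pass the AIX rlogin restriction too, so a telnet
     * ban on root also bans ssh. Patched: PermitRootLogin alone governs root. */
    if ((uid != 0 || !skip_root_check) &&
        loginrestrictions(name, S_RLOGIN, NULL, &msg) != 0) {
        snprintf(reason, rlen, "denied by loginrestrictions: %s",
                 msg ? msg : strerror(errno));
        return 0;
    }
    snprintf(reason, rlen, "allowed");
    return 1;
}
```

With the constructed data, root is refused when skip_root_check is 0 (the telnet ban carries over to ssh) and allowed when it is 1 and PermitRootLogin is yes; "bob" is refused either way because his lockout still goes through loginrestrictions().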
More information about the openssh-unix-dev mailing list