Functionality bug (possibly) in openssh on AIX 4.3 (fwd)

mouring at etoh.eviladmin.org
Fri Apr 27 09:00:56 EST 2001


Has anyone else running AIX tried this patch?  I'm looking for feedback
if it should be applied before we release 2.9p1.

- Ben

---------- Forwarded message ----------
Date: Tue, 24 Apr 2001 17:22:02 -0800 (AKDT)
From: mikem at alaska.net
To: openssh-unix-dev at mindrot.org
Subject: Functionality bug (possibly) in openssh on AIX 4.3


Hi Folks,

While compiling and testing openssh-2.5.2p2 on various AIX platforms, I've
found that ssh will not accept root (based on ssh key credentials) logins
at all if the AIX security features have been set to disallow remote root
logins.  If I disable the AIX security feature (enable remote root
logins), I can then do bad things like rsh, telnet, etc. into the box as
root.

[...]

*** auth.c      Tue Apr 24 16:01:02 2001
--- ../openssh-2.5.2p2/auth.c   Mon Mar 19 13:15:57 2001
***************
*** 142,164 ****
        }

  #ifdef WITH_AIXAUTHENTICATE
!         if ((pw->pw_uid != 0) && (loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &loginmsg) != 0)) {
!                 if (loginmsg && *loginmsg) {
!                         /* Remove embedded newlines (if any) */
!                         char *p;
!                         for (p = loginmsg; *p; p++) {
!                                 if (*p == '\n')
!                                         *p = ' ';
!                         }
!                         /* Remove trailing newline */
!                         *--p = '\0';
!                         log("Login restricted for %s: %.100s", pw->pw_name, loginmsg);
!                 }
!                 return 0;
!         }
  #endif /* WITH_AIXAUTHENTICATE */
-
-

        /* We found no reason not to let this user try to log on... */
        return 1;
--- 142,162 ----
        }

  #ifdef WITH_AIXAUTHENTICATE
!       if (loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &loginmsg) != 0) {
!               if (loginmsg && *loginmsg) {
!                       /* Remove embedded newlines (if any) */
!                       char *p;
!                       for (p = loginmsg; *p; p++) {
!                               if (*p == '\n')
!                                       *p = ' ';
!                       }
!                       /* Remove trailing newline */
!                       *--p = '\0';
!                       log("Login restricted for %s: %.100s", pw->pw_name, loginmsg);
!               }
!               return 0;
!       }
  #endif /* WITH_AIXAUTHENTICATE */

        /* We found no reason not to let this user try to log on... */
        return 1;
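
Review bot: The (pw->pw_uid != 0) test on the "***" side exempts uid 0 from loginrestrictions() altogether, not only from the remote root login setting described in the message, and it applies to every authentication method rather than just key-based logins. Any other restriction that call would report for root is skipped as well, and nothing is logged when the check is bypassed. Consider narrowing the exemption, for example by tying it to sshd's own root-login policy, or at least logging that the AIX check was skipped for root. Two smaller points: the diff direction looks reversed, since the modified auth.c (Apr 24) is the "***" from-file and the pristine ../openssh-2.5.2p2/auth.c (Mar 19) is the "---" to-file, so it needs patch -R or regenerating; and *--p = '\0' drops the last character of loginmsg whether or not the message ended in a newline, which is unchanged by this patch but worth fixing while the block is being touched.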




