| Summary: | PublicKeyAuthentication failure when rlogin set to false | ||
|---|---|---|---|
| Product: | Portable OpenSSH | Reporter: | Jim Davidson <jim.a.davidson> |
| Component: | sshd | Assignee: | OpenSSH Bugzilla mailing list <openssh-bugs> |
| Status: | CLOSED FIXED | ||
| Severity: | normal | ||
| Priority: | P2 | ||
| Version: | -current | ||
| Hardware: | All | ||
| OS: | AIX | ||
Description
Jim Davidson
2002-08-09 19:43:31 AEST
What does "rlogin set to false" mean?

On an AIX system, if chuser rlogin=false <account> is set then it is no longer possible using PublicKeyAuthentication to issue ssh <command> or scp using that account. We need to be able to do this.

My suggestion is the following (since I'm not 100% up to speed on AIX): do sshd -d -d -d with rlogin=false, then return it with rlogin=true. Diff the two and hopefully that will narrow down the differences. - Ben

Here's the reason from the log:

"Login restricted for root: 3004-306 Remote logins are not allowed for this account."

What version are you upgrading from? All versions I checked back to 2.1.1p4 contained the following test in auth.c:

```c
if (loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &loginmsg) != 0) {
	[snip]
	log("Login restricted for %s: %.100s", pw->pw_name, loginmsg);
}
```

To me it seems to be working like it should: if you disable remote logins you can't log in remotely.

Ah, I think I know why you're seeing it now. Were your previous binaries compiled on AIX 4.2 perchance? The loginrestrictions() test is wrapped inside "#ifdef WITH_AIXAUTHENTICATE". Configure defines that if it can find the function "authenticate". On 4.2, authenticate is in libs.a. On 4.3, it's in libc.a. Configure didn't check in libs.a. The upshot is that if you compile 3.4p1 or below on AIX 4.2, WITH_AIXAUTHENTICATE doesn't get defined and the loginrestrictions() test doesn't get compiled in. In -cvs, configure has been fixed to look in libs.a if necessary, so behaviour will be consistent between AIX versions.

The quick way to get the behaviour you want is to set "#define WITH_AIXAUTHENTICATE 0" in config.h after running configure, then recompile. This is probably not a long-term solution as it also disables other things (eg lockout on bad logins and logging of successful logins). You may need to rethink your strategy.

We do not use password authentication for this account. On HP, OSF/1 and Solaris machines, if the root account is set to only log in on the console, then we authenticate in the normal way (using PublicKeyAuthentication) and can then issue ssh <command> or scp using the root account on that machine. It is only with AIX that we see this being rejected. Is there a particular reason why AIX is unique in this behaviour? Thanks.

This is my workaround:
--- auth.c.orig Wed Oct 3 19:55:27 2001
+++ auth.c Mon Nov 12 10:43:49 2001
@@ -158,7 +158,7 @@
}
#ifdef WITH_AIXAUTHENTICATE
- if (loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &loginmsg) != 0) {
+ if ((pw->pw_uid != 0) && (loginrestrictions(pw->pw_name, S_RLOGIN, NULL,
&loginmsg) != 0)) {
if (loginmsg && *loginmsg) {
/* Remove embedded newlines (if any) */
char *p;
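Review bot: the new condition `(pw->pw_uid != 0) && (loginrestrictions(...) != 0)` short-circuits before the call for uid 0, so root bypasses every restriction loginrestrictions() enforces, not only the rlogin attribute this bug is about; since the effect is that PermitRootLogin becomes the sole gate for root on AIX, add a comment at the check saying so and document it for AIX admins, so nobody expects an AIX-side lock on root to stop ssh. As a style point, the wrapped continuation line `&loginmsg) != 0)) {` should be indented to line up with the opening parenthesis rather than flush with the `if`.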
Not accepted by OpenSSH developers, but what most AIX admins seem to need: close out root by all AIX means, but let him in by ssh only...

The more I think about it, the more I like Jörg's uid != 0 patch. Other platforms implement their own login controls for root (eg /etc/securetty or /etc/default/login) and sshd ignores them in favour of its own mechanism (PermitRootLogin). I'm in favour of the patch. If required, you can still disable root logins via ssh by setting "PermitRootLogin no". What's the argument against it?

committed

Mass change of RESOLVED bugs to CLOSED
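The following is an added example, not code from the bug or from OpenSSH, that models the auth.c gate discussed above so the effect of the uid != 0 patch can be seen side by side with the original check. AIX's loginrestrictions() is not available off AIX, so it is replaced by a hypothetical stub driven by a constructed account table; the account names, uids and the "locked" flag are all made up, and only the 3004-306 message text comes from the page. The second uid-0 account ("toor") is there to show that the patched check skips every restriction the call would report for uid 0, not just rlogin=false, which is why PermitRootLogin becomes the only root gate once the patch is applied.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the sshd auth.c login gate from this bug. The real
 * AIX loginrestrictions() is replaced by a hypothetical stub below. */

struct acct {
    const char *name;
    unsigned    uid;
    int         rlogin_false;  /* set by "chuser rlogin=false <account>" */
    int         locked;        /* another restriction the real call also reports */
};

/* Constructed sample accounts; "toor" is a second uid-0 account. */
static const struct acct accounts[] = {
    { "root", 0,    1, 0 },
    { "toor", 0,    0, 1 },
    { "ops",  1001, 1, 0 },
    { "dev",  1002, 0, 0 },
};

static const struct acct *find_acct(const char *name) {
    size_t i;
    for (i = 0; i < sizeof(accounts) / sizeof(accounts[0]); i++)
        if (strcmp(accounts[i].name, name) == 0)
            return &accounts[i];
    return NULL;
}

/* Stub for loginrestrictions(pw_name, S_RLOGIN, NULL, &loginmsg):
 * 0 when the login is permitted, nonzero with a message otherwise. */
static int stub_loginrestrictions(const struct acct *a, const char **loginmsg) {
    if (a->locked) {
        *loginmsg = "account is locked (constructed message)";
        return 1;
    }
    if (a->rlogin_false) {
        *loginmsg = "3004-306 Remote logins are not allowed for this account.";
        return 1;
    }
    *loginmsg = NULL;
    return 0;
}

/* Message the stub would log for an account; NULL if none or unknown. */
const char *deny_reason(const char *name) {
    const struct acct *a = find_acct(name);
    const char *msg = NULL;
    if (a == NULL)
        return NULL;
    stub_loginrestrictions(a, &msg);
    return msg;
}

/* Original auth.c: every account, root included, must pass the check.
 * Returns 1 = allowed, 0 = denied, -1 = unknown account. */
int allowed_original(const char *name) {
    const struct acct *a = find_acct(name);
    const char *msg;
    if (a == NULL)
        return -1;
    return stub_loginrestrictions(a, &msg) == 0;
}

/* Jörg's patch: "(pw->pw_uid != 0) && (loginrestrictions(...) != 0)",
 * so uid 0 never reaches the AIX check at all. */
int allowed_patched(const char *name) {
    const struct acct *a = find_acct(name);
    const char *msg;
    if (a == NULL)
        return -1;
    if (a->uid != 0 && stub_loginrestrictions(a, &msg) != 0)
        return 0;
    return 1;
}

/* With the patch, sshd's own PermitRootLogin is the remaining root gate. */
int allowed_patched_permitroot(const char *name, int permit_root_login) {
    const struct acct *a = find_acct(name);
    if (a == NULL)
        return -1;
    if (a->uid == 0 && !permit_root_login)
        return 0;
    return allowed_patched(name);
}

int main(void) {
    size_t i;
    printf("%-6s %-9s %-8s %s\n", "acct", "original", "patched", "reason");
    for (i = 0; i < sizeof(accounts) / sizeof(accounts[0]); i++) {
        const char *n = accounts[i].name;
        const char *r = deny_reason(n);
        printf("%-6s %-9d %-8d %s\n", n, allowed_original(n),
               allowed_patched(n), r ? r : "-");
    }
    return 0;
}
```

Running it prints one row per constructed account: root and toor are denied by the original check and admitted by the patched one, ops stays denied under both because the patch only exempts uid 0, and dev is admitted under both. The `allowed_patched_permitroot` function shows the control the developers point to in the thread, PermitRootLogin no, still closing root out after the patch.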