| Field | Value |
|---|---|
| Summary: | ssh does not properly utilize OS specified authentication methods on AIX |
| Product: | Portable OpenSSH |
| Reporter: | Ken Robinson <phoenix> |
| Component: | Miscellaneous |
| Assignee: | OpenSSH Bugzilla mailing list <openssh-bugs> |
| Status: | CLOSED FIXED |
| Severity: | normal |
| Priority: | P2 |
| Version: | -current |
| Hardware: | PPC |
| OS: | AIX |
| Bug Depends on: | |
| Bug Blocks: | 914 |
| Attachments: | |
Description

Ken Robinson
2003-09-24 15:02:21 AEST

Created attachment 464 [details]
Move AIX password auth to port-aix.c and use authenticate's reenter

Please try this patch. I've had this in a local tree for a month or so but up until now I haven't heard of anyone who actually used that functionality (and therefore would be able to test it!) Regular SYSTEM password auth still works for me (AIX 5.2 tested).

What are you using non-SYSTEM auth for? It's not an eNetwork firewall is it?
The above patch does not address the issue. The system still accepts any keystroke(s) as an acceptable password for IDs with auth1 set to something other than SYSTEM regardless of what it should be.

Created attachment 465 [details]
Add call to setauthdb() in auth.c

The only other thing I can guess is it needs a call to setauthdb before authenticate, please try the attached patch (apply to a vanilla 3.7.1p2 tree).
I applied the second patch to a vanilla p2 tree, and still had the same issue. For a non-SYSTEM auth1 userID, SSH allowed any and no key sequence to be accepted. The configuration options chosen were those on Darren Tucker's AIX SSH page.

This is specific to the account configuration. Without going into too much detail, the problem is this: the accounts were configured with the following AIX authentication settings:

    SYSTEM=none
    auth1=somemodule
    auth2=none

The problem is sshd uses AIX's authenticate() function, which knows only SYSTEM, not auth1 or auth2 (AFAIK those are the domain of ckuserID(), which is documented as obsolete, and would be very difficult to support sanely in sshd anyway). I think the best sshd can do in this case is to detect an unsupportable authentication configuration (currently my best guess is SYSTEM=NONE && auth1 != NONE, feedback wanted!) and deny the login.

Created attachment 534 [details]
Check AIX accounts for SYSTEM=NONE

First attempt at testing accounts for SYSTEM=NONE and auth1!=NONE.

I think it's too late for this patch to go for the next release. Since it has had very limited testing, it has potential for mayhem by denying access to accounts, simply because they have an unusual but otherwise valid config. It should probably go in early in the next release cycle.

Created attachment 668 [details]
Check for SYSTEM==NONE and auth1 != NONE or SYSTEM.

Update to current, move check to after authenticate, make aix_valid_authentications static.
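The account check discussed in the comments above, written out as an added example. This is not OpenSSH's port-aix.c code and does not call the AIX API; it takes the SYSTEM and auth1 attribute values as plain strings so the decision logic can be exercised on any system. The function name aix_auth_config_supported, the treatment of auth1 as a comma-separated list, and the case-insensitive matching (the thread writes both "none" and "NONE") are assumptions of this example.

```c
/*
 * Added example, not OpenSSH's own code.
 *
 * sshd on AIX authenticates passwords with authenticate(), which honours
 * only the SYSTEM attribute. When SYSTEM is NONE, authenticate() has
 * nothing to verify, so an account whose real authentication lives in
 * auth1 is let in with any password. The rule settled on in the bug:
 * if SYSTEM is NONE, every auth1 entry must be NONE or SYSTEM; anything
 * else is a configuration sshd cannot honour and the login is denied.
 *
 * Assumptions (not from the bug page): attribute values are passed in as
 * C strings, auth1 may be a comma-separated list, matching is
 * case-insensitive, and a missing attribute is treated as "deny".
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive compare of a length-delimited token against a word. */
static int
token_equals(const char *tok, size_t len, const char *word)
{
	size_t i;

	if (strlen(word) != len)
		return 0;
	for (i = 0; i < len; i++)
		if (tolower((unsigned char)tok[i]) !=
		    tolower((unsigned char)word[i]))
			return 0;
	return 1;
}

/*
 * Return 1 if authenticate()-based password auth can be trusted for an
 * account with these attributes, 0 if sshd should deny the login.
 * Failure to obtain either attribute (NULL) is treated as unsupportable.
 */
int
aix_auth_config_supported(const char *sys, const char *auth1)
{
	const char *p;

	if (sys == NULL || auth1 == NULL)
		return 0;

	/* SYSTEM is something other than NONE: authenticate() will check it. */
	if (!token_equals(sys, strlen(sys), "NONE"))
		return 1;

	/* SYSTEM=NONE: only a trivial auth1 (NONE or SYSTEM entries) is OK. */
	p = auth1;
	for (;;) {
		const char *end = strchr(p, ',');
		size_t len = end != NULL ? (size_t)(end - p) : strlen(p);
		const char *tok = p;

		/* Trim whitespace around the list entry. */
		while (len > 0 && isspace((unsigned char)*tok)) {
			tok++;
			len--;
		}
		while (len > 0 && isspace((unsigned char)tok[len - 1]))
			len--;

		if (len > 0 && !token_equals(tok, len, "NONE") &&
		    !token_equals(tok, len, "SYSTEM")) {
			fprintf(stderr,
			    "unsupported auth1 entry '%.*s' with SYSTEM=NONE\n",
			    (int)len, tok);
			return 0;
		}
		if (end == NULL)
			break;
		p = end + 1;
	}
	return 1;
}

int
main(void)
{
	/* Constructed cases; the third mirrors the reporter's accounts. */
	struct { const char *sys, *auth1; } cases[] = {
		{ "compat", "SYSTEM" },
		{ "NONE", "NONE" },
		{ "none", "somemodule" },
		{ "NONE", "SYSTEM, somemodule" },
	};
	size_t i;

	for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
		printf("SYSTEM=%s auth1=%s -> %s\n", cases[i].sys,
		    cases[i].auth1,
		    aix_auth_config_supported(cases[i].sys, cases[i].auth1) ?
		    "allow" : "deny");
	return 0;
}
```

The deny-on-missing-attribute stance is deliberate: the failure mode in this bug is an open door, so an error while reading the account's attributes should fail closed rather than fall back to authenticate() alone.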
I have committed patch #668, and it will be in tomorrow's snapshot. Because this patch will (should!) affect only a minority of AIX users I'm keeping the bug open for now.

Patch #668 was in the 3.9p1 release, closing.

With the release of OpenSSH 4.0, these bugs are now closed. For details, see: http://www.openssh.com/txt/release-4.0