Re: How to use SSH and password aging together on AIX 5.1?

From: Jan-Frode Myklebust (janfrode@parallab.uib.no)
Date: 06/06/02


From: Jan-Frode Myklebust <janfrode@parallab.uib.no>
Date: 6 Jun 2002 07:34:32 GMT

On 05 Jun 2002 14:41:15 GMT, those who know me have no need of my name <not-a-real-address@usa.net> wrote:
> in comp.security.ssh i read:
>
>>I am installing an IBM AIX 5.1 multi-user server at the moment. In the light
>>of security we want to:
>> 1 restrict access to the system to a safe protocol such as SSH
>> 2 use AIX built-in facilities to force users to change their
>>passwords after they have expired or been set by root.
>
> sorry, but i passed right over what you wanted to do in trying to eliminate
> the error message.
>
> ssh is not the tool you want. why? because it presumes to know how to
> authenticate users, i.e., it *intends* to replace your login program
> entirely.

Rubbish. sshd tries to use as much as it can to set up the same login environment
as other login programs. That it doesn't check for expired passwords can be seen
as a bug, as it does seem to check the expiry field on other systems (either via PAM
or manually).

I don't think it should be too hard to add this feature to ssh, as most of it
already seems to be there. You just need the AIX specific parts.. On the other hand,
AIX 5.2 is supposed to come with PAM _and_ PAM libraries, so that might be a better
solution than hacking up special routines for AIX.

>
> i suggest you look into moving to an ssl environment, e.g., daemons of this
> kind can usually be configured to reject non-ssl sessions (which prevents
> clear-text transfer of client credentials), or to a kerberized environment
> (which aix natively supports). another alternative may be ipsec or ipv6,
> though i'm not sure how well it's supported by aix.
>

ssl-tunneling can be a solution, but it's hard to set up for the users and it's
very limited compared to ssh.

 
  -jf
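As an added illustration of the "AIX specific part" the reply refers to (this is not code from the post or from any sshd), here is a POSIX shell check that applies the AIX expiry rule, maxage weeks since lastupdate, to the output of `lsuser -a maxage lastupdate <user>`. The sample lines and the clock value are constructed; the attribute names and units (maxage in weeks, lastupdate in epoch seconds, maxage=0 meaning no expiry) are the AIX ones.

```shell
#!/bin/sh
# Constructed samples of `lsuser -a maxage lastupdate <user>` output (AIX).
# Real output has the same shape: "name maxage=<weeks> lastupdate=<epoch secs>".
SAMPLE_EXPIRED="alice maxage=13 lastupdate=1015000000"
SAMPLE_FRESH="bob maxage=13 lastupdate=1023000000"
SAMPLE_NEVER="svc maxage=0 lastupdate=900000000"
# Constructed "current time": 6 Jun 2002, roughly when the thread was written.
NOW=1023350000

# password_state LINE NOW
# Prints "expired", "ok" or "never" for one lsuser line; exit status 0 only
# when the password has expired, so it can be used directly in an `if`.
password_state() {
    line=$1
    now=$2
    # Extract maxage and lastupdate with parameter expansion (no external tools).
    rest=${line#*maxage=}
    maxage=${rest%% *}
    rest=${line#*lastupdate=}
    last=${rest%% *}
    # AIX: maxage=0 means the password never ages.
    if [ "$maxage" -eq 0 ]; then
        echo never
        return 1
    fi
    # Expiry instant = last change + maxage weeks (7 days of 86400 s).
    expiry=$((last + maxage * 7 * 86400))
    if [ "$now" -ge "$expiry" ]; then
        echo expired
        return 0
    fi
    echo ok
    return 1
}

# Report every sample; a real deployment would feed live lsuser output instead.
for sample in "$SAMPLE_EXPIRED" "$SAMPLE_FRESH" "$SAMPLE_NEVER"; do
    user=${sample%% *}
    state=$(password_state "$sample" "$NOW")
    echo "$user: $state"
done
```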


