Re: ssh bypassing OS procedures?

From: Chuck (hal___jordan@hotmail.com)
Date: 13 Sep 2002 11:02:06 -0700

"Nico Kadel-Garcia" <nkadel@bellatlantic.net> wrote in message news:<B0eg9.8554$HT2.3795@nwrddc04.gnilink.net>...
> "Chuck" <hal___jordan@hotmail.com> wrote in message
> news:b1713487.0209120552.160edd4c@posting.google.com...
> > Platform: Sparc/Solaris 2.6
> > Version OpenSSH: 3.4p1
> > I have a ftp server setup so that if the users don't change their
> > passwords every thirty days, the OS will lock the user account. This
> > is done by normal means through /etc/default/passwd. I have a user who
> > believes that it doesn't matter whether or not his user id is locked,
> > he can still ssh into the system via private key authentication. He
> > maintains that ssh doesn't care what the OS says, it will still grant
> > access. Any application that totally bypasses the OS sounds awfully
> > suspect to me. I don't believe SSH would do this. And I have been
> > unable to make SSH perform in this way. My question: Can you really
> > configure ssh so that it bypasses the OS's procedure and just
> > authenticates through encrypted keys?
>
> Authentication through the keys avoids the password authentication, true.
> And locking an account fully should be done by both disabling the password
> and disabling the user's shell. Disabling his shell should help to spike
> this trick.
>
> Why are you giving user accounts on your ftp server? Secure FTP servers
> should *NEVER* have user accounts with the same passwords as the ftp
> accounts. Look at proftpd for examples of how to correctly configure ftp
> accounts to have distinct passwords from the shell accounts.
>
> > By the way, the user uses rsync to transfer files and seems to have
> > found a way to transfer files despite the fact that his user id is
> > locked. More power to him. I'm impressed by his ability to adapt, but
> > ... how did he do that??
>
> "rsync -e ssh"
>
> Read the man page on rsync for more details.

Thanks very much for all the info.

Actually most of the users have the shell /etc/ftponly, but this one
is "special". As for the reasons behind the ftp server's
configuration: (1) it was configured that way when my group took
responsibility for it, and (2) even if I had set it up myself, I'm not sure
I would've done it differently, because I didn't know about proftpd or
security concepts on an ftp server. But now I do, thanks to your post!
:)

Thanks again.
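The practical check that follows from this thread, as an added example (not code from either poster): public-key authentication never touches the password, so an account whose password the OS has locked or aged out can still be reached with `ssh -i key` (and so with `rsync -e ssh`) as long as its login shell still works and an `authorized_keys` file exists. The script below audits passwd/shadow for that combination. It assumes Solaris-style shadow fields (a locked hash starting with `*LK*`, aging enforced when today minus the last-change day exceeds the max-age field) and builds its own constructed sample files, users, and keys in a temporary directory; none of those names or values come from the page.

```shell
#!/bin/sh
# Added example for this thread, not code from the original posts. It audits
# for exactly the gap described above: accounts whose password the OS has
# locked (*LK*) or aged out, but which still have a real login shell and an
# ~/.ssh/authorized_keys, so "ssh -i key" (and therefore "rsync -e ssh")
# gets in regardless of the password state.
#
# Assumptions, all constructed here rather than taken from the page:
#   - Solaris-style /etc/shadow fields  name:hash:lastchg:min:max:warn:...
#     with a locked hash starting with *LK* and aging enforced when
#     today - lastchg > max (days since the epoch).
#   - Sample passwd/shadow files, home directories and keys are built in a
#     temp directory by build_sample; "today" is passed in for reproducibility.

# Shells that cannot start an interactive or rsync session. Add the site's own
# restricted shell (the thread's /etc/ftponly) if it refuses command execution.
NOLOGIN_RE='/(false|nologin)$'

# Print "user shell" for every account the OS would block at the password
# prompt but that can still log in with a key.
find_key_bypass() {
    passwd_file=$1; shadow_file=$2; today=$3
    awk -F: -v today="$today" -v nologin="$NOLOGIN_RE" '
        # First file (passwd): remember shell and home directory per user.
        NR == FNR { shell[$1] = $7; home[$1] = $6; next }
        # Second file (shadow): decide whether the password path is blocked.
        {
            user = $1; hash = $2; lastchg = $3; maxage = $5
            blocked = 0
            if (hash ~ /^\*LK\*/) blocked = 1
            if (maxage != "" && lastchg != "" && today - lastchg > maxage) blocked = 1
            if (!blocked) next
            # A non-login shell closes the key path too; nothing to report.
            if (shell[user] == "" || shell[user] ~ nologin) next
            # A readable, non-empty authorized_keys means key auth is still open.
            keys = home[user] "/.ssh/authorized_keys"
            if ((getline line < keys) > 0) {
                close(keys)
                print user, shell[user]
            }
        }' "$passwd_file" "$shadow_file"
}

# Build a constructed sample environment and print its root directory.
#   alice: *LK* locked, real shell, has a key      -> the case from the thread
#   bob:   password aged out (70 days > max 30), real shell, has a key
#   carol: *LK* locked, shell /bin/false            -> properly locked
#   dave:  *LK* locked, real shell, no authorized_keys
#   erin:  live password, real shell, has a key     -> not locked, not reported
build_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/home/alice/.ssh" "$root/home/bob/.ssh" \
             "$root/home/carol/.ssh" "$root/home/dave" "$root/home/erin/.ssh"
    cat > "$root/passwd" <<EOF
alice:x:1001:10::$root/home/alice:/bin/ksh
bob:x:1002:10::$root/home/bob:/bin/sh
carol:x:1003:10::$root/home/carol:/bin/false
dave:x:1004:10::$root/home/dave:/bin/sh
erin:x:1005:10::$root/home/erin:/bin/sh
EOF
    cat > "$root/shadow" <<EOF
alice:*LK*abcdefghijklm:11900:7:30:7:::
bob:abcdefghijklm:11850:7:30:7:::
carol:*LK*abcdefghijklm:11900:7:30:7:::
dave:*LK*abcdefghijklm:11900:7:30:7:::
erin:abcdefghijklm:11900:7:30:7:::
EOF
    for u in alice bob carol erin; do
        echo "ssh-rsa AAAAB3NzaC1yc2EAAA constructed-key $u@example" \
            > "$root/home/$u/.ssh/authorized_keys"
    done
    echo "$root"
}

# Stand-alone run on the constructed sample with "today" = day 11920.
sample=$(build_sample)
find_key_bypass "$sample/passwd" "$sample/shadow" 11920
rm -rf "$sample"
```

Run it against the real `/etc/passwd` and `/etc/shadow` with today's day number, and every line it prints is an account whose password lock means nothing to sshd. Closing the gap is what the reply recommends: set the shell to a non-login shell as well as locking the password, and remove or rename the user's `authorized_keys`. Later OpenSSH releases added their own checks for locked-password markers and expiry on key logins, so confirm the behaviour on the release actually installed rather than assuming either way.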


