Re: How restrict network login on AIX for everything BUT SSH? (RLOGIN=FALSE & loginrestrictions question)
- From: Darren Tucker <dtucker@xxxxxxxxxxxxxxxx>
- Date: 20 Apr 2006 12:13:48 GMT
On 2006-04-19, RV <news@xxxxxxxxxxxxxx> wrote:
> In IBM's AIX there is a security option to restrict network login
> (RLOGIN=FALSE security stanza in /etc/security/user). This works great on
> restricting an account from using telnet, rsh, rlogin and SSH.
> Unfortunately I WANT to disable telnet, rsh, rlogin etc. for an account,
> BUT keep SSH enabled. I can't figure out how. In AIX v4.3.3, 5.1 and
> 5.2 we did this by writing a custom LAM module to restrict access to an
> account to the console and bypass having to set RLOGIN=FALSE; it really
> only worked on telnet, but that was enough... However in AIX v5.3 full
> PAM support was added, and our LAM module broke and we have been unable
> to figure out how to get it working again.
> I have tried setting rlogin=false and set the account to use PAM (and
> compiled SSH with PAM support). Still can't get it to work; it seems that
> SSH queries AIX loginrestrictions BEFORE it tries PAM, so the account is
> "locked" before it even tries PAM.
Yes, this check is done early in the process. The hook is in auth.c (look
for sys_auth_allowed_user; the actual implementation is in port-aix.c).
Originally, PAM and AIX's native auth system were mutually exclusive
(because no AIX systems had PAM) and so the code is separate.
There are several such conflicts where options that were previously
mutually exclusive now aren't, and we have plans to merge these parts
into common sections that will allow better control of the interactions
(or not, as the case may be). Unfortunately this is mildly tricky and
time and resources have not permitted so far.
Anyway, you can rebuild sshd to remove the support for AIX's auth
system by editing config.h and removing or commenting out the "#define
WITH_AIXAUTHENTICATE" line and recompiling.
This will remove *all* support (including lockouts, password expiry and
so on) so you will need to make sure your PAM config takes care of those
(or at least the ones you care about :-).
> Anyone know how to get SSH to ignore or override the AIX
> Loginrestrictions() (RLOGIN=FALSE) on AIX v5.3? Or another way to
> accomplish this?
> BTW. Running AIX v5.3 and OpenSSH v4.2p1
If you want to keep the native support, I can't think of a way other
than modifying sshd, but it's trivial: find the loginrestrictions()
call in openbsd-compat/port-aix.c and change the S_RLOGIN flag to S_LOGIN.
This will check the account for local login rights (so your ssh users
will need "login=TRUE" rather than "rlogin=TRUE"), but the other checks
should remain the same.
Good luck with whatever you decide.
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
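As an added illustration, not code from this thread or from OpenSSH, the Python below parses a constructed /etc/security/user fragment and reports which accounts sshd's loginrestrictions() check would admit with the stock S_RLOGIN flag versus the S_LOGIN change suggested above. It assumes only the stanza layout of that file (a `default:` stanza whose attributes are inherited by user stanzas that do not override them).

```python
"""Audit which accounts pass sshd's AIX loginrestrictions() check under the
stock S_RLOGIN flag (honours rlogin=) and under S_LOGIN (honours login=)."""

# Constructed sample of /etc/security/user; not taken from any real system.
SAMPLE = """\
* default values inherited by every user stanza below
default:
        admin = false
        login = true
        rlogin = true

svcacct:
        login = true
        rlogin = false

batch:
        login = false
        rlogin = false

webdev:
        rlogin = false

dba:
"""

def parse_stanzas(text):
    """Parse AIX stanza format: an unindented 'name:' opens a stanza, indented
    'attr = value' lines belong to it, and lines starting with '*' are comments."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):
            continue
        if line.endswith(":") and not raw[0].isspace():
            current = line[:-1]
            stanzas[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip().lower()
    return stanzas

def effective(stanzas, user, attr):
    """Attribute lookup with fallback to the default: stanza (AIX semantics)."""
    if attr in stanzas.get(user, {}):
        return stanzas[user][attr]
    return stanzas.get("default", {}).get(attr, "true")

def ssh_permitted(stanzas, user, flag):
    """S_RLOGIN consults rlogin=, S_LOGIN consults login=; 'true' admits."""
    attr = {"S_RLOGIN": "rlogin", "S_LOGIN": "login"}[flag]
    return effective(stanzas, user, attr) == "true"

def audit(text):
    """Map each non-default user to its verdict under both flags."""
    st = parse_stanzas(text)
    return {u: {f: ssh_permitted(st, u, f) for f in ("S_RLOGIN", "S_LOGIN")}
            for u in st if u != "default"}
```

Running `audit(SAMPLE)` shows the trade-off: switching to S_LOGIN lets `svcacct` and `webdev` (rlogin=false, login=true) in over ssh while `batch` (login=false) stays locked out.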