Re: How restrict network login on AIX for everything BUT SSH? (RLOGIN=FALSE & loginrestrictions question)
- From: RV <news@xxxxxxxxxxxxxx>
- Date: Thu, 20 Apr 2006 14:57:12 GMT
Darren Tucker wrote:
On 2006-04-19, RV <news@xxxxxxxxxxxxxx> wrote:
I understand, a lot within the AIX auth system has changed since AIX 4.3.3, so I expect it will take some time to get it sorted out, and it works just fine, I expect, for most people. I'm just not most people :)
In IBM's AIX there is a security option to restrict network login (RLOGIN=FALSE security stanza in /etc/security/user). This works great at restricting an account from using telnet, rsh, rlogin and SSH.
Unfortunately I WANT to disable telnet, rsh, rlogin etc. for an account, BUT keep SSH enabled. I can't figure out how. In AIX v4.3.3, 5.1 and 5.2 we did this by writing a custom LAM module to restrict access to an account to the console and bypass having to set RLOGIN=FALSE; it really only worked on telnet, but that was enough... However, in AIX v5.3 full PAM support was added, and our LAM module broke, and we have been unable to figure out how to get it working again.
I have tried setting rlogin=false and setting the account to use PAM (and compiled SSH with PAM support). Still can't get it to work; it seems that SSH queries AIX loginrestrictions BEFORE it tries PAM, so the account is "locked" before it even tries PAM.
Yes this check is done early in the process. The hook is in auth.c (look
for sys_auth_allowed_user, the actual implementation is in port-aix.c)
Originally, PAM and AIX's native auth system were mutually exclusive
(because no AIX systems had PAM) and so the code is separate.
There are several such conflicts where options that were previously
mutually exclusive now aren't, and we have plans to merge these parts
into common sections that will allow better control of the interactions
(or not, as the case may be). Unfortunately this is mildly tricky and
time and resources have not permitted so far.
Ugh. Hmm... I'll have to think about that one. Not too keen on losing that functionality, but then again it would force me to figure out how PAM (on AIX) actually works. I'm assuming by your response that it doesn't do anything to verify the user other than make sure they exist? Where I work we are looking into running two SSHD daemons: one on the standard port for normal users with password auth, and one on a non-standard port for "group" users using keypair auth only. We currently use SSHD with keypair auth only with no passwords for various automation and to disallow root password access via SSH.
Anyway, you can rebuild sshd to remove the support for AIX's auth
system by editing config.h and removing or commenting out the "#define
WITH_AIXAUTHENTICATE" line and recompiling.
This will remove *all* support (including lockouts, password expiry and
so on) so you will need to make sure your PAM config takes care of those
(or at least the ones you care about :-).
Setting this to off wouldn't be that much of a problem for the group SSH daemon, as we generally don't set those accounts to expire, be locked or whatnot... still not keen on it, however. Thanks for letting me know that I can just disable that def. I was wondering if it would do the trick.
I had found this somewhere before (likely from you on another mailing list), I tried making the change, but it didn't like it (in port-aix.c) when I tried to compile SSH. I must have fat fingered something. Is this functionally the same as removing the "#define WITH_AIXAUTHENTICATE"?
Anyone know how to get SSH to ignore or override the AIX Loginrestrictions() (RLOGIN=FALSE) on AIX v5.3? Or another way to accomplish this?
BTW, running AIX v5.3 and OpenSSH v4.2p1.
If you want to keep the native support, I can't think of a way other
than modifying sshd, but it's trivial: find the loginrestrictions()
call in openbsd-compat/port-aix.c and change the S_RLOGIN flag to S_LOGIN.
This will check the account for local login rights (so your ssh users
will need "login=TRUE" rather than "rlogin=TRUE"), but the other checks
should remain the same.
Good luck with whatever you decide.
Thanks Darren, I had been thinking of emailing you directly (as I've been to your nice page on SSH and AIX), but figured I would not bother you directly unless I couldn't get an answer elsewhere... Thanks :)