Re: How restrict network login on AIX for everything BUT SSH? (RLOGIN=FALSE & loginrestrictions question)
- From: Darren Tucker <dtucker@xxxxxxxxxxxxxxxx>
- Date: 23 Apr 2006 14:16:09 GMT
On 2006-04-20, RV <news@xxxxxxxxxxxxxx> wrote:
> Darren Tucker wrote:
[...]
>> Originally, PAM and AIX's native auth system were mutually exclusive
>> (because no AIX systems had PAM) and so the code is separate.
>> There are several such conflicts where options that were previously
>> mutually exclusive now aren't, and we have plans to merge these parts
>> into common sections that will allow better control of the interactions
>> (or not, as the case may be). Unfortunately this is mildly tricky and
>> time and resources have not permitted so far.
>
> I understand, a lot within the AIX auth system has changed since AIX
> 4.3.3, so I expect it will take some time to get it sorted out and it
> works just fine I expect for most people. I'm just not most people :)

Actually, from an application's point of view the native auth system
hasn't changed much since AIX 4.3 to 5.3; it's grown extra arguments
(loginfailed) and extra bugs (passwdexpired) but it's basically the same.
It's just that AIX has grown a somewhat parallel system (PAM).

>> Anyway, you can rebuild sshd to remove the support for AIX's auth
>> system by editing config.h and removing or commenting out the "#define
>> WITH_AIXAUTHENTICATE" line and recompiling.
>> This will remove *all* support (including lockouts, password expiry and
>> so on) so you will need to make sure your PAM config takes care of those
>> (or at least the ones you care about :-).
>
> ugh. hmm.. I'll have to think about that one. Not too keen on losing that
> functionality, but then again it would force me to figure out how PAM
> (on aix) actually works. I'm assuming by your response that it doesn't
> do anything to verify the user other than make sure they exist?

It'll still do the things it would do on other platforms (shell exists
and is executable, DenyUsers and so forth) but without WITH_AIXAUTHENTICATE
all of the AIX specific stuff will be gone.

[...]
>> If you want to keep the native support, I can't think of a way other
>> than modifying sshd, but it's trivial: find the loginrestrictions()
>> call in openbsd-compat/port-aix.c and change the S_RLOGIN flag to S_LOGIN.
>
> I had found this somewhere before (likely from you on another mailing
> list), I tried making the change, but it didn't like it (in port-aix.c)
> when I tried to compile SSH. I must have fat fingered something. Is this
> functionally the same as removing the "#define WITH_AIXAUTHENTICATE"?

No. Changing that flag will leave the AIX specific checks in place, the
only difference is that sshd will check the "login" attribute instead of
"rlogin".

> Thanks Darren, I had been thinking of emailing you directly (as I've
> been to your nice page on SSH and AIX), but figured I would not bother
> you directly unless I couldn't get an answer elsewhere...Thanks :)

I prefer if people don't email me directly for this kind of thing;
most of the time I'll just redirect the poster to a public forum anyway.
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
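Added example, not code from the thread or from OpenSSH's port-aix.c: a portable C model of what the S_RLOGIN vs S_LOGIN choice in the loginrestrictions() call means for sshd. The mode constants, the attribute table (alice/bob/carol) and the function names are constructed placeholders so the logic runs without AIX headers; on AIX the real call is loginrestrictions(name, mode, tty, &msg).

```c
/* Added example, not OpenSSH's port-aix.c: a portable model of how the mode
 * flag passed to AIX loginrestrictions() picks the attribute that gates sshd.
 * The real call is loginrestrictions(name, mode, tty, &msg) with constants
 * from AIX's headers; here both are emulated so it runs on any platform. */
#include <string.h>

enum { S_LOGIN = 1, S_RLOGIN = 2 };  /* placeholder values, not AIX's real ones */
struct user_attrs {
    const char *name;
    int login;   /* "login" attribute: local logins permitted */
    int rlogin;  /* "rlogin" attribute: remote (telnet/rlogin) logins permitted */
};
/* Constructed sample of /etc/security/user stanzas (not real accounts). */
static const struct user_attrs USERS[] = {
    { "alice", 1, 1 },  /* defaults: everything allowed */
    { "bob",   1, 0 },  /* rlogin=false: the poster's "block telnet, keep ssh" case */
    { "carol", 0, 1 },  /* login=false: remote-only account */
};

/* Model of loginrestrictions(): returns 0 if permitted, -1 if denied. */
int model_loginrestrictions(const char *name, int mode, const char **msg)
{
    size_t i;
    for (i = 0; i < sizeof USERS / sizeof USERS[0]; i++) {
        if (strcmp(USERS[i].name, name) != 0)
            continue;
        if (mode == S_RLOGIN && !USERS[i].rlogin) {
            *msg = "Remote logins are not allowed for this account.";
            return -1;
        }
        if (mode == S_LOGIN && !USERS[i].login) {
            *msg = "Local logins are not allowed for this account.";
            return -1;
        }
        *msg = NULL;
        return 0;
    }
    *msg = "User does not exist.";
    return -1;
}

/* sshd's allowed-user decision with whichever flag it was built to pass:
 * stock sshd passes S_RLOGIN, the patch from the thread makes it S_LOGIN. */
int sshd_allows(const char *name, int flag)
{
    const char *msg;
    return model_loginrestrictions(name, flag, &msg) == 0;
}
```

The trade-off the thread implies is visible in the table: with S_LOGIN, bob (rlogin=false) can reach sshd while telnet/rlogin stay blocked, but carol (login=false) is now refused by sshd even though her rlogin attribute permits remote logins.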
- References:
- How restrict network login on AIX for everything BUT SSH? (RLOGIN=FALSE & loginrestrictions question)
- From: RV
- Re: How restrict network login on AIX for everything BUT SSH? (RLOGIN=FALSE & loginrestrictions question)
- From: Darren Tucker
- Re: How restrict network login on AIX for everything BUT SSH? (RLOGIN=FALSE & loginrestrictions question)
- From: RV