Date:      Sun, 23 Jan 2000 17:36:29 +0100
From:      Udo Schweigert <ust@cert.siemens.de>
To:        freebsd-stable@freebsd.org, freebsd-security@freebsd.org
Subject:   OpenSSH, login_getpath and /etc/login.conf
Message-ID:  <20000123173629.A858@alaska.cert.siemens.de>

Hi all,

using OpenSSH I noticed that I get the following PATH when logging in
via ssh:

~/bin:/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin

This got at least one port (print/a2ps-a4 when installing) to fail due to this
PATH-variable.

I tried to examine this a little and noticed two facts:

	1) With the default setting of "UseLogin no" in 
	   /usr/local/etc/sshd_config, sshd calls login_getpath() which does
	   not expand the ~-chars.

	2) With a setting of "UseLogin yes" this behavior disappears since
	   login() calls setusercontext() which expands the ~-chars.

The question to me is: is login_getpath() buggy or should OpenSSH use login()
by default (I don't know a reason why not)? If so, we should use the following
replacement for patches/patch-ao in the port:

--- sshd_config.orig	Sun Jan 23 17:00:35 2000
+++ sshd_config	Sun Jan 23 17:01:53 2000
@@ -3,12 +3,13 @@
 Port 22
 #ListenAddress 0.0.0.0
 #ListenAddress ::
-HostKey /etc/ssh_host_key
+HostKey __PREFIX__/etc/ssh_host_key
 ServerKeyBits 768
-LoginGraceTime 600
+LoginGraceTime 60
 KeyRegenerationInterval 3600
-PermitRootLogin yes
-#
+PermitRootLogin no
+# Rate-limit sshd connections to 5 connections per 10 seconds
+ConnectionsPerPeriod 5/10
 # Don't read ~/.rhosts and ~/.shosts files
 IgnoreRhosts yes
 # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
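
Review bot: the HostKey, LoginGraceTime, PermitRootLogin and ConnectionsPerPeriod lines in this hunk are unrelated to the PATH problem the message describes, and the message does not mention them. Please state whether they are carried over unchanged from the existing patch-ao, so that UseLogin is the only new behaviour under review. Two points to confirm either way: the `__PREFIX__` placeholder in `HostKey __PREFIX__/etc/ssh_host_key` has to be substituted by the port before the file is installed, and `PermitRootLogin no` changes who can log in on an upgraded host, which deserves a line in the port's install message.
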
@@ -47,4 +48,4 @@
 #KerberosTgtPassing yes
 
 #CheckMail yes
-#UseLogin no
+UseLogin yes
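
Review bot: `UseLogin yes` changes the session setup path for every install of the port in order to work around one symptom (the unexpanded `~` in PATH), while the message itself leaves open whether login_getpath() is the real defect. I would add a comment line above `UseLogin yes` saying why it is enabled, as was done for `ConnectionsPerPeriod` in the first hunk, and settle the login_getpath() question before making this the default.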

Regards.
-------------------------------------------------------------------------------
Udo Schweigert              || Voice      : +49 89 636 42170
Siemens AG, Siemens CERT    || Fax        : +49 89 636 41166
ZT IK 3                     || email      : Udo.Schweigert@mchp.siemens.de
D-81730 Muenchen / Germany  ||            : ust@cert.siemens.de
PGP fingerprint             || 2A 53 F6 A6 30 59 64 02  6B C4 E0 73 B2 C9 6C E7
-------------------------------------------------------------------------------
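
Added example (not part of the original message): a POSIX shell check for the condition described above, where a PATH entry still contains a literal `~`. Such an entry is not an absolute path, so the check flags it together with empty and relative entries; the function name `path_audit` and the home directory `/home/ust` are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not from the original message.

# path_audit PATH_VALUE HOME_DIR
# Prints one line per PATH entry and returns 1 if any entry is not absolute.
# The body runs in a subshell so the IFS and globbing changes do not leak.
path_audit() (
    home_dir=$2
    bad=0
    # The appended ":" keeps a trailing empty entry from being dropped
    # when the value is split on colons.
    p=$1:
    IFS=:
    set -f                      # no filename globbing while splitting
    for entry in $p; do
        case $entry in
            '')
                # An empty entry means "current directory" to exec lookups.
                printf 'empty (current directory)\n'; bad=1 ;;
            /*)
                printf 'ok %s\n' "$entry" ;;
            '~'|'~/'*)
                # Literal tilde: show what the expanded entry would be.
                printf 'tilde %s -> %s\n' "$entry" "$home_dir${entry#?}"
                bad=1 ;;
            *)
                printf 'relative %s\n' "$entry"; bad=1 ;;
        esac
    done
    exit "$bad"
)

# The PATH quoted in the message, with a constructed home directory.
path_audit '~/bin:/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin' /home/ust ||
    echo "non-absolute PATH entries found"
```

Run against `"$PATH"` and `"$HOME"` in a fresh ssh session, it shows whether the login path delivered an unexpanded entry.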

