Date:      Thu, 14 Mar 2002 15:08:15 -0800 (PST)
From:      John-David Childs <freebsd@nterprise.net>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   ports/35904: OpenSSH ports (both) appear to ignore limits in /etc/login.conf unless UseLogin is set 
Message-ID:  <200203142308.g2EN8F542306@freefall.freebsd.org>


>Number:         35904
>Category:       ports
>Synopsis:       OpenSSH ports (both) appear to ignore limits in /etc/login.conf unless UseLogin is set
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-ports
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Mar 14 15:10:02 PST 2002
>Closed-Date:
>Last-Modified:
>Originator:     John-David Childs
>Release:        4.5-RELEASE
>Organization:
Enterprise Internet Solutions
>Environment:
FreeBSD taliacyn 4.5-RELEASE FreeBSD 4.5-RELEASE #0: Sun Feb 10 17:56:42 MST 2002     jchilds@taliacyn.digitalglobe.com:/usr/obj/usr/src/sys/TALIACYN  i386
>Description:
The openssh 3.1p1_1 (portable) and openssh-3.1_3 ports do not examine /etc/login.conf for restrictions such as ttys.{allow,deny}, unless UseLogin is set on in /etc/ssh/sshd_config.  This directive has been exploited in the past, and is now turned off by default.


>How-To-Repeat:
Set up a class with a tty restriction.  Created user in that class, and verified with "pw usershow <username> -P".  Installed "non-portable" (aka native) OpenSSH port. Killed existing sshd and started OpenSSH "/usr/local/sbin/sshd -f /etc/ssh/sshd_config".  Attempted SSH into box, and logged in successfully.  Rinse. Lather. Repeat with OpenSSH portable.  Finally, tried with "native" SSHD (no changes to /etc/ssh/sshd_config) and it worked.
>Fix:
These lines from the native SSH session.c (/usr/src/crypto/openssh/session.c) seem to be the key!

#ifdef HAVE_LOGIN_CAP
        /* login.conf ttys.allow / ttys.deny check for the user's class */
        if (!auth_ttyok(lc, s->tty)) {
                (void)printf("Permission denied.\n");
                log("LOGIN %.200s REFUSED (TTY) FROM %.200s ON TTY %.200s",
                    pw->pw_name,
                    get_remote_name_or_ip(utmp_len,
                        options.reverse_mapping_check),
                    s->tty);
                exit(254);
        }
#endif /* HAVE_LOGIN_CAP */


>Release-Note:
>Audit-Trail:
>Unformatted:
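As an added illustration (not code from the PR above or from FreeBSD's libutil), the following models the decision auth_ttyok() makes from a class's ttys.allow and ttys.deny capabilities, which is the check the ports skip unless UseLogin is set. It assumes the two lists are handed in as the comma-separated strings they have in /etc/login.conf and omits the ttygroup lookup via /etc/ttys that the real function also performs.

```c
/* Model of the login.conf tty check: ttys.deny is consulted first, then
 * ttys.allow acts as an allow-list when present.  Illustration only, not
 * FreeBSD's auth_ttyok(); ttygroup matching is omitted. */
#include <stdio.h>
#include <string.h>

/* Is 'name' one of the comma-separated entries in 'list'? */
static int in_list(const char *list, const char *name)
{
    size_t n = strlen(name);
    if (list == NULL)
        return 0;
    while (*list != '\0') {
        const char *end = strchr(list, ',');
        size_t len = end ? (size_t)(end - list) : strlen(list);
        if (len == n && strncmp(list, name, n) == 0)
            return 1;
        list += len;
        if (*list == ',')
            list++;
    }
    return 0;
}

/* 1 if a class with these ttys.allow / ttys.deny values may use 'tty',
 * 0 if login should be refused with "REFUSED (TTY)". */
int class_ttyok(const char *allow, const char *deny, const char *tty)
{
    const char *base = strrchr(tty, '/');   /* "/dev/ttyp0" -> "ttyp0" */
    base = base ? base + 1 : tty;
    if (in_list(deny, base))
        return 0;                           /* explicit deny wins */
    if (allow != NULL && !in_list(allow, base))
        return 0;                           /* allow-list set, tty absent */
    return 1;
}

int main(void)
{
    /* Constructed class: console and ttyv0 only, two pseudo-ttys denied. */
    const char *allow = "console,ttyv0";
    const char *deny = "ttyp0,ttyp1";
    const char *ttys[] = { "/dev/ttyv0", "/dev/ttyp0", "/dev/ttyp5", "console" };
    for (size_t i = 0; i < 4; i++)
        printf("%-10s %s\n", ttys[i],
               class_ttyok(allow, deny, ttys[i]) ? "permitted" : "REFUSED (TTY)");
    return 0;
}
```

With the constructed class, ssh sessions (pseudo-ttys) are refused while console logins pass, which is the behaviour the reporter expected from the ports and only observed from the native sshd.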
