Date: Thu, 14 Mar 2002 15:08:15 -0800 (PST)
From: John-David Childs <freebsd@nterprise.net>
To: freebsd-gnats-submit@FreeBSD.org
Subject: ports/35904: OpenSSH ports (both) appear to ignore limits in /etc/login.conf unless UseLogin is set
Message-ID: <200203142308.g2EN8F542306@freefall.freebsd.org>
>Number:         35904
>Category:       ports
>Synopsis:       OpenSSH ports (both) appear to ignore limits in /etc/login.conf unless UseLogin is set
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-ports
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Mar 14 15:10:02 PST 2002
>Closed-Date:
>Last-Modified:
>Originator:     John-David Childs
>Release:        4.5-RELEASE
>Organization:
Enterprise Internet Solutions
>Environment:
FreeBSD taliacyn 4.5-RELEASE FreeBSD 4.5-RELEASE #0: Sun Feb 10 17:56:42 MST 2002 jchilds@taliacyn.digitalglobe.com:/usr/obj/usr/src/sys/TALIACYN i386
>Description:
The openssh 3.1p1_1 (portable) and openssh-3.1_3 ports do not examine /etc/login.conf for restrictions such as ttys.{allow,deny}, unless UseLogin is set on in /etc/ssh/sshd_config. This directive has been exploited in the past, and is now turned off by default.
>How-To-Repeat:
Set up a class with a tty restriction. Created a user in that class, and verified with "pw usershow <username> -P". Installed the "non-portable" (aka native) OpenSSH port. Killed the existing sshd and started OpenSSH with "/usr/local/sbin/sshd -f /etc/ssh/sshd_config". Attempted SSH into the box, and logged in successfully. Rinse. Lather. Repeat with OpenSSH portable. Finally, tried with the "native" sshd (no changes to /etc/ssh/sshd_config) and it worked.
>Fix:
These lines from the native SSH session.c (/usr/src/crypto/openssh/session.c) seem to be the key!

#ifdef HAVE_LOGIN_CAP
	if (!auth_ttyok(lc, s->tty)) {
		(void)printf("Permission denied.\n");
		log("LOGIN %.200s REFUSED (TTY) FROM %.200s ON TTY %.200s",
		    pw->pw_name,
		    get_remote_name_or_ip(utmp_len, options.reverse_mapping_check),
		    s->tty);
		exit(254);
	}
#endif /* HAVE_LOGIN_CAP */

>Release-Note:
>Audit-Trail:
>Unformatted:
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ports" in the body of the message
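The report above turns on one missing call: without auth_ttyok() the ttys.allow and ttys.deny capabilities of a login class have no effect on an SSH session, whatever the class says. The following Python model is added here to make the semantics of that check concrete; it is not libutil's or OpenSSH's code. It parses a constructed /etc/login.conf fragment, resolves capabilities along the tc= chain the way login_getcapstr(3) does (first definition wins), and then applies the allow list and the deny list, matching a tty either by name or by its ttys(5) group. The sample classes, the tty-to-group table and the stripping of a leading "/dev/" are assumptions made for the illustration.

```python
"""Model of the /etc/login.conf ttys.allow / ttys.deny decision.

Added illustration of what FreeBSD's auth_ttyok(3) decides from a login
class, so the effect of the OpenSSH ports skipping that call can be seen
on sample data.  This is a re-implementation for reading, not libutil's code.
"""
import re

# Constructed /etc/login.conf, in the file's own record syntax.
SAMPLE_LOGIN_CONF = r"""
# class used by ordinary accounts: no dial-in logins
default:\
        :passwd_format=md5:\
        :ttys.deny=ttyd0:\
        :tc=default-defaults:

# operators may only log in on the physical console
consoleonly:\
        :ttys.allow=console,ttyv0,ttyv1:\
        :tc=default:

# no remote (network pty) sessions; everything else inherited from default
local:\
        :ttys.deny=network:\
        :tc=default:
"""

# Constructed tty -> ttys(5) group table.  On FreeBSD the group is taken from
# the /etc/ttys entry ("group=" keyword, or the implied "dialup"/"network"
# groups); ttys without a group are simply omitted here.
SAMPLE_TTY_GROUPS = {
    "ttyd0": "dialup",
    "ttyp0": "network",
    "ttyp1": "network",
}


def parse_login_conf(text):
    """Return {class_name: {capability: value}} without tc= expansion."""
    classes = {}
    joined = re.sub(r"\\\n", "", text)          # splice backslash continuations
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        name = fields[0].split("|")[0]          # "name|alias": first name wins
        caps = {}
        for cap in fields[1:]:
            if not cap:
                continue
            key, _, value = cap.partition("=")
            caps.setdefault(key, value)         # first occurrence in a record wins
        classes[name] = caps
    return classes


def lookup_cap(classes, name, cap, seen=None):
    """login_getcapstr(3)-style lookup: first definition on the tc= chain wins.
    Unknown classes (including a dangling tc= target) yield None."""
    seen = seen if seen is not None else set()
    if name in seen or name not in classes:
        return None
    seen.add(name)
    caps = classes[name]
    if cap in caps:
        return caps[cap]
    if "tc" in caps:
        return lookup_cap(classes, caps["tc"], cap, seen)
    return None


def tty_ok(classes, cls, tty, tty_groups):
    """Model of auth_ttyok(): if ttys.allow is set, the tty or its group must be
    listed; ttys.deny then vetoes a listed tty or group.  No class or no
    restriction means the tty is permitted."""
    tty = tty[5:] if tty.startswith("/dev/") else tty  # model compares bare names (assumption)
    names = {tty, tty_groups.get(tty)} - {None}

    def listed(cap):
        value = lookup_cap(classes, cls, cap)
        if value is None:
            return None                         # capability absent on the whole chain
        return bool(names & {v.strip() for v in value.split(",")})

    if listed("ttys.allow") is False:           # allow list present, tty not on it
        return False
    if listed("ttys.deny"):
        return False
    return True


if __name__ == "__main__":
    classes = parse_login_conf(SAMPLE_LOGIN_CONF)
    for cls, tty in [("consoleonly", "ttyp0"), ("consoleonly", "ttyv0"),
                     ("local", "/dev/ttyp0"), ("local", "ttyv0"),
                     ("default", "ttyd0"), ("default", "ttyp0")]:
        verdict = "ok" if tty_ok(classes, cls, tty, SAMPLE_TTY_GROUPS) else "REFUSED (TTY)"
        print(f"class={cls:<12} tty={tty:<10} -> {verdict}")
```

Two things to keep in mind when checking a real box against this model: after editing /etc/login.conf the database must be rebuilt with cap_mkdb(1) before the change is visible to anything using login_cap, and "pw usershow <user> -P" shows which class an account is actually in, which is the class these lookups start from.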