How restrict network login on AIX for everything BUT SSH? (RLOGIN=FALSE& loginrestrictions question) - SSH



Thread: How restrict network login on AIX for everything BUT SSH? (RLOGIN=FALSE& loginrestrictions question)

  1. How restrict network login on AIX for everything BUT SSH? (RLOGIN=FALSE& loginrestrictions question)

    In IBM's AIX there is a security option to restrict network login
    (RLOGIN=FALSE security stanza in /etc/security/user). This works great on
    restricting an account from using telnet, rsh, rlogin and SSH.

    Unfortunately I WANT to disable telnet, rsh, rlogin etc for an account,
    BUT keep SSH enabled. I can't figure out how. In Aix v4.3.3, 5.1 and
    5.2 we did this by writing a custom LAM module to restrict access to an
    account to the console and bypass having to set RLOGIN=FALSE, it really
    only worked on telnet, but that was enough... However in Aix v5.3 full
    pam support was added, and our LAM module broke and we have been unable
    to figure out how to get it working again.

    I have tried setting rlogin=false and setting the account to use PAM (and
    compiled SSH with PAM support). Still can't get it to work; it seems that
    SSH queries AIX loginrestrictions BEFORE it tries PAM, so the account is
    "locked" before it even tries PAM..

    Anyone know how to get SSH to ignore or override the AIX
    Loginrestrictions() (RLOGIN=FALSE) on AIX v5.3? Or another way to
    accomplish this?

    Thanks

    RV

    BTW. Running AIX v5.3 and OpenSSH v4.2p1

  2. Re: How restrict network login on AIX for everything BUT SSH? (RLOGIN=FALSE & loginrestrictions question)

    On 2006-04-19, RV wrote:
    > In IBM's AIX there is a security option to restrict network login
    > (RLOGIN=FALSE security stanza in /etc/security/user). This works great on
    > restricting an account from using telnet, rsh, rlogin and SSH.
    >
    > Unfortunately I WANT to disable telnet, rsh, rlogin etc for an account,
    > BUT keep SSH enabled. I can't figure out how. In Aix v4.3.3, 5.1 and
    > 5.2 we did this by writing a custom LAM module to restrict access to an
    > account to the console and bypass having to set RLOGIN=FALSE, it really
    > only worked on telnet, but that was enough... However in Aix v5.3 full
    > pam support was added, and our LAM module broke and we have been unable
    > to figure out how to get it working again.
    >
    > I have tried setting rlogin=false and setting the account to use PAM (and
    > compiled SSH with PAM support). Still can't get it to work; it seems that
    > SSH queries AIX loginrestrictions BEFORE it tries PAM, so the account is
    > "locked" before it even tries PAM..


    Yes this check is done early in the process. The hook is in auth.c (look
    for sys_auth_allowed_user, the actual implementation is in port-aix.c)

    Originally, PAM and AIX's native auth system were mutually exclusive
    (because no AIX systems had PAM) and so the code is separate.

    There are several such conflicts where options that were previously
    mutually exclusive now aren't, and we have plans to merge these parts
    into common sections that will allow better control of the interactions
    (or not, as the case may be). Unfortunately this is mildly tricky and
    time and resources have not permitted so far.

    Anyway, you can rebuild sshd to remove the support for AIX's auth
    system by editing config.h and removing or commenting out the "#define
    WITH_AIXAUTHENTICATE" line and recompiling.

    This will remove *all* support (including lockouts, password expiry and
    so on) so you will need to make sure your PAM config takes care of those
    (or at least the ones you care about :-).

    > Anyone know how to get SSH to ignore or override the AIX
    > Loginrestrictions() (RLOGIN=FALSE) on AIX v5.3? Or another way to
    > accomplish this?
    > BTW. Running AIX v5.3 and OpenSSH v4.2p1


    If you want to keep the native support, I can't think of a way other
    than modifying sshd, but it's trivial: find the loginrestrictions()
    call in openbsd-compat/port-aix.c and change the S_RLOGIN flag to S_LOGIN.

    This will check the account for local login rights (so your ssh users
    will need "login=TRUE" rather than "rlogin=TRUE") but the other checks
    should remain the same.

    Good luck with whatever you decide.

    --
    Darren Tucker (dtucker at zip.com.au)
    GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.

  3. Re: How restrict network login on AIX for everything BUT SSH? (RLOGIN=FALSE& loginrestrictions question)

    Darren Tucker wrote:
    > On 2006-04-19, RV wrote:
    >> In IBM's AIX there is a security option to restrict network login
    >> (RLOGIN=FALSE security stanza in /etc/security/user). This works great on
    >> restricting an account from using telnet, rsh, rlogin and SSH.
    >>
    >> Unfortunately I WANT to disable telnet, rsh, rlogin etc for an account,
    >> BUT keep SSH enabled. I can't figure out how. In Aix v4.3.3, 5.1 and
    >> 5.2 we did this by writing a custom LAM module to restrict access to an
    >> account to the console and bypass having to set RLOGIN=FALSE, it really
    >> only worked on telnet, but that was enough... However in Aix v5.3 full
    >> pam support was added, and our LAM module broke and we have been unable
    >> to figure out how to get it working again.
    >>
    >> I have tried setting rlogin=false and setting the account to use PAM (and
    >> compiled SSH with PAM support). Still can't get it to work; it seems that
    >> SSH queries AIX loginrestrictions BEFORE it tries PAM, so the account is
    >> "locked" before it even tries PAM..

    >
    > Yes this check is done early in the process. The hook is in auth.c (look
    > for sys_auth_allowed_user, the actual implementation is in port-aix.c)
    >
    > Originally, PAM and AIX's native auth system were mutually exclusive
    > (because no AIX systems had PAM) and so the code is separate.
    >
    > There are several such conflicts where options that were previously
    > mutually exclusive now aren't, and we have plans to merge these parts
    > into common sections that will allow better control of the interactions
    > (or not, as the case may be). Unfortunately this is mildly tricky and
    > time and resources have not permitted so far.

    I understand, a lot within the AIX auth system has changed since AIX
    4.3.3, so I expect it will take some time to get it sorted out, and it
    works just fine I expect for most people. I'm just not most people.

    >
    > Anyway, you can rebuild sshd to remove the support for AIX's auth
    > system by editing config.h and removing or commenting out the "#define
    > WITH_AIXAUTHENTICATE" line and recompiling.
    >
    > This will remove *all* support (including lockouts, password expiry and
    > so on) so you will need to make sure your PAM config takes care of those
    > (or at least the ones you care about :-).

    ugh. hmm..I'll have to think about that one. Not too keen on losing that
    functionality, but then again it would force me to figure out how PAM
    (on aix) actually works. I'm assuming by your response that it doesn't
    do anything to verify the user other than make sure they exist? Where I
    work we are looking into running two SSHD daemons. One on the standard
    port for normal users with Password Auth, and one on a non-standard port
    for "group" users using Keypair auth only. We currently use SSHD with
    keypair auth only with no passwords for various automation and to
    disallow root password access via SSH.

    Setting this to off wouldn't be that much of a problem for the group SSH
    daemon as we generally don't set those accounts to expire, be locked or
    whatnot....still not keen on it however. Thanks for letting me know
    that I can just disable that def. I was wondering if it would do the trick.

    >
    >> Anyone know how to get SSH to ignore or override the AIX
    >> Loginrestrictions() (RLOGIN=FALSE) on AIX v5.3? Or another way to
    >> accomplish this?
    >> BTW. Running AIX v5.3 and OpenSSH v4.2p1

    >
    > If you want to keep the native support, I can't think of a way other
    > than modifying sshd, but it's trivial: find the loginrestrictions()
    > call in openbsd-compat/port-aix.c and change the S_RLOGIN flag to S_LOGIN.
    >

    I had found this somewhere before (likely from you on another mailing
    list), I tried making the change, but it didn't like it (in port-aix.c)
    when I tried to compile SSH. I must have fat fingered something. Is this
    functionally the same as removing the "#define WITH_AIXAUTHENTICATE"?

    > This will check the account for local login rights (so your ssh users
    > will need "login=TRUE" rather than "rlogin=TRUE") but the other checks
    > should remain the same.
    >
    > Good luck with whatever you decide.
    >


    Thanks Darren, I had been thinking of emailing you directly (as I've
    been to your nice page on SSH and AIX), but figured I would not bother
    you directly unless I couldn't get an answer elsewhere...Thanks

  4. Re: How restrict network login on AIX for everything BUT SSH? (RLOGIN=FALSE & loginrestrictions question)

    On 2006-04-20, RV wrote:
    > Darren Tucker wrote:
    >> Originally, PAM and AIX's native auth system were mutually exclusive
    >> (because no AIX systems had PAM) and so the code is separate.

    [...]
    >> There are several such conflicts where options that were previously
    >> mutually exclusive now aren't, and we have plans to merge these parts
    >> into common sections that will allow better control of the interactions
    >> (or not, as the case may be). Unfortunately this is mildly tricky and
    >> time and resources have not permitted so far.

    >
    > I understand, a lot within the AIX auth system has changed since AIX
    > 4.3.3, so I expect it will take some time to get it sorted out, and it
    > works just fine I expect for most people. I'm just not most people.


    Actually, from an application's point of view the native auth system
    hasn't changed much from AIX 4.3 to 5.3; it's grown extra arguments
    (loginfailed) and extra bugs (passwdexpired) but it's basically the same.
    It's just that AIX has grown a somewhat parallel system (PAM).

    >> Anyway, you can rebuild sshd to remove the support for AIX's auth
    >> system by editing config.h and removing or commenting out the "#define
    >> WITH_AIXAUTHENTICATE" line and recompiling.
    >>
    >> This will remove *all* support (including lockouts, password expiry and
    >> so on) so you will need to make sure your PAM config takes care of those
    >> (or at least the ones you care about :-).

    > ugh. hmm..I'll have to think about that one. Not too keen on losing that
    > functionality, but then again it would force me to figure out how PAM
    > (on aix) actually works. I'm assuming by your response that it doesn't
    > do anything to verify the user other than make sure they exist?


    It'll still do the things it would do on other platforms (shell exists
    and is executable, DenyUsers and so forth) but without WITH_AIXAUTHENTICATE
    all of the AIX specific stuff will be gone.

    [...]
    >> If you want to keep the native support, I can't think of a way other
    >> than modifying sshd, but it's trivial: find the loginrestrictions()
    >> call in openbsd-compat/port-aix.c and change the S_RLOGIN flag to S_LOGIN.
    >>

    > I had found this somewhere before (likely from you on another mailing
    > list), I tried making the change, but it didn't like it (in port-aix.c)
    > when I tried to compile SSH. I must have fat fingered something. Is this
    > functionally the same as removing the "#define WITH_AIXAUTHENTICATE"?


    No. Changing that flag will leave the AIX specific checks in place, the
    only difference is that sshd will check the "login" attribute instead of
    "rlogin".

    > Thanks Darren, I had been thinking of emailing you directly (as I've
    > been to your nice page on SSH and AIX), but figured I would not bother
    > you directly unless I couldn't get an answer elsewhere...Thanks


    I prefer if people don't email me directly for this kind of thing;
    most of the time I'll just redirect the poster to a public forum anyway.

    --
    Darren Tucker (dtucker at zip.com.au)
    GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.
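To make the S_RLOGIN versus S_LOGIN distinction from posts 2 and 4 concrete, here is an added C model, written for this page and not code from OpenSSH or AIX, of how the check in port-aix.c would read the same /etc/security/user stanzas in each mode. The stanza file, the numeric values given to S_LOGIN/S_RLOGIN, and the fall-back to the default stanza and then to true are constructed assumptions; the real loginrestrictions() call exists only on AIX.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample in /etc/security/user stanza format, not a real system's file. */
static const char *sample_user_file =
    "default:\n"
    "\tlogin = true\n"
    "\trlogin = true\n"
    "svcacct:\n"          /* network login off; console login inherits the default */
    "\trlogin = false\n"
    "opsuser:\n"          /* the reverse: console login off, network login on */
    "\tlogin = false\n"
    "\trlogin = true\n";
/* Named after the AIX loginrestrictions() modes the thread mentions; the numeric
   values are placeholders for this model, not AIX's definitions. */
enum { S_LOGIN = 1, S_RLOGIN = 2 };
/* Find attr in the stanza for user; returns 1 and sets *out (1=true, 0=false) if found. */
static int stanza_attr(const char *file, const char *user, const char *attr, int *out)
{
    char line[256], key[64], val[64];
    size_t ulen = strlen(user); int in_stanza = 0;
    while (*file) {
        const char *nl = strchr(file, '\n');
        size_t len = nl ? (size_t)(nl - file) : strlen(file);
        if (len >= sizeof line) len = sizeof line - 1;   /* clip over-long lines */
        memcpy(line, file, len); line[len] = '\0';
        file += len + (nl ? 1 : 0);
        if (line[0] != '\0' && !isspace((unsigned char)line[0])) {
            /* "name:" at column 0 opens a stanza; indented lines belong to it */
            in_stanza = (len == ulen + 1 && line[len - 1] == ':' &&
                         strncmp(line, user, ulen) == 0);
        } else if (in_stanza && sscanf(line, " %63[^= ] = %63s", key, val) == 2 &&
                   strcmp(key, attr) == 0) {
            *out = (strcmp(val, "true") == 0);
            return 1;
        }
    }
    return 0;
}
/* Model of the check in sshd's port-aix.c: S_RLOGIN consults "rlogin", S_LOGIN consults
   "login". Unset attributes fall back to the default stanza, then to true (assumed). */
int login_allowed(const char *file, const char *user, int mode)
{
    const char *attr = (mode == S_RLOGIN) ? "rlogin" : "login";
    int v;
    if (stanza_attr(file, user, attr, &v)) return v;
    if (stanza_attr(file, "default", attr, &v)) return v;
    return 1;
}
```

With rlogin=false and login left at its default, svcacct fails the S_RLOGIN check that stock sshd makes but passes S_LOGIN, which is the effect the patched sshd relies on while the services that honour rlogin=false still refuse the account. The opsuser stanza shows the cost of the change: an account with login=false is shut out of the patched sshd even though rlogin=true.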
