From owner-freebsd-ports Thu Mar 14 15:10:15 2002
Delivered-To: freebsd-ports@hub.freebsd.org
Message-Id: <200203142308.g2EN8F542306@freefall.freebsd.org>
Date: Thu, 14 Mar 2002 15:08:15 -0800 (PST)
From: John-David Childs
To: freebsd-gnats-submit@FreeBSD.org
Subject: ports/35904: OpenSSH ports (both) appear to ignore limits in /etc/login.conf unless UseLogin is set

>Number:         35904
>Category:       ports
>Synopsis:       OpenSSH ports (both) appear to ignore limits in /etc/login.conf unless UseLogin is set
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-ports
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Mar 14 15:10:02 PST 2002
>Closed-Date:
>Last-Modified:
>Originator:     John-David Childs
>Release:        4.5-RELEASE
>Organization:
Enterprise Internet Solutions
>Environment:
FreeBSD taliacyn 4.5-RELEASE FreeBSD 4.5-RELEASE #0: Sun Feb 10 17:56:42 MST 2002 jchilds@taliacyn.digitalglobe.com:/usr/obj/usr/src/sys/TALIACYN i386
>Description:
The openssh-3.1p1_1 (portable) and openssh-3.1_3 ports do not examine /etc/login.conf for restrictions such as ttys.{allow,deny} unless UseLogin is turned on in /etc/ssh/sshd_config. This directive has been exploited in the past, and is now turned off by default.
>How-To-Repeat:
Set up a class with a tty restriction. Created a user in that class, and verified with "pw usershow -P". Installed the "non-portable" (aka native) OpenSSH port. Killed the existing sshd and started OpenSSH with "/usr/local/sbin/sshd -f /etc/ssh/sshd_config". Attempted to SSH into the box, and logged in successfully. Rinse. Lather. Repeat with OpenSSH portable. Finally, tried with the "native" sshd (no changes to /etc/ssh/sshd_config) and it worked.
>Fix:
These lines from the native SSH session.c (/usr/src/crypto/openssh/session.c) seem to be the key!

    #ifdef HAVE_LOGIN_CAP
        if (!auth_ttyok(lc, s->tty)) {
            (void)printf("Permission denied.\n");
            log("LOGIN %.200s REFUSED (TTY) FROM %.200s ON TTY %.200s",
                pw->pw_name,
                get_remote_name_or_ip(utmp_len, options.reverse_mapping_check),
                s->tty);
            exit(254);
        }
    #endif /* HAVE_LOGIN_CAP */

>Release-Note:
>Audit-Trail:
>Unformatted:
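As an added example (not the reporter's code and not FreeBSD's libutil), the following Python models the ttys.allow/ttys.deny policy that auth_ttyok() enforces in the native sshd through the session.c snippet above, and that both ports skip while UseLogin is off. The login.conf fragment, the tty-to-group table and the exact decision rules are this editor's assumptions drawn from login.conf(5) and login_cap(3); the real check takes the tty group from ttys(5), which is stubbed with a dictionary here.

```python
"""Model of the login.conf ttys.allow / ttys.deny check.

Added example, not code from the PR or from FreeBSD.  The parser and the
decision rules are this editor's reading of login.conf(5) and login_cap(3);
the login.conf fragment and the tty-group table are constructed for the
example.
"""
import re

# Constructed /etc/login.conf fragment (not the reporter's file).
LOGIN_CONF = r"""
# comments and blank lines are ignored; a trailing backslash continues a record
default:\
	:passwd_format=md5:\
	:welcome=/etc/motd:
console_only|Console logins only:\
	:ttys.allow=ttyv0,ttyv1:\
	:tc=default:
nopty:\
	:ttys.deny=pty:\
	:tc=default:
"""

# Constructed tty -> group map standing in for the group column of ttys(5).
TTYGROUPS = {"ttyv0": "console", "ttyv1": "console",
             "ttyp0": "pty", "ttyp1": "pty", "ttyp2": "pty"}


def parse_login_conf(text):
    """Parse termcap-style records into {class_name: {capability: value}}.
    A record is 'name|alias...:cap:cap=value:...', continued across lines
    with a trailing backslash.  Boolean capabilities get the value True."""
    classes = {}
    record = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):          # continuation: keep accumulating
            record += line[:-1]
            continue
        record += line
        fields = record.split(":")
        record = ""
        caps = {}
        for field in fields[1:]:
            if not field:
                continue
            key, sep, value = field.partition("=")
            caps[key] = value if sep else True
        for name in fields[0].split("|"):
            classes[name] = caps
    return classes


def getcaplist(classes, cls, cap):
    """List-valued capability lookup that follows tc= inheritance, in the
    spirit of login_getcaplist(3).  Returns None when the capability is not
    set anywhere in the chain."""
    seen = set()
    while cls and cls not in seen:
        seen.add(cls)
        caps = classes.get(cls, {})
        if cap in caps:
            value = caps[cap]
            if value is True:            # bare 'ttys.allow:' -> empty list
                return []
            return [x for x in re.split(r"[,\s]+", value) if x]
        cls = caps.get("tc")
    return None


def tty_ok(classes, cls, tty, ttygroups=None):
    """Decide whether login class `cls` may log in on `tty`.

    Rules (this editor's reading of login.conf(5)):
      * if ttys.allow is set, the tty or its group must be listed in it;
      * if ttys.deny is set, the tty or its group must not be listed in it;
      * an unknown class or an empty tty name is not restricted.  Note that
        the sshd snippet in the PR sits on the pty path, so a command run
        without a tty never reaches this check in the first place.
    """
    if not cls or cls not in classes or not tty:
        return True
    names = {tty}
    if ttygroups and tty in ttygroups:
        names.add(ttygroups[tty])
    allow = getcaplist(classes, cls, "ttys.allow")
    if allow is not None and not names & set(allow):
        return False
    deny = getcaplist(classes, cls, "ttys.deny")
    if deny is not None and names & set(deny):
        return False
    return True


def main():
    classes = parse_login_conf(LOGIN_CONF)
    # The PR's scenario: a restricted class logging in over ssh, which
    # allocates a pseudo-tty such as ttyp0 rather than a console ttyv*.
    for cls in ("console_only", "nopty", "default"):
        for tty in ("ttyv0", "ttyp0"):
            verdict = "allowed" if tty_ok(classes, cls, tty, TTYGROUPS) else "REFUSED (TTY)"
            print(f"class {cls:13s} tty {tty}: {verdict}")


if __name__ == "__main__":
    main()
```

Run stand-alone it prints one verdict per class/tty pair; the "nopty" class shows why the group lookup matters, since ttyp0 is refused only when the ttys(5) group "pty" is known for it. A port that never calls auth_ttyok() (the PR's complaint) would print "allowed" on every line regardless of the class.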