Re: SSH 1.x and 2.x Daemon

[jbourne () AFFINITY-SYSTEMS AB CA (Jim Bourne)]

  This message is in MIME format.  The first part should be readable text,
  while the remaining parts are likely unreadable without MIME-aware tools.
  Send mail to mime () docserver cac washington edu for more info.

---439393530-1362609918-917299440=:6265
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Sat, 23 Jan 1999, KuRuPTioN wrote:

> There seems to be incomplete code in the SSH daemon in both versions 1.2.27
> and 2.0.11 (only tested).  The bug simply allows users who with expired
> accounts (in /etc/shadow) to continue to login even though other such
> services such as ftp and telnet deny access.  Here is the log using 1.2.27
> (but the same happens with 2.0.11).

Hi,
I had emailed them about this and here is the response:

________________
> From kivinen () ssh fi Mon Jan 25 14:14:45 1998
Date: Tue, 7 Jul 1998 22:38:08 +0300 (EET DST)
From: Tero Kivinen <kivinen () ssh fi>
To: Jim Bourne <jbourne () island net>
Subject: ssh on linux

Jim Bourne writes:
> I've been playing with SSH on my home system, and found a problem with
> compiling it under Linux 2.0.33 (redhat 4.2 in this case).  Since shadow
> support can be turned on fairly easily (pwconv5) and the struct spwd does
> include shadow aging and expiry information, I thought it would be better to
> have these turned on when using autoconf.

Linux shadow password maintainer said earlier that we must turn off
shadow password checking and always use the shadow password functions,
just so that you can turn shadow password on later. Currently the
configure.in checks that if we are in linux and we have getspnam
function then we turn shadow password on always, and otherwise we
don't turn it on. So I didn't remove that
no_shadows_password_checking=yes line from the configure.

[snip]

--
kivinen () iki fi                               Work : +358-9-4354 3218
SSH Communications Security                  http://www.ssh.fi/
SSH IPSEC Toolkit                            http://www.ssh.fi/ipsec/
----------------------

They do know that it does work under Linux and choose to leave it out.

> Any solutions (patch?) to this problem would be appreciated.  Currently I
> just run a shell script to change the user's shell to deny them, but this
> shouldn't be necessary since this is one of the listed features of the
> Shadow Utilities.

I have attached a patch, that simply checks for the presence of shadow
passwords and sets the appropriate defines.  It does work on Linux 2.0.37pre
and redhat 5.1/5.2.  You will have to have autoconf and re-run it to build a
new configure script.

Regards
Jim

> Thanks.
> Raymond T Sundland

--

--
James Bourne                  | Email:  jbourne () affinity-systems ab ca
Affinity Systems Inc.         | WWW: http://www.affinity-systems.ab.ca
Everything Unix               | Linux:  The choice of a GNU generation
----------------------------------------------------------------------
Unix System Administration, System programming, Network Administration



---439393530-1362609918-917299440=:6265
Content-Type: TEXT/PLAIN; charset=US-ASCII; name="ssh-1.2.26-expiry.patch"
Content-Transfer-Encoding: BASE64
Content-ID: <Pine.LNX.4.04.9901251424000.6265 () cafe affinity-systems ab ca>
Content-Description: Expiry Patch
Content-Disposition: attachment; filename="ssh-1.2.26-expiry.patch"

ZGlmZiAtcnVOIHNzaC0xLjIuMjYub3JpZy9jb25maWcuaC5pbiBzc2gtMS4y
LjI2L2NvbmZpZy5oLmluDQotLS0gc3NoLTEuMi4yNi5vcmlnL2NvbmZpZy5o
LmluCVR1ZSBOb3YgIDMgMDk6MTE6MTYgMTk5OA0KKysrIHNzaC0xLjIuMjYv
Y29uZmlnLmguaW4JVHVlIE5vdiAgMyAwOTowODo0MyAxOTk4DQpAQCAtMTIz
LDYgKzEyMyw5IEBADQogLyogRGVmaW5lIHRoaXMgdG8gYmUgdGhlIHBhdGgg
b2YgdGhlIHJzaCBwcm9ncmFtIHRvIHN1cHBvcnQgZXhlY3V0aW5nIHJzaC4g
Ki8NCiAjdW5kZWYgUlNIX1BBVEgNCiANCisvKiBEZWZpbmUgdGhpcyB0byBi
ZSB0aGUgcGF0aCB0byB0aGUgcGFzc3dkIHByb2dyYW0gKi8NCisjdW5kZWYg
UEFTU1dEX1BBVEgNCisNCiAvKiBEZWZpbmUgdGhpcyB0byBiZSB0aGUgcGF0
aCBvZiB0aGUgeGF1dGggcHJvZ3JhbS4gKi8NCiAjdW5kZWYgWEFVVEhfUEFU
SA0KIA0KZGlmZiAtcnVOIHNzaC0xLjIuMjYub3JpZy9jb25maWd1cmUuaW4g
c3NoLTEuMi4yNi9jb25maWd1cmUuaW4NCi0tLSBzc2gtMS4yLjI2Lm9yaWcv
Y29uZmlndXJlLmluCVR1ZSBOb3YgIDMgMDk6MTE6MTYgMTk5OA0KKysrIHNz
aC0xLjIuMjYvY29uZmlndXJlLmluCVR1ZSBOb3YgIDMgMDk6MDg6NDMgMTk5
OA0KQEAgLTIwMCw3ICsyMDAsNiBAQA0KICAgICBpZiB0ZXN0ICRhY19jdl9m
dW5jX2dldHNwbmFtID0geWVzOyB0aGVuDQogICAgICAgQUNfREVGSU5FKEhB
VkVfRVRDX1NIQURPVykNCiAgICAgZmkNCi0gICAgbm9fc2hhZG93c19wYXNz
d29yZF9jaGVja2luZz15ZXMNCiAgICAgQUNfQ0hFQ0tfRlVOQ1MocHdfZW5j
cnlwdCwgcHdlbmNyeXB0PXllcykNCiAgICAgaWYgdGVzdCAkYWNfY3ZfZnVu
Y19wd19lbmNyeXB0ID0gbm87IHRoZW4NCiAgICAgICBBQ19DSEVDS19MSUIo
c2hhZG93LCBwd19lbmNyeXB0LCBbDQpAQCAtNDU5LDYgKzQ1OCwxMSBAQA0K
ICAgQUNfREVGSU5FX1VOUVVPVEVEKFBBU1NXRF9QQVRILCAiJFBBU1NXRF9Q
QVRIIikNCiBmaQ0KIA0KK0FDX1BBVEhfUFJPRyhQQVNTV0RfUEFUSCwgcGFz
c3dkKQ0KK2lmIHRlc3QgLW4gIiRQQVNTV0RfUEFUSCI7IHRoZW4NCisgIEFD
X0RFRklORV9VTlFVT1RFRChQQVNTV0RfUEFUSCwgIiRQQVNTV0RfUEFUSCIp
DQorZmkNCisNCiBBQ19QQVRIX1BST0coWEFVVEhfUEFUSCwgeGF1dGgpDQog
aWYgdGVzdCAtbiAiJFhBVVRIX1BBVEgiOyB0aGVuDQogICBBQ19ERUZJTkVf
VU5RVU9URUQoWEFVVEhfUEFUSCwgIiRYQVVUSF9QQVRIIikNCkBAIC01MzIs
NiArNTM2LDcgQEANCiBlbHNlDQogICBBQ19NU0dfUkVTVUxUKG5vKQ0KIGZp
DQorDQogDQogaWYgdGVzdCAteiAiJG5vX3NoYWRvd3NfcGFzc3dvcmRfY2hl
Y2tpbmciOyB0aGVuDQogICBBQ19NU0dfQ0hFQ0tJTkcoZm9yIHNoYWRvdyBw
YXNzd29yZHMpDQo=
---439393530-1362609918-917299440=:6265--