Bugtraq mailing list archives

Re: SSH 1.x and 2.x Daemon


From: jr () SCMS RGU AC UK (John RIddoch)
Date: Tue, 26 Jan 1999 09:25:36 +0000


Furthermore, if the account is disabled in /etc/passwd and a user logs in
via a public key, they are still allowed access.  (So just disabling a user
account is not enough anymore.  You have to look for uses of public keys as
well.)

You get the same effect if a user has a ~/.rhosts file using rsh/rlogin.

This may not exist in the 2.x series (I have not tested it there), but it
does occur in the 1.2.x series.  (I have not tested the latest version on
this...)

I would verify the above before panicking, but I have seen it occur under one
such install of 1.2.x.  (I will have to look up the version.  The drive was
removed soon after due to hacker d00dz.)

I can verify that using keys and ssh-agent under ssh-2.0.11 (Sparc Solaris
2.6) allows login if the (NIS) account has been disabled.

However, this is no less or greater a problem than the .rhosts file.  There
are tools to detect .rhosts files in disabled accounts; perhaps the
writers of those scripts might be able to add a check for public keys under
ssh?

--
John Riddoch    Email: jr () scms rgu ac uk     Telephone: (01224)262730
Room C4, School of Computer and Mathematical Science
Robert Gordon University, Aberdeen, AB25 1HG
"Yoda of Borg are we:  Futile is resistance.  Assimilate you, we will"
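
The check suggested above, as an added example that is not part of the original post or of any existing audit tool: it lists disabled accounts whose home directories still hold ssh public-key or .rhosts trust files. The function names, the rule that a leading '!' or '*' in the password field means "disabled", the default file locations and the sample accounts are all assumptions made for illustration.

```python
import os
import tempfile

# Default per-user trust files (assumed locations; sshd may be configured otherwise).
TRUST_FILES = (".ssh/authorized_keys", ".ssh/authorized_keys2",
               ".ssh2/authorization", ".rhosts", ".shosts")

def is_disabled(pw_field):
    # Assumption: a leading '!' or '*' marks a disabled account ('*', '*LK*', '!<hash>').
    return pw_field.startswith(("!", "*"))

def disabled_accounts(passwd_text, shadow_text=""):
    """Return {user: home} for accounts disabled in passwd (or shadow, if used)."""
    shadow = {}
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if len(parts) >= 2:
            shadow[parts[0]] = parts[1]
    found = {}
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) < 7:            # skip blank or malformed lines
            continue
        user, pw, home = parts[0], parts[1], parts[5]
        if pw == "x":                 # real field lives in the shadow file
            pw = shadow.get(user, "")
        if is_disabled(pw):
            found[user] = home
    return found

def find_trust_files(passwd_text, shadow_text="", root="/"):
    """List (user, path) for non-empty trust files under disabled accounts' homes."""
    hits = []
    for user, home in sorted(disabled_accounts(passwd_text, shadow_text).items()):
        for rel in TRUST_FILES:
            on_disk = os.path.join(root, home.lstrip("/"), rel)
            if os.path.isfile(on_disk) and os.path.getsize(on_disk) > 0:
                hits.append((user, os.path.join(home, rel)))
    return hits

def demo():
    """Run the check on a constructed passwd/shadow pair and a temporary home tree."""
    passwd = ("alice:*LK*:1001:100::/home/alice:/bin/sh\n"
              "bob:ab12cdEFgh345:1002:100::/home/bob:/bin/sh\n"
              "carol:x:1003:100::/home/carol:/bin/sh\n")
    shadow = "carol:!:10617::::::\n"
    with tempfile.TemporaryDirectory() as root:
        for home, rel in (("home/alice", ".ssh/authorized_keys"),
                          ("home/bob", ".ssh/authorized_keys"),
                          ("home/carol", ".rhosts")):
            path = os.path.join(root, home, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as f:
                f.write("constructed sample entry\n")
        return find_trust_files(passwd, shadow, root)
```

On a live host, pass the contents of /etc/passwd (and the shadow file, where one is used) with the default root of "/"; for NIS accounts the map contents would have to be supplied instead.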


