Re: SSH 1.x and 2.x Daemon

From: Jan B. Koum (jkbat_private)
Date: Sun Jan 24 1999 - 14:39:30 PST

Next message: Lucky Green: "Re: Microsoft Critical Updater Security"

Previous message: Drazen Kacar: "Re: IE4 Persistent Connection Bug"
Maybe in reply to: KuRuPTioN: "SSH 1.x and 2.x Daemon"
Next in thread: Yutaka OIWA: "Re: SSH 1.x and 2.x Daemon"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

        This is not the case with ssh 1.1.26 running on FreeBSD 2.2.8
        If I expire an account:
        Expire [month day year]: January 1, 1999
        Then when I try to ssh in I just get:
        Permission denied.

-- Yan

On Sat, Jan 23, 1999 at 05:06:44PM -0500, KuRuPTioN <kuruptionat_private> wrote:
> There seems to be incomplete code in the SSH daemon in both versions 1.2.27
> and 2.0.11 (only tested).  The bug simply allows users who with expired
> accounts (in /etc/shadow) to continue to login even though other such
> services such as ftp and telnet deny access.  Here is the log using 1.2.27
> (but the same happens with 2.0.11).
>
> [root@epicenter /etc]# chage -l lamer
> Minimum:        3
> Maximum:        30
> Warning:        5
> Inactive:       -1
> Last Change:            Jan 01, 1999
> Password Expires:       Jan 31, 1999
> Password Inactive:      Never
> Account Expires:        Jan 22, 1999
> [root@epicenter /etc]# date
> Sat Jan 23 13:57:51 PST 1999
> [root@epicenter /etc]# telnet localhost
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> login: lamer
> Password:
> Your account has expired.  Please contact the system administrator.
> Connection closed by foreign host.
> [root@epicenter /etc]# ssh1 -l lamer localhost
> lamerat_private's password:
> No mail.
> (lamer@epicenter) lamer>
>
> .......
>
> Now I wanted to try whether the account expiration worked using SSH, and it
> does.  If a user's password has expired, then SSH will prompt following the
> login for the user to enter a new password and disconnect them if they fail
> to (like a telnet would).
>
> I have reported this problem to the SSH bug e-mail address about 2 weeks ago
> with no response.
>
> Current System Configuration:
> Linux 2.0.36
> Shadow Utilities 980724
> SSH 1.2.27 and 2.0.11 (both daemons)
>
> Any solutions (patch?) to this problem would be appreciated.  Currently I
> just run a shell script to change the user's shell to deny them, but this
> shouldn't be necessary since this is one of the listed features of the
> Shadow Utilities.
>
> Thanks.
> Raymond T Sundland

Next message: Lucky Green: "Re: Microsoft Critical Updater Security"
Previous message: Drazen Kacar: "Re: IE4 Persistent Connection Bug"
Maybe in reply to: KuRuPTioN: "SSH 1.x and 2.x Daemon"
Next in thread: Yutaka OIWA: "Re: SSH 1.x and 2.x Daemon"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:30:37 PDT