On Sat, 23 Jan 1999, KuRuPTioN wrote:

> There seems to be incomplete code in the SSH daemon in both versions 1.2.27
> and 2.0.11 (only tested). The bug simply allows users with expired
> accounts (in /etc/shadow) to continue to log in even though other such
> services such as ftp and telnet deny access. Here is the log using 1.2.27
> (but the same happens with 2.0.11).

Hi,

I had emailed them about this and here is the response:

________________
>From kivinenat_private Mon Jan 25 14:14:45 1998
Date: Tue, 7 Jul 1998 22:38:08 +0300 (EET DST)
From: Tero Kivinen <kivinenat_private>
To: Jim Bourne <jbourneat_private>
Subject: ssh on linux

Jim Bourne writes:
> I've been playing with SSH on my home system, and found a problem with
> compiling it under Linux 2.0.33 (redhat 4.2 in this case). Since shadow
> support can be turned on fairly easily (pwconv5) and the struct spwd does
> include shadow aging and expiry information, I thought it would be better to
> have these turned on when using autoconf.

Linux shadow password maintainer said earlier that we must turn off
shadow password checking and always use the shadow password functions,
just so that you can turn shadow password on later. Currently the
configure.in checks that if we are in linux and we have getspnam
function then we turn shadow password on always, and otherwise we
don't turn it on. So I didn't remove that
no_shadows_password_checking=yes line from the configure.

[snip]
--
kivinenat_private               Work : +358-9-4354 3218
SSH Communications Security     http://www.ssh.fi/
SSH IPSEC Toolkit               http://www.ssh.fi/ipsec/
----------------------

They do know that it does work under Linux and choose to leave it out.

> Any solutions (patch?) to this problem would be appreciated. Currently I
> just run a shell script to change the user's shell to deny them, but this
> shouldn't be necessary since this is one of the listed features of the
> Shadow Utilities.

I have attached a patch that simply checks for the presence of shadow
passwords and sets the appropriate defines. It does work on Linux 2.0.37pre
and redhat 5.1/5.2. You will have to have autoconf and re-run it to build a
new configure script.

Regards
Jim

>
> Thanks.
> Raymond T Sundland
>

--
James Bourne          | Email: jbourne@affinity-systems.ab.ca
Affinity Systems Inc. | WWW:   http://www.affinity-systems.ab.ca
Everything Unix       | Linux: The choice of a GNU generation
----------------------------------------------------------------------
Unix System Administration, System programming, Network Administration

[Attachment: ssh-1.2.26-expiry.patch (Expiry Patch)]
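The check this thread is about, as an added example that is not part of the original message, the attached patch, or the ssh source: a C function that classifies a `struct spwd` entry using the aging and expiry fields documented in shadow(5). The names `shadow_state`, `sample_entry` and the enum values are assumptions made for illustration, and the sample entry is constructed.

```c
#include <shadow.h>
#include <stdio.h>
#include <time.h>

enum acct_state { ACCT_OK, ACCT_EXPIRED, PW_INACTIVE, PW_CHANGE_REQUIRED };

/* Classify a shadow entry. All dates are days since 1970-01-01;
 * -1 means the field is empty in /etc/shadow. */
enum acct_state shadow_state(const struct spwd *sp, long today)
{
    /* sp_expire: account expiry date, the field the thread is about.
     * Treated here as expired from that day onward. */
    if (sp->sp_expire > 0 && today >= sp->sp_expire)
        return ACCT_EXPIRED;
    /* sp_lstchg == 0: password must be changed at next login. */
    if (sp->sp_lstchg == 0)
        return PW_CHANGE_REQUIRED;
    if (sp->sp_lstchg > 0 && sp->sp_max >= 0) {
        long pw_end = sp->sp_lstchg + sp->sp_max;
        /* Past max age plus the inactivity grace period: locked out. */
        if (sp->sp_inact >= 0 && today >= pw_end + sp->sp_inact)
            return PW_INACTIVE;
        if (today >= pw_end)
            return PW_CHANGE_REQUIRED;
    }
    return ACCT_OK;
}

/* Constructed sample entry, not taken from any real system. */
struct spwd sample_entry(long lstchg, long max, long inact, long expire)
{
    struct spwd sp = {0};
    sp.sp_namp = "alice";
    sp.sp_pwdp = "!";
    sp.sp_lstchg = lstchg; sp.sp_min = 0; sp.sp_max = max;
    sp.sp_warn = 7; sp.sp_inact = inact; sp.sp_expire = expire;
    return sp;
}

int main(int argc, char **argv)
{
    long today = (long)(time(NULL) / 86400);
    /* Reading the real database needs root; fall back to the sample. */
    struct spwd *sp = argc > 1 ? getspnam(argv[1]) : NULL;
    struct spwd demo = sample_entry(10000, 90, 14, 10600);
    printf("state=%d\n", shadow_state(sp ? sp : &demo, today));
    return 0;
}
```

A login service that authenticates against the shadow hash should refuse the session unless this kind of check returns the OK state, whichever authentication method the user presented.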