On Tue, 15 Feb 2000, Nick Lamb wrote:

> 1. Is this a bug (which will be or has already been fixed in OpenSSH)

It's a bug, a feature, and a misconfiguration. The bug is SSH issuing local redirecting connections with root. This was presumably fixed in OpenSSH. The feature allowing to open connections coming from localhost for valid (with a shell) users is a feature, and the misconfiguration is forgetting DenyGroups on users supposed not to be able to log in except e.g. for mail.

The real issue is however the common misconception that setting a user's shell to /bin/false to prevent it from logging in while still allowing reading POP mail and FTP is enough to prevent the user from issuing local-issued connections to services.

The impact is clear: bypassing firewalling, or hosts.deny. Additionally it will create fake IDENT (but that's a ssh feature, it seems).

> 2. Does PAM provide any immunity? If the user should be locked out
> of SSH by PAM (as in the Linux OpenSSH ports) then will this

If the user is refused by ssh authentication (be it because it's firewalled, DenyGroupsed, invalid password or PAM), you are safe. Noone we talk about breaking passworded accounts.
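An audit for the misconfiguration described in the message above, as an added example that is not part of the original post: it lists accounts whose only barrier to sshd is a no-login shell, i.e. accounts not covered by `DenyUsers` or `DenyGroups`. The function names and sample data are constructed for illustration, and the check is simplified: it ignores `AllowUsers`/`AllowGroups`, `Match` blocks and `USER@HOST` patterns.

```python
import fnmatch

NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}

def parse_sshd_lists(config_text):
    """Collect DenyUsers/DenyGroups patterns (keywords are case-insensitive)."""
    lists = {"denyusers": [], "denygroups": []}
    for line in config_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if parts and parts[0].lower() in lists:
            lists[parts[0].lower()].extend(parts[1:])
    return lists

def groups_of(user, gid, group_text):
    """Names of the user's primary and supplementary groups."""
    names = set()
    for line in group_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 4:
            continue
        members = [m for m in fields[3].split(",") if m]
        if fields[2] == gid or user in members:
            names.add(fields[0])
    return names

def exposed_accounts(passwd_text, group_text, config_text):
    """Accounts that rely on a no-login shell alone to keep them out of sshd."""
    deny = parse_sshd_lists(config_text)
    exposed = []
    for line in passwd_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 7 or fields[6] not in NOLOGIN_SHELLS:
            continue
        user, gid = fields[0], fields[3]
        by_user = any(fnmatch.fnmatchcase(user, p) for p in deny["denyusers"])
        by_group = any(fnmatch.fnmatchcase(g, p)
                       for g in groups_of(user, gid, group_text)
                       for p in deny["denygroups"])
        if not (by_user or by_group):
            exposed.append(user)
    return exposed

# Constructed sample data in passwd, group and sshd_config format.
PASSWD = ("alice:x:1000:1000::/home/alice:/bin/bash\n"
          "popuser:x:1001:2000::/var/mail/popuser:/bin/false\n"
          "ftpguy:x:1002:1002::/srv/ftp:/sbin/nologin\n")
GROUP = "mailonly:x:2000:\nftpguy:x:1002:\n"
SSHD_CONFIG = "PermitRootLogin no\nDenyGroups mailonly\n"
print(exposed_accounts(PASSWD, GROUP, SSHD_CONFIG))
```

On a real host, pass the contents of `/etc/passwd`, `/etc/group` and the sshd configuration file; every account it returns needs a deny entry or another authentication-level refusal.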