Re: OpenSSH's {password,account} expirations

I have no idea man... but I'm with you on it.

----- Original Message ----- 
From: "Brian Poole" <raj@cerias.purdue.edu>
To: <tech@openbsd.org>
Sent: Monday, May 14, 2001 3:20 PM
Subject: OpenSSH's {password,account} expirations

> Hello all,
> I added a note on this matter to one of my other emails at some
> point or another, but I'm going to rehash it again here because
> no one replied then and I still think it is a problem. If it isn't
> a problem, I'd like to hear how this can -not- be considered a
> problem.
> My problem is this: OpenSSH does not respect account or password
> expirations by default (by respect I mean it totally ignores them;
> it doesn't matter if they are set and have expired). Why?
> I can only assume that this was done originally in rsh/rlogin in
> deference to non-interactive accounts which shouldn't be affected
> by these and then carried over, but I can't see why we do it still,
> nor why it is the default action.
> Now, agreed, I can use 'UseLogin yes' and my expirations will be heeded
> for interactive login sessions. This is OK, but one does still have to
> ask why it is not the default.
> But wait, there is more... even when I turn UseLogin to yes, it isn't
> used all the time (as noted in the man page), so people can still
> circumvent account restrictions by using non-interactive commands
> (whether they be shell commands, scp, sftp, whatever). Now, I don't know
> about anyone else, but if I have set someone's account to expire on
> May 1st, I don't really want them to be able to still log in on May 2nd,
> which they still can, through a little trickery in the usage of
> non-interactive commands. It isn't very hard to sftp up a bindshell
> and then remotely execute it, thus bypassing the restrictions that
> are there. Why do we even bother to put in such restrictions if we
> aren't going to enforce them?
> Am I alone with this opinion? If it is something to be fixed I would
> be glad to help, but first I want to know that it would be accepted into
> the tree, which as it is still standing right now I have to assume it
> wouldn't be. I would certainly appreciate feedback on the matter.
> This entire bit probably applies to rsh/rlogin as well, but I'm not
> nearly as concerned about it as it isn't on by default nor used by
> myself.
> -b
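Since the thread's point is that sshd (in the configuration discussed above) does not consult the account and password expiry fields for every session type, an administrator who relies on those fields needs a separate way to find accounts whose deadlines have passed and lock them by hand. The following audit helper is an added example, not code from OpenSSH or OpenBSD: it parses lines in the BSD master.passwd layout (name:password:uid:gid:class:change:expire:gecos:home:shell, with "change" and "expire" as seconds since the epoch and 0 meaning "never") and reports which entries are past their password-change or account-expiry deadline. The sample entries, hashes, and timestamps are constructed for illustration; the expiry value 988675200 is 2001-05-01 00:00 UTC, matching the May 1st date in the post.

```python
import time

# Constructed sample in master.passwd layout (not a real system file):
#   name:password:uid:gid:class:change:expire:gecos:home:shell
# "change" is the password-change deadline, "expire" the account expiry,
# both in seconds since the epoch; 0 means the deadline never arrives.
SAMPLE_MASTER_PASSWD = """\
# comment lines and blank lines are skipped
root:*:0:0:daemon:0:0:Charlie &:/root:/bin/ksh
alice:$2b$08$constructedhashvalue:1000:1000::0:988675200:Alice:/home/alice:/bin/ksh
bob:$2b$08$constructedhashvalue:1001:1001::988675200:0:Bob:/home/bob:/bin/ksh
carol:$2b$08$constructedhashvalue:1002:1002::0:0:Carol:/home/carol:/bin/ksh
"""

MAY_1_2001 = 988675200   # 2001-05-01 00:00:00 UTC, the expiry used in the post
MAY_2_2001 = MAY_1_2001 + 86400


def parse_master_passwd(text):
    """Parse master.passwd-style text into a list of dicts.

    Only the fields needed for the expiry audit are kept. A line with the
    wrong number of colon-separated fields is rejected rather than guessed
    at, because a silently mis-parsed line could hide an expired account.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 10:
            raise ValueError("line %d: expected 10 fields, got %d" % (lineno, len(fields)))
        entries.append({
            "name": fields[0],
            "password": fields[1],
            "change": int(fields[5]),
            "expire": int(fields[6]),
            "shell": fields[9],
        })
    return entries


def account_status(entry, now):
    """Classify one entry relative to the time 'now' (epoch seconds).

    Account expiry is checked before password expiry because an expired
    account should be refused regardless of its password state.
    """
    if entry["expire"] and now >= entry["expire"]:
        return "account-expired"
    if entry["change"] and now >= entry["change"]:
        return "password-expired"
    return "ok"


def stale_accounts(text, now=None):
    """Return {name: status} for every entry that is past a deadline.

    Entries whose password field starts with '*' cannot authenticate with
    a password at all, so they are reported separately as 'locked' only
    when they also carry a passed deadline; otherwise they are left out.
    """
    if now is None:
        now = int(time.time())
    report = {}
    for entry in parse_master_passwd(text):
        status = account_status(entry, now)
        if status == "ok":
            continue
        if entry["password"].startswith("*"):
            status = "locked"
        report[entry["name"]] = status
    return report


if __name__ == "__main__":
    # Evaluate the sample as of May 2nd, 2001, the day after the expiry.
    for name, status in sorted(stale_accounts(SAMPLE_MASTER_PASSWD, MAY_2_2001).items()):
        print("%s: %s" % (name, status))
```

Run against a real file the script only reads; acting on the result (disabling the login shell, setting the password field to a locked value with the platform's own tools) is a deliberate administrative step, and the check has to be applied to every account that can authenticate, since in the configuration described in the post the expiry is not enforced for non-interactive sessions either.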