
Re: OpenSSH's {password,account} expirations



heheh well, at least this time you got a reply :)


On Mon, 14 May 2001, Bradley wrote:

> Date: Mon, 14 May 2001 16:00:03 -0500
> From: Bradley <sirmarsh@globalvisionsystems.net>
> To: Brian Poole <raj@cerias.purdue.edu>, tech@openbsd.org
> Subject: Re: OpenSSH's {password,account} expirations
>
> I have no idea man....but I'm with you on it.
>
>
>
> ----- Original Message -----
> From: "Brian Poole" <raj@cerias.purdue.edu>
> To: <tech@openbsd.org>
> Sent: Monday, May 14, 2001 3:20 PM
> Subject: OpenSSH's {password,account} expirations
>
>
> > Hello all,
> >
> > I added a note on this matter to one of my other emails at some
> > point or another, but I'm going to rehash it again here because
> > no one replied then and I still think it is a problem. If it isn't
> > a problem, I'd like to hear how this can -not- be considered a
> > problem.
> >
> > My problem is this: OpenSSH does not respect account or password
> > expirations by default (by respect I mean it totally ignores them,
> > it doesn't matter if they are set and have expired). Why?
> >
> > I can only assume that this was done originally in rsh/rlogin in
> > deference to non-interactive accounts which shouldn't be affected
> > by these and then carried over, but I can't see why we do it still,
> > nor why it is the default action.
> >
> > Now agreed, I can use 'UseLogin yes' and my expirations will be heeded,
> > for interactive login sessions. This is OK, but one does still have to
> > ask why is it not default?
> >
> > But wait, there is more.. even when I turn UseLogin to yes, it isn't
> > used all the time (as noted in the man page), so people can still
> > circumvent account restrictions by using non-interactive commands
> > (whether they be shell commands, scp, sftp, whatever). Now, I don't know
> > about anyone else, but if I have set someone's account to expire on
> > May 1st, I don't really want them to be able to still log in May 2nd,
> > which they still can, through a little trickery in usage of
> > non-interactive commands. It isn't very hard to sftp up a bindshell
> > and then remotely execute it, thus bypassing the restrictions that
> > are there. Why do we even bother to put in such restrictions if we
> > aren't going to enforce them?
> >
> > Am I alone with this opinion? If it is something to be fixed I would
> > be glad to help, but first I want to know that it would be accepted into
> > the tree, which as it is still standing right now I have to assume it
> > wouldn't be. I would certainly appreciate feedback on the matter.
> >
> > This entire bit probably applies to rsh/rlogin as well, but I'm not
> > nearly as concerned about it as it isn't on by default nor used by
> > myself.
> >
> >
> > -b
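
Added example, not part of the thread and not OpenSSH code: an audit that lists accounts whose account or password expiration has already passed, so an administrator can see which logins depend on the service enforcing those fields. It assumes the BSD master.passwd(5) field order (name, password, uid, gid, class, change, expire, gecos, home_dir, shell); the function names and sample records are constructed for illustration.

```python
import datetime as dt

# Field order of a BSD master.passwd(5) record (assumed layout).
FIELDS = ("name", "password", "uid", "gid", "class",
          "change", "expire", "gecos", "home_dir", "shell")

def parse_record(line):
    """Split one master.passwd line into a dict; return None for junk lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split(":")
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    try:
        # Empty or 0 means "no expiration set" for both timestamps.
        rec["change"] = int(rec["change"] or 0)
        rec["expire"] = int(rec["expire"] or 0)
    except ValueError:
        return None
    return rec

def expired_accounts(text, now):
    """Return {name: [reasons]} for records whose expire/change time has passed."""
    findings = {}
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        reasons = []
        if rec["expire"] and now >= rec["expire"]:
            reasons.append("account expired")
        if rec["change"] and now >= rec["change"]:
            reasons.append("password expired")
        if reasons:
            findings[rec["name"]] = reasons
    return findings

def epoch(y, m, d):
    """UTC midnight of the given date as epoch seconds."""
    return int(dt.datetime(y, m, d, tzinfo=dt.timezone.utc).timestamp())

# Constructed sample records (not real accounts); "*" stands in for the hash.
SAMPLE = "\n".join([
    "alice:*:1000:1000::0:0:Alice:/home/alice:/bin/ksh",
    f"bob:*:1001:1001::0:{epoch(2001, 5, 1)}:Bob:/home/bob:/bin/ksh",
    f"carol:*:1002:1002::{epoch(2001, 4, 1)}:0:Carol:/home/carol:/bin/ksh",
])
```

Calling `expired_accounts(SAMPLE, epoch(2001, 5, 2))` reproduces the May 1st / May 2nd case from the message: `bob` is reported as an expired account.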