Security Basics mailing list archives
Re: Configuring OpenSSH-3.5p1 on Tru64
From: Jeremy Anderson <jsa.sf () 2monkeys org>
Date: Mon, 10 Mar 2003 10:22:32 -0800 (PST)
On Sat, 8 Mar 2003, Asif Munir wrote:
> Hi, I am currently in the process of configuring OpenSSH-3.5p1 on a number of Tru64 Unix machines. The versions vary from 4.0d all the way to 5.1a. I set up OpenSSH on my local workstation running Tru64 5.1a. The problem I seem to be facing is with regard to the 'UsePrivilegeSeparation' option in the sshd_config file. If I leave it at the default setting 'yes', then I get the following error message, 'sshd: /var/tcb/files/_db_lock_share: Permission denied', when logging in as other than root. If I then change the value to 'no', I get a successful normal user connection. Previously I was getting another message, 'cannot set login uid error'; this was occurring when I was trying to log in as other than root and the 'UsePrivilegeSeparation' value was set to 'yes'. I can't remember what I changed to start getting a permission denied error. Because I am still testing, this issue is not so critical. According to what I have read, 'UsePrivilegeSeparation' should be set to 'yes' so as to avoid the possibility of privilege escalation. Is there anyone who has configured OpenSSH-3.5p1 on Tru64 with 'UsePrivilegeSeparation' set to 'yes'? Or is this not so important?
I have never been able to get UsePrivilegeSeparation to work under Tru64. The environment I am in is one where we have a small group of trusted users on a physically isolated network which doesn't have Internet access, so it was decided that this was a risk we could live with. If you are not in an equally protected environment, you may want to work with the code a little more and tell us how it works out.
> Also, is there an issue with using C2 and OpenSSH?
I would say no, but that's not true. There ARE issues of omission (i.e. overly liberal access to systems). OpenSSH does not use the getprpwent() functions to validate users, relying instead on the legacy getpwent() functions. As such, some things which are supposed to be forbidden (i.e. copying files from a locked account) may be permitted. FWIW, I just tested this on a 5.1 box and it worked as intended (i.e. locked accounts would not allow scp or rsh-like access), but I would advise a thorough audit because I clearly remember having access issues on some of our backrev'd machines (i.e. 4.0f). Another note: OpenSSH DOES have some support for getprpwent() functions if the HAVE_SECUREWARE function is defined in config.h. For reasons I do not understand, this is not used in Tru64 at all, and cannot be defined with a flag to configure. You may want to try configuring this definition in, to see if this makes matters better or worse.
> I would be very grateful for any help or suggestions. Regards, Asif
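As an added example (not part of the original thread or of OpenSSH), a small Python audit that reads an sshd_config the way sshd does (keywords case-insensitive, optional '=' separator, first value for a keyword wins) and reports whether UsePrivilegeSeparation has been switched off; the sample config text is constructed for the demonstration.

```python
import re
from typing import Dict, Optional

# Constructed sample sshd_config (not from the original post).  Note the
# commented-out default, the explicit 'no', and a later duplicate that
# sshd ignores because the first value for a keyword wins.
SAMPLE_SSHD_CONFIG = """\
# sshd_config for a Tru64 host (constructed sample)
Port 22
#UsePrivilegeSeparation yes
UsePrivilegeSeparation no
PermitRootLogin = no
usePrivilegeSeparation yes
"""

def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return the effective keyword -> value map for the global section.

    Rules mirrored from sshd_config(5): blank lines and '#' comments are
    skipped, keywords are case-insensitive, whitespace or '=' may separate
    keyword and argument, and for each keyword the first value obtained is
    the one used.  Parsing stops at a 'Match' block (not present in 3.5p1,
    but its values would be conditional rather than global).
    """
    effective: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        keyword = parts[0].lower()
        if keyword == "match":
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        effective.setdefault(keyword, value)  # first occurrence wins
    return effective

def audit_privsep(config_text: str) -> Optional[str]:
    """Return a finding if UsePrivilegeSeparation is disabled, else None.

    An absent keyword is not a finding: the compiled-in default in
    OpenSSH 3.5p1 is 'yes'.
    """
    value = parse_sshd_config(config_text).get("useprivilegeseparation")
    if value is not None and value.lower() == "no":
        return ("UsePrivilegeSeparation is 'no': the pre-authentication "
                "sshd child runs with full privileges")
    return None
```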