On Thu, 23 Sep 1999, Kyu Lee wrote:
> Since I did not get much response on the subject, I hope you
> don't mind me reposting it, with one additional question.
>
> As I stated earlier (see below), even to a disabled account
> you can log in via ssh, and that's the problem I am trying to
> solve.
>
> The reason is this. Because I don't have usersec.h (what is it?),
> HAVE_USERSEC_H stays undefined. Therefore, the section that
> checks the password expiration is never executed.
>
> 1) Where does usersec.h come from?
> 2) Supposing no one has usersec.h, is there a way of aging
> a passphrase to test?
> 3) Any other insights?
Did you say this was a Digital UNIX box you are trying to build ssh on?
If so, are you using DEC's own compiler (cc) or gcc? Can you provide the
log of your 'configure' run? Are you setting the "with-login" flag for
configure?
>
> TIA
>
> ------------------------------
> Kyu Y. Lee
> Solveris, Inc.
> (425) 485-4357 X250
> [EMAIL PROTECTED]
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Kyu
> Lee
> Sent: Wednesday, September 22, 1999 6:46 PM
> To: [EMAIL PROTECTED]
> Subject: Logging on to a disabled account
>
>
> I've just installed ssh-1.2.27, sshd on HP-UX 10.20, and test ssh on
> Digital UNIX V4.0E (Rev. 1091).
>
> When I age the password (that is to force expiration) on the server, I
> cannot log in to the server with rlogin or login. That is expected.
>
> However, I can still ssh to the server from a client to a user ID that is
> disabled. This is not what I expected.
>
> Upon examination of the source code, I noticed that the password expiration
> test is done in a section of sshd.c when HAVE_USERSEC_H is defined.
> HAVE_USERSEC_H is defined if a header file <usersec.h> is available, which
> is not. config.h.in has it undefined.
>
> Do I interpret it correctly? Besides, what good is it if one can log in to
> the server back-door (via ssh) when the account is disabled?
>
> I would appreciate any thoughts on this dilemma.
>
> Thank you in advance
>
>
-----------------------------------------------------------------------
Toni Harbaugh-Blackford [EMAIL PROTECTED]
AlphaServer 8400 System Administrator
SAIC/NCI Frederick Biomedical Supercomputing Center
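
The thread turns on a check that exists in the source but is compiled out because `configure` left its feature macro undefined. As an added example (not part of the thread or of the ssh sources), this shell function lists the `HAVE_*` macros a source file tests that an autoconf-style `config.h` does not define; the sample file contents and the `HAVE_SHADOW_H` macro are constructed for illustration.

```shell
# Added example: report HAVE_* macros that a source file tests with
# #ifdef / #if / #elif but that the generated config.h never defines.
# Code inside those guards is absent from the built binary.
# Limitation: negated tests (#ifndef, "!defined") are skipped, since
# their bodies are compiled IN when the macro is undefined.
compiled_out_guards() {
    src=$1
    cfg=$2
    grep -E '^[[:space:]]*#[[:space:]]*(ifdef|if|elif)[[:space:]]' "$src" |
        grep -v '!' |
        grep -oE 'HAVE_[A-Z0-9_]+' | sort -u |
    while read -r macro; do
        # autoconf writes "#define HAVE_X 1" when found and
        # "/* #undef HAVE_X */" when not found
        if ! grep -qE "^[[:space:]]*#[[:space:]]*define[[:space:]]+${macro}([[:space:]]|\$)" "$cfg"; then
            echo "$macro"
        fi
    done
}

# Constructed sample input, modelled on the situation described in the thread.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/sshd.c" <<'EOF'
#ifdef HAVE_USERSEC_H
#include <usersec.h>
#endif
#ifdef HAVE_SHADOW_H
#include <shadow.h>
#endif
#ifdef HAVE_USERSEC_H
  /* password expiration check lives here */
#endif
EOF
    cat > "$dir/config.h" <<'EOF'
/* #undef HAVE_USERSEC_H */
#define HAVE_SHADOW_H 1
EOF
    compiled_out_guards "$dir/sshd.c" "$dir/config.h"
    rm -rf "$dir"
}
```

Against a real build tree, call `compiled_out_guards sshd.c config.h` after running `configure` and review each reported macro for security checks that will not be present in the binary.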