ssh & C2 security on Digital Unix

From: lombardi emanuele <lele_at_mantegna.casaccia.enea.it>
Date: Mon, 26 Oct 1998 15:37:59 +0100 (MET)

Dear ssh-ers and axp managers,

I'm using ssh 1.2.25 on Digital unix 4.0d (patch 2) machines with
enhanced (C2) security.

I set up the system (using dxaccounts) so that interactive users have a
default nice value of 5 since I want to privilege batch jobs.
Each time a user logs in via telnet or rsh he is given a nice of 5 to
the shell and to all of its sub-processes.

Due to obvious security problems I'm trying to compel my users to use
ssh but I noticed that ...

... using ssh to log in instead of telnet/rsh results in shells which
do NOT have the nice value set to 5; it is always left at 0. And, of
course, all the user-started processes have the 0 nice value.

This is NOT what I need since I want all the users to be given the 5 nice
regardless of the way they log in.

Any suggestion about that?

BTW the ssh logins are NOT seen by auditd as login events and that
is misleading when looking for user accesses.

Again: any suggestion?

Thanks from Italy,
Emanuele

        P.S. after my signature is the log of ssh configure


-- 
 Emanuele Lombardi
 mail:  AMB-GEM-CLIM ENEA Casaccia
        I-00060 S.M. di Galeria (RM)  ITALY
 mailto:lele_at_mantegna.casaccia.enea.it
 tel	+39 6 30483366 fax	+39 6 30483591
     This transmission was made possible by 100% recycled electrons.

loading cache ./config.cache
checking host system type... alpha-dec-osf4.0
checking cached information... (cached) ok
checking for gcc... (cached) gcc
checking whether the C compiler (gcc  ) works... yes
checking whether the C compiler (gcc  ) is a cross-compiler... no
checking whether we are using GNU C... (cached) yes
checking whether gcc accepts -g... (cached) yes
checking for POSIXized ISC... no
checking for set_auth_parameters in -lsecurity... (cached) yes
checking for audgen in -laud... (cached) yes
checking for dbopen in -ldb... (cached) yes
checking for sin in -lm... (cached) yes
checking for setluid... (cached) yes
checking for getespwnam... (cached) yes
checking for locked_out_es... (cached) yes
checking for time_lock... (cached) yes
checking for OSF/1 C2 security package... yes
checking that the compiler works... yes
checking if the compiler understands -pipe... no
checking whether to enable -Wall... no
checking return type of signal handlers... (cached) void
checking how to run the C preprocessor... (cached) gcc -E
checking for ANSI C header files... (cached) yes
checking for size_t... (cached) yes
checking for uid_t in sys/types.h... (cached) yes
checking for off_t... (cached) yes
checking for mode_t... (cached) yes
checking for st_blksize in struct stat... (cached) yes
checking for working const... (cached) yes
checking for inline... (cached) inline
checking whether byte ordering is bigendian... (cached) no
checking size of long... (cached) 8
checking size of int... (cached) 4
checking size of short... (cached) 2
checking for termios.h... (cached) yes
checking for ANSI C header files... (cached) yes
checking for sys/wait.h that is POSIX.1 compatible... (cached) yes
checking for unistd.h... (cached) yes
checking for rusage.h... (cached) no
checking for sys/time.h... (cached) yes
checking for lastlog.h... (cached) yes
checking for utmp.h... (cached) yes
checking for shadow.h... (cached) no
checking for sgtty.h... (cached) yes
checking for sys/select.h... (cached) yes
checking for sys/ioctl.h... (cached) yes
checking for machine/endian.h... (cached) yes
checking for paths.h... (cached) yes
checking for usersec.h... (cached) no
checking for utime.h... (cached) yes
checking for netinet/in_systm.h... (cached) yes
checking for netinet/in_system.h... (cached) no
checking for netinet/ip.h... (cached) yes
checking for netinet/tcp.h... (cached) yes
checking for ulimit.h... (cached) yes
checking for sys/resource.h... (cached) yes
checking for login_cap.h... (cached) no
checking whether time.h and sys/time.h may both be included... (cached) yes
checking for dirent.h that defines DIR... (cached) yes
checking for opendir in -ldir... (cached) no
checking whether stat file-mode macros are broken... (cached) no
checking whether utmp have ut_pid field... yes
checking whether utmp have ut_name field... no
checking whether utmp have ut_id field... yes
checking whether utmp have ut_host field... yes
checking whether utmp have ut_addr field... no
checking whether you have incompatible SIGINFO macro... no
checking for crypt in -lc... (cached) yes
checking for getspnam in -lsec... (cached) no
checking for get_process_stats in -lseq... (cached) no
checking for bcopy in -lbsd... (cached) yes
checking for main in -lnsl... (cached) no
checking for socket in -lsocket... (cached) no
checking for getpwnam in -lsun... (cached) no
checking for openpty in -lbsd... (cached) yes
checking for login in -lutil... (cached) yes
checking for vhangup... (cached) no
checking for setsid... (cached) yes
checking for gettimeofday... (cached) yes
checking for times... (cached) yes
checking for getrusage... (cached) yes
checking for ftruncate... (cached) yes
checking for revoke... (cached) yes
checking for makeutx... (cached) no
checking for strchr... (cached) yes
checking for memcpy... (cached) yes
checking for setlogin... (cached) yes
checking for openpty... (cached) yes
checking for _getpty... (cached) no
checking for clock... (cached) yes
checking for fchmod... (cached) yes
checking for ulimit... (cached) yes
checking for gethostname... (cached) yes
checking for getdtablesize... (cached) yes
checking for umask... (cached) yes
checking for innetgr... (cached) yes
checking for initgroups... (cached) yes
checking for setpgrp... (cached) yes
checking for setpgid... (cached) yes
checking for daemon... (cached) yes
checking for waitpid... (cached) yes
checking for ttyslot... (cached) yes
checking for authenticate... (cached) no
checking for strerror... (cached) yes
checking for memmove... (cached) yes
checking for remove... (cached) yes
checking for random... (cached) yes
checking for putenv... (cached) yes
checking for crypt... (cached) yes
checking for socketpair... (cached) yes
checking whether ln -s works... (cached) yes
checking for a BSD compatible install... (cached) /usr/bin/installbsd -c
checking for ar... (cached) ar
checking for ranlib... (cached) ranlib
checking for makedepend... (cached) makedepend
checking for X... (cached) libraries , headers 
checking for dnet_ntoa in -ldnet... (cached) no
checking for dnet_ntoa in -ldnet_stub... (cached) yes
checking for gethostbyname... (cached) yes
checking for connect... (cached) yes
checking for remove... (cached) yes
checking for shmat... (cached) yes
checking for IceConnectionNumber in -lICE... (cached) yes
checking for xauth... (cached) /usr/bin/X11/xauth
checking for X11 unix domain socket directory... /tmp/.X11-unix
checking for perl5... no
checking for perl... /usr/bin/perl
checking for getpseudotty... (cached) no
checking for pseudo ttys... streams ptys
checking for /etc/default/login... no
checking for shadow passwords... no
checking location of mail spool files... /var/spool/mail
checking location of utmp... /var/adm/utmp
checking location of wtmp... /var/adm/wtmp
checking location of lastlog... /var/adm/lastlog
checking whether /var/adm/lastlog is a directory... no
checking whether to include the IDEA encryption algorithm... yes
checking whether to include the Blowfish encryption algorithm... yes
checking whether to include the DES encryption algorithm... no
checking whether to include the ARCFOUR encryption algorithm... no
checking whether to include the none encryption algorithm... no
checking whether to use login... no
checking whether to use rsh... yes
checking for remsh... (cached) /usr/bin/rsh
checking default path... use system default
checking etcdir... /etc
checking whether to use nologin.allow file to override nologin... no
checking whether to support SecurID... no
checking whether to support TIS authentication server... no
checking whether to use Kerberos... no
checking whether to enable passing the Kerberos TGT... no
checking whether to use libwrap... yes
checking whether to support SOCKS... no
checking whether to support SOCKS5... no
checking whether to support SOCKS4... no
checking whether to use rsaref... no
checking whether to allow group writeability... no
checking whether to disable forwardings in server... no
checking whether to disable forwardings in client... no
checking whether to disable X11 forwarding in server... no
checking whether to disable X11 forwarding in client... no
checking whether to install ssh as suid root... yes
checking whether to enable TCP_NODELAY... yes
checking whether to enable SO_LINGER... no
checking whether to enable scp statistics... yes
checking where to put sshd.pid... /var/run
creating ./config.status
creating Makefile
creating sshd.8
creating ssh.1
creating make-ssh-known-hosts.1
creating zlib-1.0.4/Makefile
creating config.h
configuring in gmp-2.0.2-ssh-2
running /bin/sh ./configure  --prefix=/sicurezza --with-libwrap=/sicurezza/tcp_wrapper --cache-file=.././config.cache --srcdir=.
loading cache .././config.cache
checking for a BSD compatible install... (cached) /usr/bin/installbsd -c
checking whether build environment is sane... yes
checking whether make sets ${MAKE}... (cached) yes
checking for working aclocal... found
checking for working autoconf... found
checking for working automake... found
checking for working autoheader... found
checking for working makeinfo... found
checking host system type... alpha-dec-osf4.0
checking cached information... (cached) ok
checking for gcc... (cached) gcc
checking whether the C compiler (gcc -g -O2 ) works... yes
checking whether the C compiler (gcc -g -O2 ) is a cross-compiler... no
checking whether we are using GNU C... (cached) yes
checking whether gcc accepts -g... (cached) yes
checking for working const... (cached) yes
checking for inline... (cached) inline
checking how to run the C preprocessor... (cached) gcc -E
checking for ANSI C header files... (cached) yes
checking whether ln -s works... (cached) yes
checking for ranlib... (cached) ranlib
checking whether make sets ${MAKE}... (cached) yes
checking for a BSD compatible install... /usr/bin/installbsd -c
checking for random... (cached) yes
checking size of int... (cached) 4
checking for working alloca.h... (cached) yes
checking for alloca... (cached) yes
checking whether underscore gets prepended in C function names... (cached) no
checking asm code... (cached) ok
checking asm links... (cached) done
checking asm sources... (cached) done
checking asm objects... (cached) done
checking asm syntax... (cached) default
checking asm syntax header... (cached) 
checking for gmp-mparam.h... (cached) .././mpn/alpha/gmp-mparam.h
checking other objs... (cached) done
checking other sources... (cached) done
checking other links... (cached) done
checking links to mpz sources in mpbsd... done
creating ./config.status
creating Makefile
creating demos/Makefile
creating mpbsd/Makefile
creating mpf/Makefile
creating mpf/tests/Makefile
creating mpn/Makefile
creating mpn/tests/Makefile
creating mpq/Makefile
creating mpq/tests/Makefile
creating mpz/Makefile
creating mpz/tests/Makefile
Received on Mon Oct 26 1998 - 14:41:15 NZDT
