Hi,
here I am to better explain what i wrote in my previous message
concerning ssh & Digital Unix 4.0d & Enhanced Security (C2)
I ment to say that if you use ssh to login into a C2 machine you of
course succed and have proper X11 forwarding,
...BUT ...
1) you have NOT the usual C2 messages:
Last successful login for lele: Tue Oct 27 17:09:28 1998 from 192.107.71.51
Last unsuccessful login for lele: Tue Oct 27 12:09:53 1998 on ttyp8
2) you have not given the proper C2 characteristics like
LOGIN RESTRICTIONS
a) NICE value
LOGIN RESOURCES
a) Maximum core size
b) Maximum file size
c) Maximum data segment
d) Maximum address space
e) maximum stack segment
f) Maximum process size
and others as they have been assigned to you using dxaccounts.
3) your login is NOT logged by auditd with all the other telnets
and logins. Only a SEC_SETLUID (3) request is audited.
Apart that I succesfully use both sshd1 & sshd2 and I know they let you
login into C2 envirnoments and they do proper X11 forwarding.
The topic of my previous messages was that I found out that sshd1
doesn't properly do X11 forwarding WHEN you compile it telling it to use
/usr/bin/login.
. ./configure --with-login=/usr/bin/login
In this case all the C2 characteristics are used and properly set, but
X11 forwarding is broken. Thanks to John Speno <speno_at_isc.upenn.edu>
now I know why this happens:
> ...But there are problems opening X11 connections: I'm not any more
> able to open them !!
>
> X11 connection rejected because of wrong authentication at Tue Oct 27 17:00:36 1998.
When you have sshd "use login", it will not (and can't) set up the X11
forwarding stuff for you.
This is because sshd performs a setuid to the uid of the person who is
logging in before running the 'xauth' command which sets up your
.Xauthority file.
However, only root can run '/usr/bin/login' with the -f flag.
How can sshd safely run xauth as you, then become root and run login?
The current code can't do this. I thought about it, and it could
'fork and exec' a child process to do the xauth stuff. Good luck.
I'm now submitting the question to SSH developers hoping they will have
time to spend on it. (Unfortunately I'm not a C programmer nor I know
sshd well enough to make the patch myself)
Any help from axp-ist e/o ssh-ers will still be apreciated of course !
Greetings from Italy
Emanuele
--
Emanuele Lombardi
mail: AMB-GEM-CLIM ENEA Casaccia
I-00060 S.M. di Galeria (RM) ITALY
mailto:lele_at_mantegna.casaccia.enea.it
tel +39 6 30483366 fax +39 6 30483591
This transmission was made possible by 100% recycled electrons.
Received on Wed Oct 28 1998 - 08:47:14 NZDT