[9225] in bugtraq
Re: SSH 1.x and 2.x Daemon
daemon@ATHENA.MIT.EDU (Linux Mailing Lists)
Tue Jan 26 13:17:29 1999
Date: Mon, 25 Jan 1999 20:40:09 +0100
Reply-To: Linux Mailing Lists <linux@AIIND.UPV.ES>
From: Linux Mailing Lists <linux@AIIND.UPV.ES>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <19990124143930.A3308@best.com>
Hello,
> > There seems to be incomplete code in the SSH daemon in both versions 1.2.27
> > and 2.0.11 (only tested). The bug simply allows users with expired
> > accounts (in /etc/shadow) to continue to log in even though other
> > services such as ftp and telnet deny access. Here is the log using 1.2.27
> > (but the same happens with 2.0.11).
>
> This is not the case with ssh 1.1.26 running on FreeBSD 2.2.8
> If I expire an account:
> Expire [month day year]: January 1, 1999
> Then when I try to ssh in I just get:
> Permission denied.

There's a configure parameter to use the "usual" /bin/login program
instead of the login procedure implemented with ssh:

  --with-login[=PATH]     Use login -f to finish login connections.

On one hand, a possible fix (temporary, of course) is to compile sshd with
support for /bin/login. The features of the shadow-suite will be back.

On the other hand, SSH 1.2.26 seems to implement the expiration date of
accounts (grep expire sshd.c), but I don't know if it does it ok.

Greetings,
Sergio
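
The check this thread is about, as an added example that is not part of the original post and is not sshd's code: a login path that does not go through /bin/login has to evaluate the /etc/shadow aging fields itself. The function names are hypothetical, the comparison rules are an assumption based on the field meanings in shadow(5), and the day numbers are constructed from the dates mentioned in the thread.

```c
#include <shadow.h>
#include <stdio.h>
#include <time.h>

enum acct_state { ACCT_OK, ACCT_EXPIRED, ACCT_PW_INACTIVE, ACCT_UNKNOWN };

/* Decide from one shadow entry whether a login may proceed.
 * today = days since 1970-01-01. glibc stores empty fields as -1. */
enum acct_state shadow_state(const struct spwd *sp, long today)
{
    if (sp == NULL)
        return ACCT_UNKNOWN;          /* caller should refuse, not allow */
    /* Field 8: account expiration date. */
    if (sp->sp_expire > 0 && today >= sp->sp_expire)
        return ACCT_EXPIRED;
    /* Fields 3, 5, 7: password past max age plus inactivity grace. */
    if (sp->sp_lstchg > 0 && sp->sp_max >= 0 && sp->sp_inact >= 0 &&
        today > sp->sp_lstchg + sp->sp_max + sp->sp_inact)
        return ACCT_PW_INACTIVE;
    return ACCT_OK;
}

/* Build a constructed entry from the four aging fields and check it. */
enum acct_state check_fields(long lstchg, long max, long inact,
                             long expire, long today)
{
    struct spwd sp = {0};
    sp.sp_lstchg = lstchg;
    sp.sp_max = max;
    sp.sp_inact = inact;
    sp.sp_expire = expire;
    return shadow_state(&sp, today);
}

int main(int argc, char **argv)
{
    static const char *names[] = { "ok", "account expired",
                                   "password inactive", "no shadow entry readable" };
    long today = (long)(time(NULL) / 86400);
    /* Constructed sample: expiry 1 Jan 1999 (day 10592), seen on 25 Jan 1999. */
    printf("sample: %s\n", names[check_fields(-1, -1, -1, 10592, 10616)]);
    if (argc > 1) {
        /* getspnam() needs read access to /etc/shadow, normally root. */
        struct spwd *sp = getspnam(argv[1]);
        printf("%s: %s\n", argv[1], names[shadow_state(sp, today)]);
    }
    return 0;
}
```

Run with a user name as root to compare the result against what sshd, ftp and telnet actually do for that account.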