
SSH authentication order on AIX

Subject: SSH authentication order on AIX
Date: Sun, 27 Jul 2008 10:48:46 -0400

I'm trying to get to the bottom of an issue with key authentication on
AIX and I'm not sure I believe IBM's answer so I thought I'd post here
to see what answer I'd get from the SSH side.

We have three different methods of authentication - local, VAS (AD),
NIS. On our Linux and Solaris servers it's very simple to set the
authentication order with nsswitch.conf and SSH follows that order on
those systems without any issues - even with key-authentication. On AIX
however if we use key-authentication it always hits NIS before VAS. IBM
is telling us that it is because that's how SSH works and we keep trying
to tell them that it doesn't work like that anywhere else - only on AIX.
It's my understanding that SSH will authenticate in the order
established by the OS and not vice-versa - is this thinking correct? 

We have workarounds for the issue, but we'd like to have IBM own up to
what we perceive as a flaw in their authentication model instead of
blaming it on how SSH works.

Here is the latest from their developers:

"Discussed about the SSH design.
As we are copying the public key in the /home/(user). So in this case
authentication is done by the SSH Server. But in case of password
authentication NIS server or VAS server is doing the authentication.
Therefore in the password case it is able to differentiate between NIS
and VAS user.
But in case of Public Key Authentication it is first taking the NIS
user and then server is doing the authentication.
So it is not able to differentiate between the two users in case of
PUBLIC KEY AUTHENTICATION."

My belief is even with key-authentication SSH still has to have the user
account validated by the OS and that the order in which this validation
will occur is determined by the OS not the SSH server. At least this is
what happens on our other operating systems - we can switch the
authentication order and it will authenticate to whichever option is
first.

Thanks,
Frank LaMon
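
Added example, not part of the original post: a small check for the nsswitch.conf-based systems the message describes, showing the configured `passwd` source order and which source is the first to resolve a given account. It assumes glibc's `getent -s` (Linux); the function names and the `vas4` source name in the comment are assumptions, not values from the post.

```shell
#!/bin/sh
# Added example: report the passwd lookup order from nsswitch.conf and the
# first source that actually resolves a user. Function names are hypothetical.
#
# Constructed sample line this parser handles (module name "vas4" is assumed):
#   passwd:  files vas4 [NOTFOUND=continue] nis   # local, then AD, then NIS

# nss_sources DATABASE [FILE]
# Print the sources configured for DATABASE, one per line, in lookup order.
# Comments and [STATUS=action] items are dropped.
nss_sources() {
    db=$1
    conf=${2:-/etc/nsswitch.conf}
    sed -e 's/#.*//' -e 's/\[[^]]*]/ /g' -e 's/:/: /' "$conf" |
    awk -v db="$db" '$1 == (db ":") {
        for (i = 2; i <= NF; i++) print $i
        exit
    }'
}

# first_source_for USER [FILE]
# Query each configured source on its own (glibc "getent -s") and print the
# first one that knows USER. Returns 1 if no source resolves the account.
first_source_for() {
    user=$1
    conf=${2:-/etc/nsswitch.conf}
    for src in $(nss_sources passwd "$conf"); do
        if getent -s "$src" passwd "$user" >/dev/null 2>&1; then
            printf '%s\n' "$src"
            return 0
        fi
    done
    return 1
}

# Run as: ./nss_order.sh USERNAME   (script name is a placeholder)
if [ "$#" -ge 1 ]; then
    echo "Configured passwd order: $(nss_sources passwd | tr '\n' ' ')"
    if src=$(first_source_for "$1"); then
        echo "First source resolving $1: $src"
        # The entry the libc resolver returns for this name:
        getent passwd "$1"
    else
        echo "No configured source resolves $1" >&2
        exit 1
    fi
fi
```

Running it for an account that exists in more than one directory shows whether the entry returned by the OS comes from the source listed first.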
