
Author Topic: opessh install fails if /bin/false is not an allowed shell  (Read 4684 times)


henkwiedig

  • Registered
  • *
  • Posts: 1
  • Karma: +0/-0
opessh install fails if /bin/false is not an allowed shell
« on: October 16, 2015, 06:18:00 AM »
Code:
aixtools.openbsd.openssh.rte.pre_i[32]: shells=/bin/sh,/bin/bsh,/bin/csh,/bin/ksh,/bin/tsh,/bin/ksh93,/usr/bin/sh,/usr/bin/bsh,/usr/bin/csh,/usr/bin/ksh,/usr/bin/tsh,/usr/bin/ksh93,/usr/bin/rksh,/usr/bin/rksh93,/usr/sbin/sliplogin,/usr/sbin/uucp/uucico,/usr/sbin/snappd,/usr/bin/tcsh,/bin/tcsh,/usr/bin/bash,/bin/bash,/bin/false: syntax error
Usage: chsec -f file -s stanza -a "attr=value" ...
User "sshd" does not exist.
Check "/etc/security/login.cfg" file.
Error changing "shell" to "/bin/false" : Value is invalid.
aixtools.openbsd.openssh.rte.pre_i[31]: shells=/bin/sh,/bin/bsh,/bin/csh,/bin/ksh,/bin/tsh,/bin/ksh93,/usr/bin/sh,/usr/bin/bsh,/usr/bin/csh,/usr/bin/ksh,/usr/bin/tsh,/usr/bin/ksh93,/usr/bin/rksh,/usr/bin/rksh93,/usr/sbin/sliplogin,/usr/sbin/uucp/uucico,/usr/sbin/snappd,/usr/bin/tcsh,/bin/tcsh,/usr/bin/bash,/bin/bash,/bin/false: syntax error
Usage: chsec -f file -s stanza -a "attr=value" ...
User "sshd" does not exist.
Check "/etc/security/login.cfg" file.
Error changing "shell" to "/bin/false" : Value is invalid.

Problem with line aixtools.openbsd.openssh.rte.pre_i.
Code:
let shells="${shells},/bin/false"
Does not work as well.
Code:
chsec ...
has wrong syntax, at least for AIX 7.1.


Michael

  • Administrator
  • Hero Member
  • *****
  • Posts: 1101
  • Karma: +0/-0
Re: opessh install fails if /bin/false is not an allowed shell
« Reply #1 on: October 16, 2015, 06:40:20 AM »
Thanks. I'll test the script again - on AIX 7.1 - and see what is happening. - or not.

You did not say which fileset-version, so I shall assume 6.9p1 aka 6.9.0.1601
« Last Edit: October 16, 2015, 07:03:43 AM by Michael »

Michael

  • Administrator
  • Hero Member
  • *****
  • Posts: 1101
  • Karma: +0/-0
Re: opessh install fails if /bin/false is not an allowed shell
« Reply #2 on: October 16, 2015, 06:51:40 AM »
I found why it has always succeeded for me - my fb_script has already modified the default shells!

I remove a lot more than what I mention here (#5): http://www.ibmsystemsmag.com/Blogs/SecuringAIX/January-2015/Things-To-Have-Done-Early-in-2015/

Code:
root@x072:[/]grep -p usw: /etc/security/login.cfg
usw:
        shells = /bin/ksh,/bin/ksh93,/usr/bin/ksh,/usr/bin/ksh93,/usr/bin/rksh,/usr/bin/rksh93,/bin/false
        maxlogins = 32767
        logintimeout = 60
        maxroles = 8
        auth_type = STD_AUTH
        pwd_algorithm = ssha512
        unix_passwd_compat = true
And so - I see why I missed the error. I set /bin/false as part of my fb_script! (I get rid of what I consider nonsense shells at the start) - which reminds me, I should also make a config script for bash to add bash to the shells.

Update:

So, since I already have /bin/false I never tested my bad syntax.

Bad:
Code:
[[ ! -z ${VERBOSE} ]] && \
print -- "+-----OpenSSH Pre-Install Verification: Start---------------------------------+"
shells=`lssec -f /etc/security/login.cfg -s usw -a shells | awk -F= ' { print $2 } '`
print $shells | grep "/bin/false" >/dev/null
hasFalse=$?

# add /bin/false to list of shells so sshd can never get a shell prompt, even via su
if [[ $hasFalse -ne 0 ]]; then
        let shells="${shells},/bin/false"
        chsec -f /etc/security/login.cfg -s usw -a shells ${shells}
fi

Should be:
Code:
...

if [[ $hasFalse -ne 0 ]]; then
        eval shells="${shells},/bin/false"
        # chsec expects a single "attr=value" word after -a
        chsec -f /etc/security/login.cfg -s usw -a shells=${shells}
fi

If you add /bin/false to your shells, the package should install without an issue. I'll have a new package (as 6.9.1.1601) - to keep the 1601 synonymous with OpenBSD "p1" (p is the 16th letter of the alphabet).
« Last Edit: October 16, 2015, 07:08:29 AM by Michael »

Michael

  • Administrator
  • Hero Member
  • *****
  • Posts: 1101
  • Karma: +0/-0
Re: opessh install fails if /bin/false is not an allowed shell
« Reply #3 on: October 16, 2015, 08:03:50 AM »
Code:
# grep -p usw: /etc/security/login.cfg
usw:
        shells = /bin/sh,/bin/bsh,/bin/csh,/bin/ksh,/bin/tsh,/bin/ksh93,/usr/bin/sh,/usr/bin/bsh,/usr/bin/csh,/usr/bin/ksh,/usr/bin/tsh,/usr/bin/ksh93,/usr/bin/rksh,/usr/bin/rksh93,/usr/sbin/uucp/uucico,/usr/sbin/sliplogin,/usr/sbin/snappd
        maxlogins = 32767
        logintimeout = 60
        maxroles = 8
        auth_type = STD_AUTH

#

Code:
# installp -d . -a aixtools.openbsd.openssh.rte
+-----------------------------------------------------------------------------+
                    Pre-installation Verification...
+-----------------------------------------------------------------------------+
Verifying selections...done
Verifying requisites...done
Results...

WARNINGS
--------
  Problems described in this section are not likely to be the source of any
  immediate or serious failures, but further actions may be necessary or
  desired.

  Conflicting Versions of Filesets
  --------------------------------
  The following filesets are conflicting versions of filesets for which there
  are multiple versions on the installation media.  Since a specific version
  was not selected, the newest installable version has been selected.

    aixtools.openbsd.openssh.rte 6.8.0.1601   # 1525 0625 1338
    aixtools.openbsd.openssh.rte 6.9.0.1601   # 1537 0917 0928

  << End of Warning Section >>

SUCCESSES
---------
  Filesets listed in this section passed pre-installation verification
  and will be installed.

  Selected Filesets
  -----------------
  aixtools.openbsd.openssh.rte 7.1.0.1601     # 1537 0917 1039

  << End of Success Section >>

+-----------------------------------------------------------------------------+
                   BUILDDATE Verification ...
+-----------------------------------------------------------------------------+
Verifying build dates...done
FILESET STATISTICS
------------------
    1  Selected to be installed, of which:
        1  Passed pre-installation verification
  ----
    1  Total to be installed

+-----------------------------------------------------------------------------+
                         Installing Software...
+-----------------------------------------------------------------------------+

installp:  APPLYING software for:
        aixtools.openbsd.openssh.rte 7.1.0.1601

Code:
aixtools.openbsd.openssh.rte.pre_i[32]: shells=/bin/sh,/bin/bsh,/bin/csh,/bin/ksh,/bin/tsh,/bin/ksh93,/usr/bin/sh,/usr/bin/bsh,/usr/bin/csh,/usr/bin/ksh,/usr/bin/tsh,/usr/bin/ksh93,/usr/bin/rksh,/usr/bin/rksh93,/usr/sbin/uucp/uucico,/usr/sbin/sliplogin,/usr/sbin/snappd,/bin/false: 0403-057 Syntax error
Usage: chsec -f file -s stanza -a "attr=value" ...
3004-703 Check "/etc/security/login.cfg" file.
3004-692 Error changing "shell" to "/bin/false" : Value is invalid.
aixtools.openbsd.openssh.rte.pre_i[31]: shells=/bin/sh,/bin/bsh,/bin/csh,/bin/ksh,/bin/tsh,/bin/ksh93,/usr/bin/sh,/usr/bin/bsh,/usr/bin/csh,/usr/bin/ksh,/usr/bin/tsh,/usr/bin/ksh93,/usr/bin/rksh,/usr/bin/rksh93,/usr/sbin/uucp/uucico,/usr/sbin/sliplogin,/usr/sbin/snappd,/bin/false: 0403-057 Syntax error
Usage: chsec -f file -s stanza -a "attr=value" ...
3004-703 Check "/etc/security/login.cfg" file.
3004-692 Error changing "shell" to "/bin/false" : Value is invalid.
FYI there are two errors:
    the let syntax - which should be eval - that defines shells as '0'
    and the chsec command syntax - -a shells $shells needs to be -a shells=$shells

Code:
+-------OpenSSH CONFIG Checking for Ciphers and KeyExchanges -----------------+
Creating host keys if required.
/var/openssh/etc/ssh_host_key already exists, skipping.
/var/openssh/etc/ssh_host_dsa_key already exists, skipping.
/var/openssh/etc/ssh_host_rsa_key already exists, skipping.
Generating public/private ecdsa key pair.
Your identification has been saved in /var/openssh/etc/ssh_host_ecdsa_key.
Your public key has been saved in /var/openssh/etc/ssh_host_ecdsa_key.pub.
The key fingerprint is:
SHA256:O+8Jhv8UnEi9HFRMj08xbCuEDGVRtgKdo0TQhwwuI1I root@x070.home.local
The key's randomart image is:
+---[ECDSA 256]---+
|  E   o*+*=O=.o  |
| .   .  ==B.o+oo |
|. . o ...o+oo.o. |
| . . o ..+ =.o.  |
|        S *  ..  |
|       . . .     |
|      . = .      |
|       o = .     |
|        .o=      |
+----[SHA256]-----+
Generating public/private ed25519 key pair.
Your identification has been saved in /var/openssh/etc/ssh_host_ed25519_key.
Your public key has been saved in /var/openssh/etc/ssh_host_ed25519_key.pub.
The key fingerprint is:
SHA256:D7T2eMtX5TidFm4uxo41CSoiNMa1EMOpOpjb9HArusE root@x070.home.local
The key's randomart image is:
+--[ED25519 256]--+
|  .o.            |
|   oo            |
|  .. .  .        |
| .. o .. .     ..|
|o. = .  S  .  .=o|
|* = o  . =. . ==o|
|.E = o ...+ .=+. |
|..o + . .o .++.. |
|oo .      ooo..  |
+----[SHA256]-----+
Code:
0513-044 The sshd Subsystem was requested to stop.
0513-071 The sshd Subsystem has been added.
0513-059 The sshd Subsystem has been started. Subsystem PID is 5636156.
Finished processing all filesets.  (Total time:  2 secs).
Code:
+-----------------------------------------------------------------------------+
                                Summaries:
+-----------------------------------------------------------------------------+

Installation Summary
--------------------
Name                        Level           Part        Event       Result
-------------------------------------------------------------------------------
aixtools.openbsd.openssh.rt 7.1.0.1601      USR         APPLY       SUCCESS   
aixtools.openbsd.openssh.rt 7.1.0.1601      ROOT        APPLY       SUCCESS   
#

So, even though the script pre_i (pre_install) did not succeed everywhere - the user sshd does exist (because the AIX version of openssh is installed I expect - as it was on my system).

Your new configuration files are in /var/openssh/etc - just in case you had missed that!

The patched versions - 6.8.1.1601, 6.9.1.1601 and 7.1.1601 will show up soon.
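The corrected pre-install logic, covering both the let/eval assignment from Reply #2 and the two errors listed above (let vs. plain assignment, and chsec needing a single shells=... word), as an added example in POSIX sh and not the aixtools package's own pre_i script. The lssec/chsec commands, the usw stanza and the shells attribute are taken from the thread; the function names and the sample lists are my own.

```shell
#!/bin/sh
# Added example, not the aixtools pre_i script: the corrected pre-install logic
# in POSIX sh (runs under AIX ksh too). Assumes the AIX lssec/chsec commands,
# the "usw" stanza and "shells" attribute of /etc/security/login.cfg, as in the thread.

LOGIN_CFG=/etc/security/login.cfg
NOLOGIN_SHELL=/bin/false

# has_shell LIST SHELL: succeed only if SHELL is an exact comma-separated member.
# (grep "/bin/false" on the list would also match /opt/bin/false.)
has_shell() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# add_shell LIST SHELL: print LIST with SHELL appended exactly once.
# Plain string assignment replaces the buggy "let", which parses arithmetic.
add_shell() {
    if has_shell "$1" "$2"; then
        printf '%s\n' "$1"
    elif [ -z "$1" ]; then
        printf '%s\n' "$2"
    else
        printf '%s\n' "$1,$2"
    fi
}

# chsec_arg LIST: the single "attr=value" word that chsec -a expects.
# The buggy script passed "-a shells $shells" as two words, hence the usage error.
chsec_arg() {
    printf 'shells=%s\n' "$1"
}

# The real AIX step: read the current list, extend it, write it back.
ensure_nologin_shell() {
    shells=$(lssec -f "$LOGIN_CFG" -s usw -a shells | awk -F= '{ print $2 }')
    if ! has_shell "$shells" "$NOLOGIN_SHELL"; then
        shells=$(add_shell "$shells" "$NOLOGIN_SHELL")
        chsec -f "$LOGIN_CFG" -s usw -a "$(chsec_arg "$shells")"
    fi
}

# Only modify the system where lssec/chsec exist (AIX); elsewhere the helpers
# above can still be exercised on constructed lists.
if command -v lssec >/dev/null 2>&1 && command -v chsec >/dev/null 2>&1; then
    ensure_nologin_shell
fi
```

Run twice on the same box to confirm it is idempotent: the second run finds /bin/false already present and leaves login.cfg untouched.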

Michael

  • Administrator
  • Hero Member
  • *****
  • Posts: 1101
  • Karma: +0/-0
Re: opessh install fails if /bin/false is not an allowed shell
« Reply #4 on: October 16, 2015, 08:30:22 AM »
Patched: notice the uninstall swaps you back to the old AIX sshd first!

Code:
# installp -u aixtools.openbsd.openssh
+-----------------------------------------------------------------------------+
                    Pre-deinstall Verification...
+-----------------------------------------------------------------------------+
Verifying selections...done
Verifying requisites...done
Results...

SUCCESSES
---------
  Filesets listed in this section passed pre-deinstall verification
  and will be removed.

  Selected Filesets
  -----------------
  aixtools.openbsd.openssh.rte 7.1.0.1601     # 1537 0917 1039

  << End of Success Section >>

FILESET STATISTICS
------------------
    1  Selected to be deinstalled, of which:
        1  Passed pre-deinstall verification
  ----
    1  Total to be deinstalled

+-----------------------------------------------------------------------------+
                           Deinstalling Software...
+-----------------------------------------------------------------------------+

installp:  DEINSTALLING software for:
        aixtools.openbsd.openssh.rte 7.1.0.1601

0513-044 The sshd Subsystem was requested to stop.
Note: the following 'uninstall' part of the openbsd.openssh is to restore and restart the AIX openssh autostart - if it was, and still is, on the system.
Code:
x ./etc/rc.d/rc2.d/Ksshd
x ./etc/rc.d/rc2.d/Ssshd
0513-071 The sshd Subsystem has been added.
0513-059 The sshd Subsystem has been started. Subsystem PID is 5636160.
Could not load host key: /etc/ssh/ssh_host_ecdsa_key
Finished processing all filesets.  (Total time:  1 secs).

+-----------------------------------------------------------------------------+
                                Summaries:
+-----------------------------------------------------------------------------+

Installation Summary
--------------------
Name                        Level           Part        Event       Result
-------------------------------------------------------------------------------
aixtools.openbsd.openssh.rt 7.1.0.1601      ROOT        DEINSTALL   SUCCESS   
aixtools.openbsd.openssh.rt 7.1.0.1601      USR         DEINSTALL   SUCCESS   
#
And now install the new version
Code:
# inutoc .
# installp -d . aixtools.openbsd.openssh.rte
installp:  No action was indicated.
        The -a (apply) flag is being assumed.
+-----------------------------------------------------------------------------+
                    Pre-installation Verification...
+-----------------------------------------------------------------------------+
Verifying selections...done
Verifying requisites...done
Results...

WARNINGS
--------
  Problems described in this section are not likely to be the source of any
  immediate or serious failures, but further actions may be necessary or
  desired.

  Conflicting Versions of Filesets
  --------------------------------
  The following filesets are conflicting versions of filesets for which there
  are multiple versions on the installation media.  Since a specific version
  was not selected, the newest installable version has been selected.

    aixtools.openbsd.openssh.rte 6.8.0.1601   # 1525 0625 1338
    aixtools.openbsd.openssh.rte 7.1.0.1601   # 1537 0917 1039
    aixtools.openbsd.openssh.rte 6.8.1.1601   # 1541 1016 0754
    aixtools.openbsd.openssh.rte 6.9.1.1601   # 1541 1016 0753
    aixtools.openbsd.openssh.rte 6.9.0.1601   # 1537 0917 0928

  << End of Warning Section >>

SUCCESSES
---------
  Filesets listed in this section passed pre-installation verification
  and will be installed.

  Selected Filesets
  -----------------
  aixtools.openbsd.openssh.rte 7.1.1.1601     # 1541 1016 0755

  << End of Success Section >>

+-----------------------------------------------------------------------------+
                   BUILDDATE Verification ...
+-----------------------------------------------------------------------------+
Verifying build dates...done
FILESET STATISTICS
------------------
    1  Selected to be installed, of which:
        1  Passed pre-installation verification
  ----
    1  Total to be installed

+-----------------------------------------------------------------------------+
                         Installing Software...
+-----------------------------------------------------------------------------+

installp:  APPLYING software for:
        aixtools.openbsd.openssh.rte 7.1.1.1601

+-------OpenSSH CONFIG Checking for Ciphers and KeyExchanges -----------------+
Creating host keys if required.
/var/openssh/etc/ssh_host_key already exists, skipping.
/var/openssh/etc/ssh_host_dsa_key already exists, skipping.
/var/openssh/etc/ssh_host_rsa_key already exists, skipping.
/var/openssh/etc/ssh_host_ecdsa_key already exists, skipping.
/var/openssh/etc/ssh_host_ed25519_key already exists, skipping.
And stop the AIX sshd, and reactivate the new openbsd openssh

Code:
0513-044 The sshd Subsystem was requested to stop.
0513-071 The sshd Subsystem has been added.
0513-059 The sshd Subsystem has been started. Subsystem PID is 5636162.
Finished processing all filesets.  (Total time:  2 secs).

+-----------------------------------------------------------------------------+
                                Summaries:
+-----------------------------------------------------------------------------+

Installation Summary
--------------------
Name                        Level           Part        Event       Result
-------------------------------------------------------------------------------
aixtools.openbsd.openssh.rt 7.1.1.1601      USR         APPLY       SUCCESS   
aixtools.openbsd.openssh.rt 7.1.1.1601      ROOT        APPLY       SUCCESS   

And now the sshd user is modified - as desired

Code:
# lsuser -a id shell sshd
sshd id=202 shell=/bin/false
#

Be sure to review that the settings in /var/openssh/etc/sshd_config suit your needs. There is also a copy of the new defaults - so you can compare your current settings with the default config from OpenBSD.