Hello, I would like to share with you the results of deploying ssh on a 5.4 iSeries server. IBM's web site, the redbook "Securing Communications with OpenSSH on IBM i5/OS" and Bob Bittner's article on server applications explain how to set up the sshd service on the iSeries.

http://www-03.ibm.com/servers/enable/site/porting/tools/openssh.html
http://www.redbooks.ibm.com/redpapers/pdfs/redp4163.pdf
http://www-03.ibm.com/servers/enable/site/education/wp/7f4a/7f4a.pdf

OK, now that I have sshd merrily running on my iSeries, what does it mean to the server's security?

1. Client software to connect to the sshd service is freely available.
SSH clients exist for all platforms, including the iSeries. In Windows we have command line ssh clients in distributions like WinOpenSSH, and Windows oriented tools like PuTTY. All distros include tools for interactive remote login and remote command, and for secure copying of files. On the iSeries, the client tools include ssh (remote sessions and remote command), scp (secure copy of a single file) and sftp (secure replacement for ftp).

2. All iSeries users who have a valid password can log into the server using an ssh client, from anywhere in the local network.
The SSH daemon supports restrictions on QSECOFR (root) and on who can or can't use this service. However, the default configuration file allows root login by this directive:

#PermitRootLogin yes

The default configuration also does not have any AllowUsers, AllowGroups, DenyUsers or DenyGroups. In fact, it does not even contain traces for these directives, leaving the clueless iSeries admin to search unix man pages for information about ssh security.

3. The ssh client can be used to execute system commands.
SSH presents the user with a unix-style console running in PASE that bears little resemblance to the regular 5250 telnet screen. However, many iSeries native commands can be executed by the "system" tool. For example, to create a library just execute:

system "crtlib mylib text('my library')"

4. SSH can be used to access and modify iSeries data.
sftp can retrieve any file ftp can, but it does not convert it from EBCDIC to ASCII. I am sure that a dedicated hacker can write his own conversion program, but it is not really necessary. The qsh, qsh_out and qsh_inout tools mediate between the standard ASCII format used by PASE and EBCDIC. If you "touch" a text file, then do "setccsid" on it to an ASCII codepage, and then use the qshell "db2" utility with redirection to this file, any database can be accessed, dumped to the text file and retrieved by sftp. The same "db2" utility can be used to update, insert and delete data, and to create triggers, stored procedures, views etc.

5. SSH does not respect the Limit Capability attribute of the user profile.
No, it does not.

6. SSH has no registered exit point APIs.
Therefore, your trusted and reliable exit program based security application is simply bypassed when ssh is used.

7. SSH has no integration with iSeries logging and auditing.
It works only with syslog to capture its events, and no events (except for password failure) are logged anywhere in the native iSeries logging and auditing applications.

8. SSH port forwarding may allow unauthorized remote access.
SSH port forwarding and its implications are explained in these articles:

http://www.securityfocus.com/infocus/1816
http://www.informit.com/articles/article.asp?p=471099&rl=1
http://www.informit.com/articles/article.asp?p=602977&rl=1

If you already use ssh in your iSeries shop, or if you plan to use ssh, then plan carefully and be aware of the possible implications.

Shalom Carmel
-------------------
www.hackingiseries.com
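An added example, not part of the post above: a small Python audit that reads an sshd_config the way sshd does (the first occurrence of a keyword wins, and commented-out directives such as the shipped "#PermitRootLogin yes" set nothing) and reports the three configuration points raised in items 2 and 8: root login effectively allowed, no AllowUsers/AllowGroups/DenyUsers/DenyGroups present, and TCP port forwarding left enabled. The two sample configurations and the SSHUSERS group name are constructed; the assumed built-in defaults of "yes" for PermitRootLogin and AllowTcpForwarding match the OpenSSH releases of that era.

```python
import re

# Assumed built-in defaults when a directive is absent or commented out
# (OpenSSH of that era allowed both; treat that as the effective setting).
DEFAULTS = {"permitrootlogin": "yes", "allowtcpforwarding": "yes"}
ACCESS_LISTS = ("allowusers", "allowgroups", "denyusers", "denygroups")

def parse_sshd_config(text):
    """Return {keyword: value} of effective settings.

    sshd honours the FIRST occurrence of a keyword; comment lines such as the
    shipped '#PermitRootLogin yes' set nothing. Keywords are case-insensitive
    and 'Key value' as well as 'Key=value' forms are accepted.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([A-Za-z0-9]+)\s*[=\s]\s*(.+)$", line)
        if m:
            settings.setdefault(m.group(1).lower(), m.group(2).strip())
    return settings

def audit(text):
    """Return a list of findings; an empty list means nothing to report."""
    s = parse_sshd_config(text)
    findings = []
    if s.get("permitrootlogin", DEFAULTS["permitrootlogin"]).lower() == "yes":
        findings.append("PermitRootLogin: root (QSECOFR) login is allowed")
    if not any(k in s for k in ACCESS_LISTS):
        findings.append("AllowUsers/AllowGroups/DenyUsers/DenyGroups: none set, "
                        "every profile with a password may log in")
    if s.get("allowtcpforwarding", DEFAULTS["allowtcpforwarding"]).lower() == "yes":
        findings.append("AllowTcpForwarding: port forwarding is permitted")
    return findings

# Constructed sample resembling the shipped file: everything commented out.
SHIPPED_CONFIG = "#Port 22\n#PermitRootLogin yes\n#AllowTcpForwarding yes\n"
# Constructed hardened sample; the trailing duplicate is ignored by sshd.
HARDENED_CONFIG = (
    "PermitRootLogin no\n"
    "AllowGroups SSHUSERS\n"      # constructed group name
    "AllowTcpForwarding no\n"
    "PermitRootLogin yes\n"       # later occurrence, first one wins
)

if __name__ == "__main__":
    for name, cfg in (("shipped", SHIPPED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or ["no findings"])
```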
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page.