Topic
3 replies Latest Post - ‏2013-09-16T12:20:39Z by Zahni
Zahni
Zahni
16 Posts
ACCEPTED ANSWER

Pinned topic Security problem on Windows with IBM SSH Server

‏2013-09-04T13:51:51Z |

Hi,

I found an unexpected security problem with the IBM SSH Server on Windows  ( DB2 10.5 ).

The problem: The server allows at default all user to connect with full "Windows"- rights. Using WinSCP ( or other tools ),an connected user can manipulate all files on that server. I don't tried to execute malicious programs.

How can we Windows-Admins (and why must be) configure this thing ?   The IBM SSH is mostly undocumented at DB2 10.5 info center.

( meanwhile, If found a way to limit it to local Windows-Admins but, this is not the point)

The "old" admin server (DAS) does a better job at default.

And again: No  Windows Server needs an SSH server. All admin tasks can be executed using Windows RPC calls.

Regards,

Zahni

 

  • LukeNumrych
    LukeNumrych
    88 Posts
    ACCEPTED ANSWER

    Re: Security problem on Windows with IBM SSH Server

    ‏2013-09-12T19:10:00Z  in response to Zahni

    As far as I can tell, IBM Secure Shell Server for Windows (ibmsshd) is based on OpenSSH.  There is a sshd_config config file in C:\ProgramData\IBM\ibmssh\etc\ssh that ought to work like the OpenSSH version of it.  I wrote ought_to, because in the prolog of the file I see this:

    # Current release of IBM Secure Shell Service is configurable 
    # with the following options while the rest are informational only:
    # Configurable options:
    # 1. Port
    # 2. AddressFamily 
    # 3. LogLevel
    # 4. ListenAddress
    # 5. UseDNS
    # 6. LoginGraceTime
    # 7. ClientAliveCountMax
    # 8. ClientAliveInterval
    # 9. Compression

    ...which does not include any options to limit user rights.

    BTW, I agree with you on the SSH requirement in Windows, but this horse is probably quite thoroughly dead, and will not be coming back to life.

  • LukeNumrych
    LukeNumrych
    88 Posts
    ACCEPTED ANSWER

    Re: Security problem on Windows with IBM SSH Server

    ‏2013-09-13T19:27:17Z  in response to Zahni

    Just had to install a 10.1.2 server, and a thought struck me... the ibmsshd service runs by default under Local System.  Maybe running it under a more restricted user would make it possible to limit what can be done with it?  If I have a chance I will test it and post results.

    • Zahni
      Zahni
      16 Posts
      ACCEPTED ANSWER

      Re: Security problem on Windows with IBM SSH Server

      ‏2013-09-16T12:20:39Z  in response to LukeNumrych

      Hi,

      yes, you can  add

      AllowGroups MyDomain\Domain-Admins

      This will limit the access to Domain admins.

      But, I 'am still had a bad feeling about it.  IBMSSH is disabled for now.

      BTW: you need the SSH-Server  from DB2 10.5 for proper data studio functionality.