[Bug 701] With 'PermitRootPassword without-password' set, root w/pass can still log in using 'keyboard-int/pam'

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Thu Jan 27 14:48:39 EST 2005


http://bugzilla.mindrot.org/show_bug.cgi?id=701
------- Additional Comments From dtucker at zip.com.au  2005-01-27 14:48 -------
(In reply to comment #0)
> Also, the following code in auth-password.c
> 
>  #ifndef HAVE_CYGWIN
>    if (pw && pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
>            ok = 0;
>  #endif
> 
> seems to prevent the auth.c:auth_root_allowed() routine from ever being
> called, meaning that the following log line in auth.c doesn't get called:
> 
>     logit("ROOT LOGIN REFUSED FROM %.200s", get_remote_ipaddr());
> 
> When the code in auth-passwd.c is commented out, auth.c:auth_root_allowed()
> gets run properly.

The problem with changing this is that the "ROOT LOGIN REFUSED" message is only
supposed to appear when root authenticated successfully but was denied by
sshd_config.

To deal with potential information leaks (i.e. bug #971), in the case of an
invalid login, sshd will trash the user's response before handing it back to
PAM, so that PAM behaves the same way for these cases:
 - password wrong
 - password right but denied by sshd_config (PermitRootLogin, AllowUsers, etc.).

Because of this, sshd will never know if the credentials the user supplied are
valid, which means that it can either log *every* attempt or *none*, but it can
no longer log only the ones that were denied by sshd_config.
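An added illustration of the trade-off described above (this is example code, not OpenSSH's source and not part of the bug thread): a C model of the reporter's proposed flow beside the behaviour dtucker describes, with a constructed stand-in for PAM. The names `auth_leaky`, `auth_hardened`, `fake_pam_check`, the enum values and the junk string are assumptions made for the model.

```c
#include <string.h>

/* Simplified stand-in for sshd's PermitRootLogin values (assumption). */
enum { PERMIT_NO = 0, PERMIT_YES = 1, PERMIT_NO_PASSWD = 2 };

struct outcome {
    int authenticated;     /* what sshd reports back to the client */
    const char *log_line;  /* what reaches the auth log; "" when nothing is logged */
};

/* Constructed stand-in for PAM: the only valid password in this model is "s3cret". */
static int fake_pam_check(const char *password) {
    return strcmp(password, "s3cret") == 0;
}

/* Variant A (the reporter's suggestion): hand the real password to PAM, then
 * apply the PermitRootLogin policy and log a refusal when root is denied.
 * The refusal line appears only when the password was correct, so the log
 * (and anything else that differs between the two branches) reveals validity. */
struct outcome auth_leaky(int uid, const char *password, int permit_root_login) {
    struct outcome o = { 0, "" };
    int pam_ok = fake_pam_check(password);
    if (pam_ok && uid == 0 && permit_root_login != PERMIT_YES) {
        o.log_line = "ROOT LOGIN REFUSED";
        return o;
    }
    o.authenticated = pam_ok;
    return o;
}

/* Variant B (what dtucker describes sshd doing): when sshd_config already
 * denies root, trash the response before PAM sees it. PAM then fails exactly
 * as for a wrong password, sshd never learns whether the real password was
 * valid, and there is no "denied by config" case left to log separately. */
struct outcome auth_hardened(int uid, const char *password, int permit_root_login) {
    struct outcome o = { 0, "" };
    const char *junk = "\b\n\r\177INCORRECT";  /* constructed junk value for the model */
    const char *to_pam = password;
    if (uid == 0 && permit_root_login != PERMIT_YES)
        to_pam = junk;
    o.authenticated = fake_pam_check(to_pam);
    return o;
}
```

Comparing the two functions on root with a correct versus an incorrect password shows why variant B cannot emit the per-policy "ROOT LOGIN REFUSED" line: both inputs produce identical outcomes.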
