[Bug 701] With 'PermitRootPassword without-password' set, root w/pass can still log in using 'keyboard-int/pam'
bugzilla-daemon at mindrot.org
Thu Jan 27 14:48:39 EST 2005
http://bugzilla.mindrot.org/show_bug.cgi?id=701
------- Additional Comments From dtucker at zip.com.au 2005-01-27 14:48 -------
(In reply to comment #0)
> Also, the following code in auth-password.c
>
> #ifndef HAVE_CYGWIN
> if (pw && pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
> ok = 0;
> #endif
>
> seems to prevent the auth.c:auth_root_allowed() routine from ever being
> called, meaning that the following log line in auth.c doesn't get called:
>
> logit("ROOT LOGIN REFUSED FROM %.200s", get_remote_ipaddr());
>
> When the code in auth-passwd.c is commented out, auth.c:auth_root_allowed()
> gets run properly.
The problem with changing this is that the "ROOT LOGIN REFUSED" message is only
supposed to appear when root authenticated successfully but was denied by
sshd_config.
To deal with potential information leaks (i.e. bug #971), in the case of an
invalid login, sshd will trash the user's response before handing it back to
PAM, so that PAM behaves the same way for these cases:
- password wrong
- password right but denied by sshd_config (PermitRootLogin, AllowUsers etc.).
Because of this, sshd will never know if the credentials the user supplied are
valid, which means that it can either log *every* attempt or *none*, but it can
no longer log only the ones that were denied by sshd_config.
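Added example (not OpenSSH code, not part of the bug thread): a toy model of the behaviour dtucker describes. backend_check() stands in for PAM. A naive front end returns as soon as sshd_config denies the login, so the backend never runs; the hardened front end instead replaces the client's response with a fixed junk string and still calls the backend, so "wrong password" and "right password, refused by sshd_config" look the same to PAM and to the client, at the cost that sshd can no longer tell the two apart for logging. The user table, the junk string and every helper name here are assumptions made for the demo.

```c
/*
 * Added example, not OpenSSH code. Toy model of the "trash the response
 * before PAM sees it" behaviour: the user table, JUNK_RESPONSE and all
 * helper names are assumptions made for this demo.
 */
#include <stdio.h>
#include <string.h>

enum { PERMIT_NO = 0, PERMIT_WITHOUT_PASSWORD = 1, PERMIT_YES = 2 };

/* Constructed user database; uid 0 is root. */
struct demo_user { const char *name; int uid; const char *password; };
static const struct demo_user users[] = {
    { "root",  0,    "r00tpw"  },
    { "alice", 1000, "hunter2" },
};

/* Placeholder for the junk handed to PAM on a denied login (assumption). */
#define JUNK_RESPONSE "\b\n\r\177INCORRECT"

/* How often the backend has been consulted. Whether the backend ran at all
 * is observable (timing, PAM logs, lockout counters), which is why the
 * hardened path always runs it. */
static int backend_calls;
int backend_reset(void)      { backend_calls = 0; return backend_calls; }
int backend_call_count(void) { return backend_calls; }

static const struct demo_user *lookup(const char *name)
{
    for (size_t i = 0; i < sizeof users / sizeof users[0]; i++)
        if (strcmp(users[i].name, name) == 0)
            return &users[i];
    return NULL;
}

/* Stand-in for PAM: 1 if the response is the user's password, else 0. */
static int backend_check(const char *name, const char *response)
{
    const struct demo_user *u = lookup(name);
    backend_calls++;
    return u != NULL && strcmp(u->password, response) == 0;
}

/* The sshd_config decision: root may authenticate with a password only
 * when PermitRootLogin is yes; unknown users are never allowed. */
static int config_allows(int permit_root_login, const struct demo_user *u)
{
    if (u == NULL)
        return 0;
    if (u->uid == 0 && permit_root_login != PERMIT_YES)
        return 0;
    return 1;
}

/* Naive variant: a config denial returns before the backend is consulted,
 * so the code path differs from a wrong password and leaks that fact. */
int naive_auth(int permit_root_login, const char *name, const char *response)
{
    const struct demo_user *u = lookup(name);
    if (!config_allows(permit_root_login, u))
        return 0;
    return backend_check(name, response);
}

/* Variant modelled on the comment: a config denial trashes the response
 * and still calls the backend. The backend behaves exactly as for a wrong
 * password, and this function never learns whether the real response was
 * valid, so it can log every denied attempt or none, but never only the
 * "right password, refused by sshd_config" ones. */
int hardened_auth(int permit_root_login, const char *name, const char *response)
{
    const struct demo_user *u = lookup(name);
    const char *to_backend = response;

    if (!config_allows(permit_root_login, u))
        to_backend = JUNK_RESPONSE;   /* validity of 'response' is now unknowable */
    return backend_check(name, to_backend);
}

int main(void)
{
    int r;

    /* PermitRootLogin without-password: root's correct password must fail. */
    backend_reset();
    r = naive_auth(PERMIT_WITHOUT_PASSWORD, "root", "r00tpw");
    printf("naive    root/correct -> %d, backend calls so far: %d\n", r, backend_call_count());
    r = hardened_auth(PERMIT_WITHOUT_PASSWORD, "root", "r00tpw");
    printf("hardened root/correct -> %d, backend calls so far: %d\n", r, backend_call_count());
    r = hardened_auth(PERMIT_WITHOUT_PASSWORD, "root", "nope");
    printf("hardened root/wrong   -> %d, backend calls so far: %d\n", r, backend_call_count());
    r = hardened_auth(PERMIT_YES, "root", "r00tpw");
    printf("hardened root/correct, PermitRootLogin yes -> %d\n", r);
    return 0;
}
```

The difference to watch in the output is the backend call counter: with the naive front end the denied root attempt never reaches the backend, with the hardened one every attempt does, and the return value is 0 either way for the denied cases.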