OpenSSH allows guessing of root password?
Markus Friedl
markus.friedl at informatik.uni-erlangen.de
Thu Feb 17 22:06:18 EST 2000
On Thu, Feb 17, 2000 at 12:30:31PM +0200, Itamar Shtull-Trauring wrote:
> I set sshd to deny root login. But I still get a password prompt! So if I
> get the password right, I get one error message:
>
> Received disconnect: ROOT LOGIN REFUSED FROM example.com
>
> while if I simply put in a wrong password three times I get
>
> Permission denied.
>
> If this means I set it up wrong please mail me directly - I'm not subscribed
> to the list. Otherwise please fix this.
could you please try this:
Index: sshd.c
===================================================================
RCS file: /home/markus/cvs/ssh/sshd.c,v
retrieving revision 1.88
diff -u -p -r1.88 sshd.c
--- sshd.c 2000/02/15 16:52:57 1.88
+++ sshd.c 2000/02/17 11:03:08
@@ -1244,14 +1244,6 @@ do_authentication()
do_authloop(pw);
}
- /* Check if the user is logging in as root and root logins are disallowed. */
- if (pw->pw_uid == 0 && !options.permit_root_login) {
- if (forced_command)
- log("Root login accepted for forced command.");
- else
- packet_disconnect("ROOT LOGIN REFUSED FROM %.200s",
- get_canonical_hostname());
- }
/* The user has been authenticated and accepted. */
packet_start(SSH_SMSG_SUCCESS);
packet_send();
@@ -1487,6 +1479,21 @@ do_authloop(struct passwd * pw)
*/
log("Unknown message during authentication: type %d", type);
break;
+ }
+
+ /*
+ * Check if the user is logging in as root and root logins
+ * are disallowed.
+ * Note that root login is allowed for forced commands.
+ */
+ if (authenticated && pw->pw_uid == 0 && !options.permit_root_login) {
+ if (forced_command) {
+ log("Root login accepted for forced command.");
+ } else {
+ authenticated = 0;
+ log("ROOT LOGIN REFUSED FROM %.200s",
+ get_canonical_hostname());
+ }
}
/* Raise logging level */
More information about the openssh-unix-dev
mailing list