OpenSSH allows guessing of root password?

Markus Friedl markus.friedl at informatik.uni-erlangen.de
Thu Feb 17 22:06:18 EST 2000


On Thu, Feb 17, 2000 at 12:30:31PM +0200, Itamar Shtull-Trauring wrote:
> I set sshd to deny root login.  But I still get a password prompt! So if I
> get the password right, I get one error message:
> 
> 	Received disconnect: ROOT LOGIN REFUSED FROM example.com
> 
> while if I simply put in a wrong password three times I get
> 
> 	Permission denied.
> 
> If this means I set it up wrong please mail me directly - I'm not subscribed
> to the list.  Otherwise please fix this.

could you please try this:

Index: sshd.c
===================================================================
RCS file: /home/markus/cvs/ssh/sshd.c,v
retrieving revision 1.88
diff -u -p -r1.88 sshd.c
--- sshd.c	2000/02/15 16:52:57	1.88
+++ sshd.c	2000/02/17 11:03:08
@@ -1244,14 +1244,6 @@ do_authentication()
 		do_authloop(pw);
 	}
 
-	/* Check if the user is logging in as root and root logins are disallowed. */
-	if (pw->pw_uid == 0 && !options.permit_root_login) {
-		if (forced_command)
-			log("Root login accepted for forced command.");
-		else
-			packet_disconnect("ROOT LOGIN REFUSED FROM %.200s",
-					  get_canonical_hostname());
-	}
 	/* The user has been authenticated and accepted. */
 	packet_start(SSH_SMSG_SUCCESS);
 	packet_send();
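Review bot: with this block gone, do_authentication() no longer enforces permit_root_login itself before SSH_SMSG_SUCCESS is sent; the check now exists only inside do_authloop(), and the closing brace at the top of the hunk shows do_authloop(pw) is called from within a conditional. Confirm that no other branch of that conditional can leave the user authenticated without going through do_authloop(), since a root login on such a path would now be accepted. Removing the packet_disconnect() here is the right fix for the reported oracle: the distinct "ROOT LOGIN REFUSED" disconnect was only ever sent after the password had been verified, so receiving it told the client that the root password was correct.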
@@ -1487,6 +1479,21 @@ do_authloop(struct passwd * pw)
 			 */
 			log("Unknown message during authentication: type %d", type);
 			break;
+		}
+
+		/*
+		 * Check if the user is logging in as root and root logins
+		 * are disallowed.
+		 * Note that root login is allowed for forced commands.
+		 */
+		if (authenticated && pw->pw_uid == 0 && !options.permit_root_login) {
+			if (forced_command) {
+				log("Root login accepted for forced command.");
+			} else {
+				authenticated = 0;
+				log("ROOT LOGIN REFUSED FROM %.200s",
+				    get_canonical_hostname());
+			}
 		}
 
 		/* Raise logging level */
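Review bot: setting `authenticated = 0` for a refused root login keeps the client in the authentication loop with the same response as a wrong password, which is what closes the oracle described in the report; verify that the failure handling that follows (the `/* Raise logging level */` path and the attempt limit that yields "Permission denied" after three wrong passwords) treats a refused root login exactly like a failed password attempt, so that the number of prompts and the final disconnect are indistinguishable in both cases. Note also that the log() message still records in the server log that a correct root password was presented, which is useful to the administrator and worth stating in the commit message.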
