REQ: Minor change to handling of without-password
Darren Moffat
Darren.Moffat at eng.sun.com
Thu Nov 1 09:16:21 EST 2001
>OpenSSH 2.9p2 behaves differently with 'PermitRootLogin without-password'
>than does SSH 2.2.27 with 'PermitRootLogin nopwd':
>
>nopython.imorgan 153> ssh root at sun523
>root at sun523's password:
>ROOT LOGIN REFUSED FROM nopython.nas.nasa.gov
>
>nopython.imorgan 154> ssh root at sun566
>root at sun566's password:
>Permission denied.
>
>In the case of OpenSSH, you simply get 'Permission denied' which may lead
>some to incorrectly assume that the issue is a mistyped password.
OpenSSH is more secure in its behaviour since it didn't tell you
that the password was correct so it can't be used as a method to
test possible root passwords and then go and use the root password to
get into the host by another means (e.g. on the console).
I guess it could be a config option to say how much information is
given out when a login is refused. If you care, write the patch to make
it configurable and ask for it to be included.
--
Darren J Moffat
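The password-oracle point made in the reply above, as an added illustration that is not code from either OpenSSH or SSH 2.2.27 and not part of the original thread. It is a constructed simulation of an sshd that has been told to refuse root password logins: `leaky_root_login` models the SSH 2.2.27 behaviour quoted in the thread (the password is verified first and the root-login policy is applied only after it matches, so the two refusals read differently), and `uniform_root_login` models the OpenSSH behaviour (policy checked first, every refusal identical). The credential store, salt, password and function names are all assumptions made for the example.

```python
"""Constructed simulation of the two refusal behaviours discussed in the
thread. Not OpenSSH or SSH 2.2.27 code; every name here is an assumption."""
import hashlib
import hmac
from collections import Counter

# Constructed sample credential: salted SHA-256 stands in for whatever the
# real servers would use; the point is only whether the reply leaks a match.
_SALT = b"constructed-salt"
ROOT_PASSWORD_HASH = hashlib.sha256(_SALT + b"correct-horse").hexdigest()


def password_matches(candidate: str) -> bool:
    """Constant-time comparison of a candidate against the stored hash."""
    digest = hashlib.sha256(_SALT + candidate.encode()).hexdigest()
    return hmac.compare_digest(digest, ROOT_PASSWORD_HASH)


def leaky_root_login(candidate: str) -> str:
    """Models the 'PermitRootLogin nopwd' behaviour quoted in the thread:
    the password is checked first, and the root-login policy is enforced
    only once it is correct, so a correct password gets a distinct reply."""
    if not password_matches(candidate):
        return "Permission denied."
    # Password was right; only now is the root policy applied.
    return "ROOT LOGIN REFUSED FROM client.example"


def uniform_root_login(candidate: str) -> str:
    """Models the 'PermitRootLogin without-password' behaviour described
    for OpenSSH: the policy is applied before the password is even looked
    at, so every refusal reads the same and nothing about the password
    is disclosed."""
    root_password_login_permitted = False  # assumed policy setting
    if not root_password_login_permitted:
        return "Permission denied."
    if not password_matches(candidate):
        return "Permission denied."
    return "login ok"


def confirmed_by_oracle(login, candidates):
    """Return the candidates a remote observer could confirm as the real
    root password purely from the server's reply. An empty list means the
    replies carry no signal, which is the property the thread wants."""
    responses = {c: login(c) for c in candidates}
    (common_reply, _), = Counter(responses.values()).most_common(1)
    return [c for c, reply in responses.items() if reply != common_reply]


if __name__ == "__main__":
    guesses = ["password", "letmein", "correct-horse"]
    print("nopwd-style:", confirmed_by_oracle(leaky_root_login, guesses))
    print("without-password-style:",
          confirmed_by_oracle(uniform_root_login, guesses))
```

Run stand-alone, the first line lists `correct-horse` (the differing reply singles it out) and the second lists nothing, which is the whole of Darren's argument: the refusal that does not depend on the password's correctness cannot be used to confirm one.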