PermitRootLogin=forced-commands-only does not work with UsePrivilegeSeparation=yes

Rodolfo Cossalter rcoss at dm.uba.ar
Tue Aug 13 08:58:57 EST 2002


Using openssh-3.4p1 on Linux I noticed that PermitRootLogin=forced-commands-only
does not work if UsePrivilegeSeparation is enabled; but it does work if privsep
is disabled.
Here are excerpts of debug from the server.

-----------UsePrivilegeSeparation DISABLED-------
...
Found matching DSA key: 56:9d:72:b0:4f:67:2e:ed:06:e7:41:03:e2:86:52:0d
debug1: restore_uid
debug1: ssh_dss_verify: signature correct
(*) debug2: userauth_pubkey: authenticated 1 pkalg ssh-dss
(*) Root login accepted for forced command.
debug2: pam_acct_mgmt() = 0
Accepted publickey for root from xx.xx.xx.xx port 1091 ssh2
debug1: Entering interactive session for SSH2.
debug1: fd 5 setting O_NONBLOCK
debug1: fd 9 setting O_NONBLOCK
debug1: server_init_dispatch_20
debug1: server_input_channel_open: ctype session rchan 0 win 131072 max 32768
debug1: input_session_request
debug1: channel 0: new [server-session]
debug1: session_new: init
debug1: session_new: session 0
debug1: session_open: channel 0
debug1: session_open: session 0: link with channel 0
debug1: server_input_channel_open: confirm session
debug1: server_input_channel_req: channel 0 request shell reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req shell
debug1: Forced command '/etc/zzzz'
debug1: PAM establishing creds
...
----------------------------------

-----------UsePrivilegeSeparation ENABLED-------
...
Found matching DSA key: 56:9d:72:b0:4f:67:2e:ed:06:e7:41:03:e2:86:52:0d
debug1: restore_uid
debug3: mm_answer_keyallowed: key 0x8112760 is allowed
debug3: mm_append_debug: Appending debug messages for child
debug3: mm_request_send entering: type 21
debug3: mm_request_receive entering
debug3: mm_send_debug: Sending debug: Forced command: /etc/zzzz
debug3: mm_key_verify entering
debug3: mm_request_send entering: type 22
debug3: monitor_read: checking request 22
debug3: mm_key_verify: waiting for MONITOR_ANS_KEYVERIFY
debug3: mm_request_receive_expect entering: type 23
debug3: mm_request_receive entering
debug1: ssh_dss_verify: signature correct
debug3: mm_answer_keyverify: key 0x8113808 signature verified
debug3: mm_request_send entering: type 23
(*) Root login accepted for forced command.
(*) debug2: userauth_pubkey: authenticated 1 pkalg ssh-dss
ROOT LOGIN REFUSED FROM xx.xx.xx.xx
Failed publickey for root from xx.xx.xx.xx port 1094 ssh2
debug2: pam_acct_mgmt() = 0
Accepted publickey for root from xx.xx.xx.xx port 1094 ssh2
debug1: monitor_child_preauth: root has been authenticated by privileged process
debug3: mm_get_keystate: Waiting for new keys
debug3: mm_request_receive_expect entering: type 24
debug3: mm_request_receive entering
debug1: userauth-request for user root service ssh-connection method password
debug1: attempt 3 failures 2
debug2: input_userauth_request: try method password
debug3: mm_auth_password entering
debug3: mm_request_send entering: type 10
debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
debug3: mm_request_receive_expect entering: type 11
debug3: mm_request_receive entering
mm_request_receive_expect: read: rtype 10 != type 24
debug1: Calling cleanup 0x8052c70(0x0)
debug1: Calling cleanup 0x80697a8(0x0)
debug1: Calling cleanup 0x80697a8(0x0)

-----------------

Notice the swapping of lines marked (*).

Any ideas?

Rodolfo Cossalter
Universidad de Buenos Aires
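The privsep-enabled excerpt above is notable for a defender because the same connection receives contradictory verdicts: "ROOT LOGIN REFUSED" and "Failed publickey" are logged, and a few lines later "Accepted publickey" appears for the same root/host/port. The following Python script is an added example, not part of the original post or of OpenSSH; it parses sshd "Accepted"/"Failed" decision lines, groups them per connection, and flags any connection that was both refused and accepted. The embedded log is a constructed sample modelled on the post's excerpt, with the placeholder address 192.0.2.10 standing in for xx.xx.xx.xx.

```python
import re

# Constructed sample, modelled on the privsep-enabled debug log quoted in the post.
# The address is a documentation placeholder; the port is the one shown in the post.
SAMPLE_LOG = """\
debug1: ssh_dss_verify: signature correct
Root login accepted for forced command.
debug2: userauth_pubkey: authenticated 1 pkalg ssh-dss
ROOT LOGIN REFUSED FROM 192.0.2.10
Failed publickey for root from 192.0.2.10 port 1094 ssh2
debug2: pam_acct_mgmt() = 0
Accepted publickey for root from 192.0.2.10 port 1094 ssh2
"""

# Matches sshd's per-attempt decision lines, e.g.
# "Accepted publickey for root from 192.0.2.10 port 1094 ssh2"
DECISION_RE = re.compile(
    r"^(?P<verdict>Accepted|Failed) (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<host>\S+) port (?P<port>\d+)"
)


def parse_decisions(log_text):
    """Return the auth decisions in log order as
    (verdict, method, user, host, port) tuples; other lines are ignored."""
    decisions = []
    for line in log_text.splitlines():
        m = DECISION_RE.match(line.strip())
        if m:
            decisions.append(
                (m["verdict"], m["method"], m["user"], m["host"], int(m["port"]))
            )
    return decisions


def find_contradictions(log_text):
    """Group decisions by (user, host, port, method) and return only the
    connections that received both a Failed and an Accepted verdict."""
    by_conn = {}
    for verdict, method, user, host, port in parse_decisions(log_text):
        by_conn.setdefault((user, host, port, method), []).append(verdict)
    return {
        conn: verdicts
        for conn, verdicts in by_conn.items()
        if "Failed" in verdicts and "Accepted" in verdicts
    }


def refused_then_accepted(log_text):
    """True when a 'ROOT LOGIN REFUSED' line is later followed by an
    'Accepted ... for root ...' line, the ordering seen in the post."""
    refused_seen = False
    for line in log_text.splitlines():
        if line.startswith("ROOT LOGIN REFUSED"):
            refused_seen = True
        elif refused_seen and line.startswith("Accepted") and " for root " in line:
            return True
    return False


if __name__ == "__main__":
    for conn, verdicts in find_contradictions(SAMPLE_LOG).items():
        user, host, port, method = conn
        print(f"contradictory verdicts for {user}@{host}:{port} via {method}: {verdicts}")
    print("refused-then-accepted ordering present:", refused_then_accepted(SAMPLE_LOG))
```

Run against a real sshd log (feed the file contents to find_contradictions), a non-empty result means the server logged an authentication refusal and an acceptance for the same attempt, which is exactly the inconsistency worth alerting on regardless of which sshd version produced it.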



More information about the openssh-unix-dev mailing list