[Bug 486] New: "PermitRootLogin no" can implicitly reveal root password
bugzilla-daemon at mindrot.org
Fri Feb 7 02:46:19 EST 2003
http://bugzilla.mindrot.org/show_bug.cgi?id=486
Summary: "PermitRootLogin no" can implicitly reveal root password
Product: Portable OpenSSH
Version: 3.5p1
Platform: All
OS/Version: Linux
Status: NEW
Severity: security
Priority: P2
Component: sshd
AssignedTo: openssh-unix-dev at mindrot.org
ReportedBy: blizzy at blizzy.de

With 3.5p1, when setting "PermitRootLogin no" in /etc/ssh/sshd_config, logging
in as root is disabled, of course.

However, when entering the correct password, ssh prints "Connection reset by
peer" and exits immediately. When entering the wrong password, it will prompt
you again.

I think this qualifies as a security hole, since you can use brute-force tools
to try to log in as root. Of course you need to have/hack another account to
actually have the possibility to become root (via su or other means), but at
least you know the password.
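
The difference the report describes, reduced to a small C model as an added example (not OpenSSH code and not part of the report). The function names, the outcome enum and the sample password are constructed for illustration; the second function shows the usual remedy of making a policy refusal look the same as a wrong password.

```c
#include <stdbool.h>
#include <string.h>

/* Outcomes the client can tell apart on the wire. */
enum outcome { AUTH_OK, AUTH_RETRY, AUTH_DISCONNECT };

struct policy { bool permit_root_login; };

/* Constructed stand-in for the real password check (hypothetical). */
static bool password_ok(const char *user, const char *pw) {
    return strcmp(user, "root") == 0 && strcmp(pw, "constructed-secret") == 0;
}

/* Behaviour as reported: the password is verified first, and only a
 * correct root password reaches the policy check that drops the link. */
enum outcome auth_leaky(const struct policy *p, const char *user, const char *pw) {
    if (!password_ok(user, pw))
        return AUTH_RETRY;
    if (strcmp(user, "root") == 0 && !p->permit_root_login)
        return AUTH_DISCONNECT;   /* differs from the wrong-password path */
    return AUTH_OK;
}

/* Hardened form: still run the password check, but fold the policy
 * decision into the result before the client sees anything. */
enum outcome auth_uniform(const struct policy *p, const char *user, const char *pw) {
    bool ok = password_ok(user, pw);
    bool allowed = strcmp(user, "root") != 0 || p->permit_root_login;
    return (ok && allowed) ? AUTH_OK : AUTH_RETRY;
}

/* True when the client-visible outcome depends on the password being right
 * while root login is disabled, i.e. the response acts as a password oracle. */
bool leaks_password(enum outcome (*auth)(const struct policy *, const char *, const char *)) {
    struct policy no_root = { false };
    return auth(&no_root, "root", "constructed-secret") !=
           auth(&no_root, "root", "wrong-guess");
}
```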