[Bug 486] New: "PermitRootLogin no" can implicitly reveal root password
Frank Cusack
fcusack at fcusack.com
Sun Feb 23 12:33:29 EST 2003
Can someone (Markus?) point me to the change which fixes this? Is
there a publicly available mailing list archive where CVS logs
can be found?
thx
/fc
On Fri, Feb 07, 2003 at 02:46:19AM +1100, bugzilla-daemon at mindrot.org wrote:
> http://bugzilla.mindrot.org/show_bug.cgi?id=486
>
> Summary: "PermitRootLogin no" can implicitly reveal root password
> Product: Portable OpenSSH
> Version: 3.5p1
> Platform: All
> OS/Version: Linux
> Status: NEW
> Severity: security
> Priority: P2
> Component: sshd
> AssignedTo: openssh-unix-dev at mindrot.org
> ReportedBy: blizzy at blizzy.de
>
>
> With 3.5p1, when setting "PermitRootLogin no" in /etc/ssh/sshd_config, logging
> in as root is disabled, of course.
>
> However, when entering the correct password, ssh prints "Connection reset by
> peer" and exits immediately. When entering the wrong password, it will prompt
> you again.
>
> I think this qualifies as a security hole, since you can use brute-force tools
> to try to login as root. Of course you need to have/hack another account to
> actually have the possibility to become root (via su or other means), but at
> least you know the password.
>
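A constructed model of the two authentication orderings the report contrasts, added here as an example and not OpenSSH's code: the password secret, the outcome names and the `auth_*` functions are all assumptions for the demonstration. The leaky variant verifies the password first and applies the PermitRootLogin policy afterwards, so the two failure paths are distinguishable; the fixed variant folds the policy into the result so a denied account is re-prompted either way.

```c
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of the behaviour described in bug 486; not sshd code. */

enum outcome { PROMPT_AGAIN, DISCONNECT, LOGIN_OK };

static const char *ROOT_PASSWORD = "hunter2";  /* constructed secret for the demo */
static bool permit_root_login = false;         /* models "PermitRootLogin no" */

static bool password_matches(const char *user, const char *pw) {
    return strcmp(user, "root") == 0 && strcmp(pw, ROOT_PASSWORD) == 0;
}

/* Leaky ordering: password verified first, policy applied only on success.
 * A correct guess drops the connection, a wrong guess re-prompts, so the
 * observable difference reveals whether the root password was right. */
enum outcome auth_leaky(const char *user, const char *pw) {
    if (!password_matches(user, pw))
        return PROMPT_AGAIN;
    if (strcmp(user, "root") == 0 && !permit_root_login)
        return DISCONNECT;
    return LOGIN_OK;
}

/* Fixed ordering: the policy is part of the authentication result. The
 * password is still evaluated (same work either way), but a denied account
 * always gets the same re-prompt, whether or not the password matched. */
enum outcome auth_fixed(const char *user, const char *pw) {
    bool allowed = permit_root_login || strcmp(user, "root") != 0;
    bool ok = password_matches(user, pw);
    if (!(allowed && ok))
        return PROMPT_AGAIN;
    return LOGIN_OK;
}

/* True if right and wrong root passwords produce different responses. */
bool leaks_password(enum outcome (*auth)(const char *, const char *)) {
    return auth("root", ROOT_PASSWORD) != auth("root", "wrong-guess");
}

int main(void) {
    printf("leaky: %s\n", leaks_password(auth_leaky) ? "oracle present" : "no oracle");
    printf("fixed: %s\n", leaks_password(auth_fixed) ? "oracle present" : "no oracle");
    return 0;
}
```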