3.7.1P2, PermitRootLogin and PAM with hidden NISplus passwor ds

Edgar, Bob Bob.Edgar at commerzbankib.com
Tue Nov 18 23:47:25 EST 2003

It works for the "yes" case but not for the "without-password" case.
The function that checks (auth_root_allowed(auth_method) is special
cased for "password". The Pam case sends "keyboard-interactive/pam"
which like all other authentication methods except password succeeds.

Here is a patch to make it work for me. Please feel free to criticize
as appropriate.


diff -r -u openssh-3.7.1p2-vanilla/auth.c openssh-3.7.1p2/auth.c
--- openssh-3.7.1p2-vanilla/auth.c      Tue Sep  2 23:32:46 2003
+++ openssh-3.7.1p2/auth.c      Mon Nov 17 20:32:45 2003
@@ -315,7 +315,8 @@
                return 1;
        case PERMIT_NO_PASSWD:
-               if (strcmp(method, "password") != 0)
+               if (strcmp(method, "password") != 0
+                && strcmp(method, "keyboard-interactive/pam") != 0)
                        return 1;
        case PERMIT_FORCED_ONLY:
diff -r -u openssh-3.7.1p2-vanilla/monitor.c openssh-3.7.1p2/monitor.c
--- openssh-3.7.1p2-vanilla/monitor.c   Tue Sep  2 23:32:46 2003
+++ openssh-3.7.1p2/monitor.c   Mon Nov 17 20:32:33 2003
@@ -306,7 +306,7 @@
                                authenticated = 0;
 #ifdef USE_PAM
                        /* PAM needs to perform account checks after auth */
-                       if (options.use_pam) {
+                       if (authenticated && options.use_pam) {
                                Buffer m;

-----Original Message-----
From: Damien Miller [mailto:djm at mindrot.org]
Sent: Dienstag, 18. November 2003 00:50
To: Edgar, Bob
Cc: openssh-unix-dev at mindrot.org
Subject: Re: 3.7.1P2, PermitRootLogin and PAM with hidden NISplus

Edgar, Bob wrote:

> What all of the above means in terms of OpenSSH is that
> PasswordAuthentication will not function and that UsePAM is required.
> While this functions properly for normal users it has one very negative
> security implication with respect to root logins:  PermitRootLogin is
> not respected when UsePAM is in effect. I submit that ignoring the 
> PermitRootLogin directive is counter intuitive and that doing so opens
> a serious security hole for the unwary. As this behavior is documented
> it can be considered a feature but I would like to propose that this
> decision be revisited in light of the above.

What is the problem with PermitRootLogin and UsePAM=yes? It works fine
for me.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: root.patch
Type: application/octet-stream
Size: 847 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20031118/90586e6c/attachment.obj 

More information about the openssh-unix-dev mailing list