3.7.1P2, PermitRootLogin and PAM with hidden NISplus passwords
Dan Yefimov
dan at D00M.integrate.com.ru
Wed Nov 19 01:46:08 EST 2003
On Tue, 18 Nov 2003, Edgar, Bob wrote:
> It works for the "yes" case but not for the "without-password" case.
> The function that checks (auth_root_allowed(auth_method)) is special-cased
> for "password". The PAM case sends "keyboard-interactive/pam", which, like
> all other authentication methods except password, succeeds.
>
> Here is a patch to make it work for me. Please feel free to criticize
> as appropriate.
>
This patch will actually disable ANY type of root authentication made with PAM,
regardless of whether it is password-based or something else. Instead of
patching OpenSSH you could configure PAM with a line as follows (true at least for
Linux-PAM):
auth required pam_listfile.so item=user sense=deny file=/etc/ssh/denyusers
This line should be inserted before the reference to any other module of type 'auth'
that performs actual authentication. The file /etc/ssh/denyusers should contain
only one line, containing 'root'. For other platforms using PAM, another module
providing similar functionality could be used.
> bob
>
> diff -r -u openssh-3.7.1p2-vanilla/auth.c openssh-3.7.1p2/auth.c
> --- openssh-3.7.1p2-vanilla/auth.c Tue Sep 2 23:32:46 2003
> +++ openssh-3.7.1p2/auth.c Mon Nov 17 20:32:45 2003
> @@ -315,7 +315,8 @@
> return 1;
> break;
> case PERMIT_NO_PASSWD:
> - if (strcmp(method, "password") != 0)
> + if (strcmp(method, "password") != 0
> + && strcmp(method, "keyboard-interactive/pam") != 0)
> return 1;
> break;
> case PERMIT_FORCED_ONLY:
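Review bot: the added `&& strcmp(method, "keyboard-interactive/pam") != 0` test in the PERMIT_NO_PASSWD case makes "without-password" refuse root for every authentication that PAM performs through keyboard-interactive, not only password checks, since auth_root_allowed() only sees the method name and not what the PAM stack actually verified. If rejecting all PAM-based root logins under this setting is the intent, the description should say so; otherwise a restriction on which users PAM may authenticate belongs in the PAM configuration rather than in this string comparison.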
> diff -r -u openssh-3.7.1p2-vanilla/monitor.c openssh-3.7.1p2/monitor.c
> --- openssh-3.7.1p2-vanilla/monitor.c Tue Sep 2 23:32:46 2003
> +++ openssh-3.7.1p2/monitor.c Mon Nov 17 20:32:33 2003
> @@ -306,7 +306,7 @@
> authenticated = 0;
> #ifdef USE_PAM
> /* PAM needs to perform account checks after auth */
> - if (options.use_pam) {
> + if (authenticated && options.use_pam) {
> Buffer m;
>
> buffer_init(&m);
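Review bot: the cover note only explains the auth.c change, so the reason for gating the PAM account check on `authenticated` in monitor.c is undocumented; please add it to the description. Note also that the hunk's own leading context is `authenticated = 0;`, so whether `authenticated` can be non-zero when `if (authenticated && options.use_pam)` is reached depends on code outside the hunk; if it cannot, the block (and the account stage the comment `/* PAM needs to perform account checks after auth */` refers to) is silently skipped.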
>
>
>
> -----Original Message-----
> From: Damien Miller [mailto:djm at mindrot.org]
> Sent: Tuesday, 18 November 2003 00:50
> To: Edgar, Bob
> Cc: openssh-unix-dev at mindrot.org
> Subject: Re: 3.7.1P2, PermitRootLogin and PAM with hidden NISplus
> passwords
>
>
> Edgar, Bob wrote:
>
> > What all of the above means in terms of OpenSSH is that
> > PasswordAuthentication will not function and that UsePAM is required.
> > While this functions properly for normal users it has one very negative
> > security implication with respect to root logins: PermitRootLogin is
> > not respected when UsePAM is in effect. I submit that ignoring the
> > PermitRootLogin directive is counterintuitive and that doing so opens
> > a serious security hole for the unwary. As this behavior is documented
> > it can be considered a feature but I would like to propose that this
> > decision be revisited in light of the above.
>
> What is the problem with PermitRootLogin and UsePAM=yes? It works fine
> for me.
>
--
Sincerely Yours, Dan.
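As an added example (not from this thread), a small check of the mitigation described in the reply above, written in Python: it parses a PAM service file and reports whether a pam_listfile deny entry for root precedes every 'auth' module that actually authenticates. Which modules count as non-authenticating, and the sample stacks, are assumptions of the example.

```python
import re

# Added example: verifies that a Linux-PAM service file applies the pam_listfile
# deny rule for root before any 'auth' module that actually authenticates, and
# that the deny file names root. This module set is an assumption of the example.
NON_AUTHENTICATING = {"pam_env.so", "pam_nologin.so"}

# type, control ([bracketed] or single word), module, optional arguments
PAM_LINE = re.compile(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)(.*)")


def parse_pam_line(line):
    """Return (type, control, module, {arg: value}) or None for blank/comment lines."""
    text = line.split("#", 1)[0].strip()
    if not text:
        return None
    if text.startswith("@include"):            # pulls in a whole stack: treat as auth
        return ("auth", "include", text.split(None, 1)[-1], {})
    m = PAM_LINE.match(text)
    if not m:
        return None
    mtype, control, module, argstr = m.groups()
    args = {}
    for tok in argstr.split():
        key, _, value = tok.partition("=")
        args[key] = value or True
    return (mtype.lower(), control.lower(), module, args)


def root_denied_before_auth(pam_text, deny_file_text):
    """True only if a required/requisite pam_listfile user-deny entry precedes every
    authenticating 'auth' entry and the deny file contents list root."""
    for entry in map(parse_pam_line, pam_text.splitlines()):
        if entry is None or entry[0] != "auth":
            continue
        _, control, module, args = entry
        if (module == "pam_listfile.so" and args.get("item") == "user"
                and args.get("sense") == "deny"):
            return (control in ("required", "requisite")
                    and "root" in deny_file_text.split())
        if module not in NON_AUTHENTICATING:
            return False                        # something authenticates first
    return False                                # no deny entry at all


# Constructed sample stacks for /etc/pam.d/sshd (not real system files)
GOOD_SSHD = """auth required pam_env.so
auth required pam_listfile.so item=user sense=deny file=/etc/ssh/denyusers
auth required pam_unix.so
account required pam_unix.so
"""
BAD_SSHD = GOOD_SSHD.replace("pam_env.so", "pam_unix.so")   # pam_unix runs first
```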