3.7.1P2, PermitRootLogin and PAM with hidden NISplus passwor ds

Edgar, Bob Bob.Edgar at commerzbankib.com
Wed Nov 19 02:24:02 EST 2003 

First: yes, the patch disables root login for all PAM. But that's ok.
Why? If "PermitRootLogin yes" is set then the behavior is as before. The
patch gives an admin the choice to block all PAM/root logins (which are
typically normal, plain vanilla, password logins). If more flexibility is
required then the "yes" value will allow the PAM stack to decide.

The PAM solution is clearly an option (thanks!) but not here (and I suspect
many other sites as well). We have several hundred servers that would need
to have a change to the PAM configuration. Sun doesn't supply a PAM module
that supports the functionality required (at least, none that I am aware of)
which means finding one or building one in-house. This option brings with it
the usual risks with any development and is for that reason not attractive.

Darren Tucker's comment about being misleading is, of course, true but I
find
the current state misleading as well but more dangerous. The system admin
has
configured the system and thinks that root logins with password are disabled
but in fact they are not. Yes, as I acknowledged in my first post, it is
documented so it is technically not a bug but this is the real world and I
think the least surprises rule should apply here.

bob

-----Original Message-----
From: Dan Yefimov [mailto:dan at D00M.integrate.com.ru]
Sent: Dienstag, 18. November 2003 15:46
To: Edgar, Bob
Cc: openssh-unix-dev at mindrot.org
Subject: RE: 3.7.1P2, PermitRootLogin and PAM with hidden NISplus
passwor ds


On Tue, 18 Nov 2003, Edgar, Bob wrote:

> It works for the "yes" case but not for the "without-password" case.
> The function that checks (auth_root_allowed(auth_method) is special
> cased for "password". The Pam case sends "keyboard-interactive/pam"
> which like all other authentication methods except password succeeds.
> 
> Here is a patch to make it work for me. Please feel free to criticize
> as appropriate.
> 
This patch will actually disable ANY type of root authentication made with
PAM, 
regardless of whether it is a password-based or something other. Instead of 
patching OpenSSH you could configure PAM with line as follows (true at least
for 
Linux-PAM):

auth required pam_listfile.so item=user sense=deny file=/etc/ssh/denyusers

This line should be inserted before reference to any other module of type
'auth' 
that performs actual authentication. The file /etc/ssh/denyusers should
contain 
the only line containing 'root'. For other platforms using PAM other module 
providing the like functionality could be used.

> bob
> 
> diff -r -u openssh-3.7.1p2-vanilla/auth.c openssh-3.7.1p2/auth.c
> --- openssh-3.7.1p2-vanilla/auth.c      Tue Sep  2 23:32:46 2003
> +++ openssh-3.7.1p2/auth.c      Mon Nov 17 20:32:45 2003
> @@ -315,7 +315,8 @@
>                 return 1;
>                 break;
>         case PERMIT_NO_PASSWD:
> -               if (strcmp(method, "password") != 0)
> +               if (strcmp(method, "password") != 0
> +                && strcmp(method, "keyboard-interactive/pam") != 0)
>                         return 1;
>                 break;
>         case PERMIT_FORCED_ONLY:
> diff -r -u openssh-3.7.1p2-vanilla/monitor.c openssh-3.7.1p2/monitor.c
> --- openssh-3.7.1p2-vanilla/monitor.c   Tue Sep  2 23:32:46 2003
> +++ openssh-3.7.1p2/monitor.c   Mon Nov 17 20:32:33 2003
> @@ -306,7 +306,7 @@
>                                 authenticated = 0;
>  #ifdef USE_PAM
>                         /* PAM needs to perform account checks after auth
*/
> -                       if (options.use_pam) {
> +                       if (authenticated && options.use_pam) {
>                                 Buffer m;
>  
>                                 buffer_init(&m);
> 
> 
> 
> -----Original Message-----
> From: Damien Miller [mailto:djm at mindrot.org]
> Sent: Dienstag, 18. November 2003 00:50
> To: Edgar, Bob
> Cc: openssh-unix-dev at mindrot.org
> Subject: Re: 3.7.1P2, PermitRootLogin and PAM with hidden NISplus
> passwords
> 
> 
> Edgar, Bob wrote:
> 
> > What all of the above means in terms of OpenSSH is that
> > PasswordAuthentication will not function and that UsePAM is required.
> > While this functions properly for normal users it has one very negative
> > security implication with respect to root logins:  PermitRootLogin is
> > not respected when UsePAM is in effect. I submit that ignoring the 
> > PermitRootLogin directive is counter intuitive and that doing so opens
> > a serious security hole for the unwary. As this behavior is documented
> > it can be considered a feature but I would like to propose that this
> > decision be revisited in light of the above.
> 
> What is the problem with PermitRootLogin and UsePAM=yes? It works fine
> for me.
> 
-- 

    Sincerely Your, Dan.

More information about the openssh-unix-dev mailing list