3.7.1P2, PermitRootLogin and PAM with hidden NISplus passwords

Dan Yefimov dan at D00M.integrate.com.ru
Wed Nov 19 02:54:41 EST 2003

On Tue, 18 Nov 2003, Edgar, Bob wrote:

> First: yes, the patch disables root login for all PAM. But that's ok.
> Why? If "PermitRootLogin yes" is set then the behavior is as before. The
> patch gives an admin the choice to block all PAM/root logins (which are
> typically normal, plain vanilla, password logins). If more flexibility is
> required then the "yes" value will allow the PAM stack to decide.
> The PAM solution is clearly an option (thanks!) but not here (and I suspect
> many other sites as well). We have several hundred servers that would need
> to have a change to the PAM configuration. Sun doesn't supply a PAM module
> that supports the functionality required (at least, none that I am aware of)
> which means finding one or building one in-house. This option brings with it
> the usual risks with any development and is for that reason not attractive.
> Darren Tucker's comment about being misleading is, of course, true but I find
> the current state misleading as well but more dangerous. The system admin has
> configured the system and thinks that root logins with password are disabled
> but in fact they are not. Yes, as I acknowledged in my first post, it is
> documented so it is technically not a bug but this is the real world and I
> think the least surprises rule should apply here.
The current state is in no case misleading. As it was already mentioned by 
Damien Miller, the 'PermitRootLogin no' setting is honoured. 'PermitRootLogin 
without-password' disables password authentication as such for root. But PAM is 
used only if challenge-response authentication is enabled. And it is 
'PermitRootLogin without-password' disabling challenge-response authentication 
that is misleading. 'PermitRootLogin pubkey-only' or AllowedRootAuthMethods 
options suggested by Darren Tucker would be the more appropriate general 
solutions here.

    Sincerely Your, Dan.
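To check a fleet for the combination discussed in this thread, here is an added shell script (not from the thread or from the OpenSSH project) that reads an sshd_config and reports when PermitRootLogin is set to without-password while PAM is still reachable through challenge-response authentication. The default values it applies to unset keywords (PermitRootLogin yes, ChallengeResponseAuthentication yes, UsePAM no) are assumptions for the 3.7-era defaults, not something the thread states.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the PermitRootLogin/PAM combination
# discussed in the thread. Keyword defaults below are assumptions.

# Effective value of a keyword: sshd uses the first non-comment occurrence,
# so we print that one and fall back to the supplied default.
ssh_opt() {
    # $1 = config file, $2 = keyword, $3 = assumed default
    val=$(awk -v k="$2" 'tolower($1)==tolower(k) {print tolower($2); exit}' "$1")
    [ -n "$val" ] && echo "$val" || echo "$3"
}

# Returns 0 (true) when the admin set 'PermitRootLogin without-password'
# but root password logins can still reach PAM via keyboard-interactive,
# i.e. challenge-response is on and UsePAM is on.
root_pam_exposed() {
    prl=$(ssh_opt "$1" PermitRootLogin yes)
    cra=$(ssh_opt "$1" ChallengeResponseAuthentication yes)
    pam=$(ssh_opt "$1" UsePAM no)
    case "$prl" in
        without-password) ;;          # the setting the thread is about
        *) return 1 ;;                # "yes" is a deliberate choice, "no" is honoured
    esac
    [ "$cra" = yes ] && [ "$pam" = yes ]
}

# Usage: audit.sh [path-to-sshd_config]; silent if the file is unreadable.
cfg=${1:-/etc/ssh/sshd_config}
if [ -r "$cfg" ]; then
    if root_pam_exposed "$cfg"; then
        echo "$cfg: root password logins still reachable through PAM (keyboard-interactive)"
    else
        echo "$cfg: no root password path through PAM"
    fi
fi
```

The fix the thread points at is to turn ChallengeResponseAuthentication off (or use a 'PermitRootLogin no' policy) on every host the script flags.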
