3.7.1P2, PermitRootLogin and PAM with hidden NISplus passwor ds

[Dan Yefimov]

On Tue, 18 Nov 2003, Edgar, Bob wrote:

> First: yes, the patch disables root login for all PAM. But that's ok.
> Why? If "PermitRootLogin yes" is set then the behavior is as before. The
> patch gives an admin the choice to block all PAM/root logins (which are
> typically normal, plain vanilla, password logins). If more flexibility is
> required then the "yes" value will allow the PAM stack to decide.
> 
> The PAM solution is clearly an option (thanks!) but not here (and I suspect
> many other sites as well). We have several hundred servers that would need
> to have a change to the PAM configuration. Sun doesn't supply a PAM module
> that supports the functionality required (at least, none that I am aware of)
> which means finding one or building one in-house. This option brings with it
> the usual risks with any development and is for that reason not attractive.
> 
> Darren Tucker's comment about being misleading is, of course, true but I
> find
> the current state misleading as well but more dangerous. The system admin
> has
> configured the system and thinks that root logins with password are disabled
> but in fact they are not. Yes, as I acknowledged in my first post, it is
> documented so it is technically not a bug but this is the real world and I
> think the least surprises rule should apply here.
> 
The current state is in no case misleading. As it was already meantioned by 
Damien Miller, 'PermitRootLogin no' setting is honoured. 'PermitRootLogin 
without-password' disables password authentication as such for root. But PAM is 
used only if challenge-response authentication is enabled. And it is 
'PermitRootLogin without-password' disabling challenge-response authentication 
that is misleading. 'PermitRootLogin pubkey-only' or AllowedRootAuthMethods 
options suggested by Darren Tucker would be the more appropriate general 
solutions here.
-- 

    Sincerely Your, Dan.