3.7.1P2, PermitRootLogin and PAM with hidden NISplus passwor ds

Edgar, Bob Bob.Edgar at commerzbankib.com
Wed Nov 19 04:11:02 EST 2003

In principal, yes, but there are two points to consider.

One is that the behavior of SSH changed from 3.5 (3.6?) to 3.7. It is not
possible to implement to old behavior without adding a new PAM module and
changing the PAM configuration at least on Solaris systems. It should also
be noted that the same design change breaks connectivity with older versions
of ssh.com client which don't support challenge-response. Remember too that
I don't have an alternative to using PAM, the protected password fields in
NIS+ (a good thing IMHO) require it.

The second is that (at least to my knowledge) other programs like telnet,
ftp and login do not rely upon the PAM stack for this purpose but have their
own option to permit or forbid root access. This is still the behavior when
SSH does it's password auth.

Here again is the situation:
UsePAM yes is incompatible with PasswordAuthentication.
Currently "UsePAM yes" enabled has "PermitRootLogin yes" exhibiting the
same behavior as "PermitRootLogin without-password" (what the PAM stack
allows is ok).

The change I submitted modifies the behavior for "PAM yes" and
"PermitRootLogin without-password" to allow the administrator to block root
access via PAM. The "PermitRootLogin yes" still follows the decision made
by the PAM stack and thus allows for fancy authentication thingies.

This change allows older configurations to continue to work without
modification to the PAM config or additional modules without removing any
functionality or control in the current implementation.

If someone can provide a better fix for the problem described I'd be more
than happy to adopt it. In the mean time, thanks for your time and comments.


-----Original Message-----
From: Markus Friedl [mailto:markus at openbsd.org]
Sent: Dienstag, 18. November 2003 17:16
To: Darren Tucker
Cc: Edgar, Bob; openssh-unix-dev at mindrot.org
Subject: Re: 3.7.1P2, PermitRootLogin and PAM with hidden NISplus
passwor ds

On Wed, Nov 19, 2003 at 01:09:18AM +1100, Darren Tucker wrote:
> "Edgar, Bob" wrote:
> > 
> > It works for the "yes" case but not for the "without-password" case.
> > The function that checks (auth_root_allowed(auth_method) is special
> > cased for "password". The Pam case sends "keyboard-interactive/pam"
> > which like all other authentication methods except password succeeds.
> > 
> > Here is a patch to make it work for me. Please feel free to criticize
> > as appropriate.
> [snip patch]
> The catch is PAM might not use any kind of password, it might use a
> super-secure two-factor authentication or something.  In that case,
> "without-password" would be misleading.
> Maybe we need a more general "AllowedRootAuthMethods" option?  Maybe not. 
> Perhaps "PermitRootLogin pubkey-only"?

IMHO it's PAM's job to control access if PAM is used.

More information about the openssh-unix-dev mailing list