PermitRootLogin issues

Darren Tucker dtucker at zip.com.au
Tue Mar 30 12:14:55 EST 2004


Stephen Roylance wrote:
> I'm currently experiencing the issue laid out in this thread from last 
> year:
> http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=106908815129641&w=2
> 
> The discussion that ensued resulted in a number of ideas on how best to 
> 'fix' this issue.  The two that seemed most reasonable were:
> 1. implement a pubkey-only option to PermitRootLogin that would only 
> allow root to login using pubkey authentication.
> 2. implement a more flexible arrangement where a list of allowed 
> authentication methods could be passed to PermitRootLogin.

There is an open bug (#701) for this [1].

> I looked through the code and it seems that both are straightforward to 
> code, but obviously 1 is much less work.  I coded up an implementation of 
> pubkey-only that works for me, and it's attached.  I'm willing to work 
> on option 2, but since that's quite a bit more work, I'd like some 
> assurance that that is the _right_ way before I start on it.

I have just added this to the bug:
[quote]
The current plan is to switch away from the current "without-password" 
to a positive list of allowed methods, e.g.

	PermitRootLogin pubkey,hostbased,keyboard-interactive

and keep "without-password" as an alias for something like
	"pubkey,hostbased"

One thing that isn't clear is whether or not keyboard-interactive should 
specify the specific "devices", eg keyboard-interactive/pam.
[/quote]

Good patches implementing the above are likely to be accepted.

> I think some solution needs to be merged ASAP.  I've seen the 
> recommendation to use without-password if root logins for scripting must 
> be allowed in various security docs.  With more sites using PAM and 
> non-typical authentication methods (LDAP, winbind), it can be a nasty 
> shock (or worse, completely unnoticed) to an administrator when that 
> option doesn't work as they expect.

[1] http://bugzilla.mindrot.org/show_bug.cgi?id=701

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
     Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
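The following is an added example, not code from this thread, from Stephen's attached patch, or from OpenSSH itself. It models the two rule sets under discussion side by side: the then-current `without-password` behaviour, where only the `password` method is refused for root and keyboard-interactive (PAM, LDAP, winbind) still gets through, and the positive method list from the bug 701 plan, with `without-password` kept as an alias for `pubkey,hostbased`. The device-suffix handling (`keyboard-interactive/pam` matching only the PAM device, bare `keyboard-interactive` matching any device), the `_spec_matches` / `audit_sshd_config` names, and the sample sshd_config fragment are assumptions made for this example; the audit reads the `ChallengeResponseAuthentication` directive because that is what enables keyboard-interactive in sshd of that era.

```python
# Added example (not OpenSSH code): models the two PermitRootLogin rule sets
# discussed in the thread and audits an sshd_config fragment for the mismatch
# Stephen describes. Device-suffix semantics and the audit heuristic are
# assumptions made for this example.

KNOWN_METHODS = {"pubkey", "hostbased", "keyboard-interactive", "password"}
# The proposal keeps "without-password" as an alias for roughly this list.
ALIASES = {"without-password": "pubkey,hostbased"}


def parse_permit_root_login(value):
    """Parse a proposed-style PermitRootLogin value.

    Returns "yes", "no", or a set of method specs such as
    {"pubkey", "keyboard-interactive/pam"}. Raises ValueError on junk:
    a typo in this directive must not silently widen root access.
    """
    v = value.strip().lower()
    if v in ("yes", "no"):
        return v
    v = ALIASES.get(v, v)
    specs = set()
    for item in v.split(","):
        item = item.strip()
        if not item:
            continue
        base = item.split("/", 1)[0]
        if base not in KNOWN_METHODS:
            raise ValueError("PermitRootLogin: unknown method %r" % item)
        specs.add(item)
    if not specs:
        raise ValueError("PermitRootLogin: empty method list")
    return specs


def _spec_matches(spec, method, device):
    # Assumption: "keyboard-interactive" matches any device, while
    # "keyboard-interactive/pam" matches only the PAM device.
    base, _, dev = spec.partition("/")
    return base == method and (not dev or dev == device)


def root_allowed_current(value, method, device=None):
    """Behaviour the thread complains about: without-password refuses only
    the "password" method, so keyboard-interactive (PAM, LDAP, ...) still
    lets root in with a password prompt."""
    v = value.strip().lower()
    if v == "yes":
        return True
    if v == "no":
        return False
    if v == "without-password":
        return method != "password"
    raise ValueError("PermitRootLogin: unsupported value %r" % value)


def root_allowed_proposed(value, method, device=None):
    """Positive-list semantics from the plan quoted in the reply."""
    allowed = parse_permit_root_login(value)
    if allowed in ("yes", "no"):
        return allowed == "yes"
    return any(_spec_matches(s, method, device) for s in allowed)


def audit_sshd_config(text):
    """Flag a config that relies on without-password while keyboard-interactive
    authentication is still enabled. Heuristic written for this example."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) == 2:
            opts[parts[0].lower()] = parts[1].strip().lower()
    warnings = []
    if opts.get("permitrootlogin", "yes") == "without-password":
        # ChallengeResponseAuthentication defaulted to yes in sshd of that era.
        if opts.get("challengeresponseauthentication", "yes") != "no":
            warnings.append(
                "PermitRootLogin without-password does not block "
                "keyboard-interactive; root can still log in with a PAM/LDAP "
                "password while ChallengeResponseAuthentication is enabled")
    return warnings


# Constructed sshd_config fragment for this example: an admin who believes
# without-password means "keys only" but has left PAM prompting enabled.
SAMPLE_CONFIG = """\
UsePAM yes
PermitRootLogin without-password
PasswordAuthentication no
ChallengeResponseAuthentication yes
"""

if __name__ == "__main__":
    attempts = [("pubkey", None), ("password", None),
                ("keyboard-interactive", "pam")]
    for method, device in attempts:
        label = method + ("/" + device if device else "")
        print("%-24s current=%-5s proposed=%s" % (
            label,
            root_allowed_current("without-password", method, device),
            root_allowed_proposed("without-password", method, device)))
    for w in audit_sshd_config(SAMPLE_CONFIG):
        print("WARNING:", w)
```

Running the block prints one row per attempt; the `keyboard-interactive/pam` row is the one that differs between the two rule sets, and the audit warning is the check a site running PAM or LDAP would want in its configuration review until the positive-list form lands.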