PermitRootLogin and Tru64 SIA
Chris Adams
cmadams at hiwaay.net
Thu Apr 7 23:00:44 EST 2005
I have "PermitRootLogin no" in my sshd_config, but under Tru64 and SIA,
the root login attempts still get passed to the SIA system (so I get
lots of warnings about failed root logins). On systems with a "max
failed attempts" setting, the root account can be locked out this way.

I started looking at the code, and I'm not sure I understand what I see.
In auth-passwd.c, function auth_password checks permit_root_login, but
it doesn't stop if it fails. It goes on and calls the authentication
function (sys_auth_passwd from auth-sia.c for SIA) but still returns
failure. Why?

Should I just modify auth-sia.c sys_auth_passwd() to check the
permit_root_login option and fail without calling the SIA functions?

Here's a patch that does that:
diff -urN openssh-dist/auth-sia.c openssh/auth-sia.c
--- openssh-dist/auth-sia.c Thu Mar 4 05:59:37 2004
+++ openssh/auth-sia.c Thu Apr 7 07:52:13 2005
@@ -53,6 +53,9 @@
SIAENTITY *ent = NULL;
const char *host;
+ if (! auth_root_allowed ("password"))
+ return (0);
+
host = get_canonical_hostname(options.use_dns);
if (!authctxt->user || pass == NULL || pass[0] == '\0')
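Review bot: The new `auth_root_allowed ("password")` test at the top of sys_auth_passwd() is unconditional: nothing in the hunk restricts it to the root account, and it runs before the existing `!authctxt->user` check, so it cannot depend on who is logging in. Unless auth_root_allowed() itself looks at the target account, this returns 0 for every user whenever root password logins are disallowed, and it records a root-login refusal for non-root attempts. Suggest moving the test below the `authctxt->user` / `pass` validation and guarding it with a uid 0 check on the account being authenticated. Also note that returning before the SIA calls makes a refused root attempt finish faster than a normal failed password, which may be why auth_password continues into the backend; a short comment stating that this trade-off is intentional (to avoid SIA lockout of root) would help. Minor style: the spacing in `if (! auth_root_allowed (` and `return (0);` does not match the surrounding lines.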
--
Chris Adams <cmadams at hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.