PermitRootLogin and Tru64 SIA

Chris Adams cmadams at
Thu Apr 7 23:00:44 EST 2005

I have "PermitRootLogin no" in my sshd_config, but under Tru64 and SIA,
the root login attempts still get passed to the SIA system (so I get
lots of warnings about failed root logins).  On systems with a "max
failed attempts" setting, the root account can be locked out this way.
I started looking at the code, and I'm not sure I understand what I see.

In auth-passwd.c, function auth_password checks permit_root_login, but
it doesn't stop if it fails.  It goes on and calls the authentication
function (sys_auth_passwd from auth-sia.c for SIA) but still returns
failure.  Why?

Should I just modify auth-sia.c sys_auth_passwd() to check the
permit_root_login option and fail without calling the SIA functions?
Here's a patch that does that:

diff -urN openssh-dist/auth-sia.c openssh/auth-sia.c
--- openssh-dist/auth-sia.c	Thu Mar  4 05:59:37 2004
+++ openssh/auth-sia.c	Thu Apr  7 07:52:13 2005
@@ -53,6 +53,9 @@
 	const char *host;
+	if (! auth_root_allowed ("password"))
+		return (0);
 	host = get_canonical_hostname(options.use_dns);
 	if (!authctxt->user || pass == NULL || pass[0] == '\0')

Chris Adams <cmadams at>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.

More information about the openssh-unix-dev mailing list