PermitRootLogin and Tru64 SIA

Darren Tucker dtucker at zip.com.au
Thu Apr 7 23:43:51 EST 2005


Chris Adams wrote:
> I have "PermitRootLogin no" in my sshd_config, but under Tru64 and SIA,
> the root login attempts still get passed to the SIA system (so I get
> lots of warnings about failed root logins).  On systems with a "max
> failed attempts" setting, the root account can be locked out this way.
> I started looking at the code, and I'm not sure I understand what I see.
> 
> In auth-passwd.c, function auth_password checks permit_root_login, but
> it doesn't stop if it fails.  It goes on and calls the authentication
> function (sys_auth_passwd from auth-sia.c for SIA) but still returns
> failure.  Why?

It's trying to behave the same for all these different cases, while still 
denying the logins that should be denied:
  - valid user but wrong password
  - denied by sshd config (permitrootlogin=no, denyusers) + wrong password
  - denied by sshd config (permitrootlogin=no, denyusers) + right password
  - non-existent user

Returning early allows an attacker to determine some settings, and in some 
cases guess passwords.

The lower-level drivers do whatever they need to to present this 
consistent behaviour (in the case of PAM, that means feeding bogus 
passwords in the denied-by-config cases, otherwise).

> Should I just modify auth-sia.c sys_auth_passwd() to check the
> permit_root_login option and fail without calling the SIA functions?

If that's the right thing to do in this case.  You're ignoring actual 
login attempts (even though they have no chance of succeeding); is that 
the right thing?

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
     Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
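
The trade-off discussed in this thread, as an added C sketch that is not OpenSSH code and not part of either message. `backend_check`, `auth_uniform`, `auth_early_return`, the credential table and the failure counter are constructed stand-ins for `sys_auth_passwd` and the SIA failed-attempt counter.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a system auth backend such as SIA: it counts
 * failed attempts against root, as a "max failed attempts" policy would. */
static int root_failures = 0;

static int backend_check(const char *user, const char *password)
{
    /* Constructed credential table: only root / "correct-horse" exists. */
    int is_root = strcmp(user, "root") == 0;
    int ok = is_root && strcmp(password, "correct-horse") == 0;
    if (is_root && !ok)
        root_failures++;
    return ok;
}

/* Shape described in the thread: evaluate the policy, call the backend
 * anyway, and only then combine the two results. The thread notes that the
 * PAM driver feeds a bogus password in the denied case; this model passes
 * the real one through. */
static int auth_uniform(const char *user, const char *password, int permit_root)
{
    int allowed = !(strcmp(user, "root") == 0 && !permit_root);
    int result = backend_check(user, password);
    return result && allowed;
}

/* Early-return variant proposed in the question: a denied user never
 * reaches the backend, so the denied path does observably different work. */
static int auth_early_return(const char *user, const char *password, int permit_root)
{
    if (strcmp(user, "root") == 0 && !permit_root)
        return 0;
    return backend_check(user, password);
}

int main(void)
{
    auth_uniform("root", "wrong", 0);
    printf("uniform, PermitRootLogin no: backend failures = %d\n", root_failures);
    root_failures = 0;
    auth_early_return("root", "wrong", 0);
    printf("early return, PermitRootLogin no: backend failures = %d\n", root_failures);
    return 0;
}
```

The uniform variant records the failure against root, which is the lockout described in the question; the early-return variant records nothing, which is the "ignoring actual login attempts" trade-off raised in the reply.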



