PermitRootLogin without-password functionality differs for UsePAM yes/no option

Darren Tucker dtucker at zip.com.au
Thu Jan 20 20:43:53 EST 2005


Ponraj Mathiazagan wrote:
> I am using OpenSSH 3.9p1. For "UsePAM yes/no" option with
> "PermitRootLogin without-password", the server functionality differs.
> For "UsePAM yes", the server allows authentication through password,
> meanwhile "UsePAM no" does not.

Strictly speaking it's keyboard-interactive authentication, not 
password.  It's backended onto PAM, which in your case happens to 
authenticate via a simple password (it could have been S/Key or OPIE or 
mental telepathy but sshd has no way to know what PAM has in mind).

You can prevent this by setting "PasswordAuthentication yes" and 
"ChallengeResponseAuthentication no" in sshd_config.

> I have fixed that problem and the
> patch is given below.
[...]
> Please let me know whether this patch will produce any undesired effect. 

If PAM inserts a delay on failed auth attempts, your patch will return 
faster when the auth attempt gets the root password right.

Anyway, this particular problem was fixed earlier today in a way that 
(hopefully :-) won't do that.  See 
http://bugzilla.mindrot.org/show_bug.cgi?id=971 and/or try tomorrow's 
snapshot.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
     Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
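
The timing difference described in the reply above, modelled as an added example that is not part of the original message and is not OpenSSH code. All function names, the delay value and the passwords are constructed; the second variant is one possible way to keep refusals uniform, an assumption here and not taken from the fix in bug 971.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the behaviour; none of these names exist in sshd. */
#define FAIL_DELAY_MS 2000                     /* constructed: delay PAM adds on failure */
static const char *ROOT_PW = "correct-horse";  /* constructed sample secret */
static const char *BAD_PW  = "\n<no-match>";   /* constructed: chosen so it will not match */

struct result { int allowed; int delay_ms; };

/* Stand-in for the PAM stack: success returns at once, failure is delayed. */
static struct result pam_stub(const char *pw) {
    struct result r = { strcmp(pw, ROOT_PW) == 0, 0 };
    if (!r.allowed) r.delay_ms = FAIL_DELAY_MS;
    return r;
}

/* Leaky: ask PAM first, refuse root afterwards. A correct password is
 * refused without the failure delay, so the response time reveals it. */
static struct result deny_after_pam(const char *pw) {
    struct result r = pam_stub(pw);
    r.allowed = 0;                 /* root may not use this method */
    return r;
}

/* Uniform: hand PAM a value that will not match, so every refusal goes
 * through the same failure path and incurs the same delay. */
static struct result deny_via_bad_pw(const char *pw) {
    (void)pw;                      /* the client's answer is deliberately ignored */
    return pam_stub(BAD_PW);
}

int main(void) {
    const char *tries[] = { "guess", "correct-horse" };
    for (int i = 0; i < 2; i++) {
        struct result a = deny_after_pam(tries[i]);
        struct result b = deny_via_bad_pw(tries[i]);
        printf("%-14s leaky: allowed=%d delay=%dms  uniform: allowed=%d delay=%dms\n",
               tries[i], a.allowed, a.delay_ms, b.allowed, b.delay_ms);
    }
    return 0;
}
```

In the leaky variant both attempts are refused, but only the wrong guess is delayed; in the uniform variant the two refusals cannot be told apart by response time.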



