PermitRootLogin without-password functionality differs for UsePAM yes/no option
Darren Tucker
dtucker at zip.com.au
Thu Jan 20 20:43:53 EST 2005
Ponraj Mathiazagan wrote:
> I am using OpenSSH 3.9p1. For " UsePAM yes/no " option with "
> PermitRootLogin without-password", the server functionality differs.
> For " UsePAM yes ", the server allows authentication thru password,
> meanwhile " UsePAM no " does not.

Strictly speaking it's keyboard-interactive authentication, not
password. It's backended onto PAM, which in your case happens to
authenticate via a simple password (it could have been S/Key or OPIE or
mental telepathy but sshd has no way to know what PAM has in mind).

You can prevent this by setting "PasswordAuthentication yes" and
"ChallengeResponseAuthentication no" in sshd_config.

> I have fixed that problem and the
> patch is given below.
[...]
> Please let me know whether this patch will produce any undesired effect.

If PAM inserts a delay on failed auth attempts, your patch will return
faster when the auth attempt gets the root password right.

Anyway, this particular problem was fixed earlier today in a way that
(hopefully :-) won't do that. See
http://bugzilla.mindrot.org/show_bug.cgi?id=971 and/or try tomorrow's
snapshot.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
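
An added example, not part of the original message and not OpenSSH code: a small Python check that reads an sshd_config and reports the combination discussed above (PermitRootLogin without-password with UsePAM yes while ChallengeResponseAuthentication is still enabled). The default values, function names and sample configurations are assumptions constructed for illustration.

```python
# Added example; defaults are assumed for an OpenSSH 3.9-era sshd (check sshd_config(5)).
DEFAULTS = {
    "permitrootlogin": "yes",
    "usepam": "no",
    "challengeresponseauthentication": "yes",
    "passwordauthentication": "yes",
}

def effective_settings(config_text):
    """Resolve global keywords; sshd keeps the first value it sees for each one."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.replace("=", " ", 1).split()
        if len(fields) < 2:
            continue
        key, value = fields[0].lower(), fields[1].strip('"').lower()
        if key == "match":  # conditional blocks are outside this check's scope
            break
        seen.setdefault(key, value)
    return {**DEFAULTS, **seen}

def root_kbdint_via_pam(config_text):
    """True when root is limited to 'without-password' but PAM-backed
    keyboard-interactive authentication is still offered."""
    s = effective_settings(config_text)
    return (s["permitrootlogin"] == "without-password"
            and s["usepam"] == "yes"
            and s["challengeresponseauthentication"] == "yes")

# Constructed sample configurations (not taken from the thread).
EXPOSED = """
# root restricted to keys, PAM on, challenge-response left at its default
PermitRootLogin without-password
UsePAM yes
"""
HARDENED = EXPOSED + "PasswordAuthentication yes\nChallengeResponseAuthentication no\n"

if __name__ == "__main__":
    for name, text in (("EXPOSED", EXPOSED), ("HARDENED", HARDENED)):
        print(name, "-> root keyboard-interactive via PAM:", root_kbdint_via_pam(text))
```

The check only models the settings named in this message; whether a given sshd build still behaves this way depends on whether it includes the fix referenced in bug 971.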