[PATCH] PermitRootLogin woes

Antti Tapaninen aet at cc.hut.fi
Thu Sep 14 21:20:03 EST 2006


Hi all,

among other things, we provide shell access to various unix based 
platforms for our students and university staff. Recently, there has been 
increasing number of root login attacks on one particular Tru64 machine 
running OpenSSH.

The host is configured with "PermitRootLogin no" but every once in a while 
SIA auth with TCB enhanced security locks the root account.

I suppose the problem could be solved at two separate levels, for SIA only 
in auth-sia.c, or for any password using auth method in auth-passwd.c.

I'd prefer a fix just for auth-passwd.c, are there any reasons to try out 
auth_krb5_password, sshpam_auth_passwd or sys_auth_passwd if variable "ok" 
is set to zero already?

Cheers,

-Antti

Index: auth-passwd.c
===================================================================
RCS file: /openssh/openssh_cvs/auth-passwd.c,v
retrieving revision 1.86
diff -u -r1.86 auth-passwd.c
--- auth-passwd.c	5 Aug 2006 02:39:39 -0000	1.86
+++ auth-passwd.c	14 Sep 2006 10:54:12 -0000
@@ -88,7 +88,7 @@

  #ifndef HAVE_CYGWIN
  	if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
-		ok = 0;
+		return 0;
  #endif
  	if (*password == '\0' && options.permit_empty_passwd == 0)
  		return 0;
Index: auth-sia.c
===================================================================
RCS file: /openssh/openssh_cvs/auth-sia.c,v
retrieving revision 1.18
diff -u -r1.18 auth-sia.c
--- auth-sia.c	7 Sep 2006 23:54:41 -0000	1.18
+++ auth-sia.c	14 Sep 2006 10:54:12 -0000
@@ -55,12 +55,14 @@
  	int ret;
  	SIAENTITY *ent = NULL;
  	const char *host;
+	struct passwd * pw = authctxt->pw;

-	host = get_canonical_hostname(options.use_dns);
-
+	if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
+		return (0);
  	if (!authctxt->user || pass == NULL || pass[0] == '\0')
  		return (0);

+	host = get_canonical_hostname(options.use_dns);
  	if (sia_ses_init(&ent, saved_argc, saved_argv, host, authctxt->user,
  	    NULL, 0, NULL) != SIASUCCESS)
  		return (0);

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev at mindrot.org
http://lists.mindrot.org/mailman/listinfo/openssh-unix-dev



More information about the openssh-unix-dev mailing list