[PATCH] PermitRootLogin woes
Antti Tapaninen
aet at cc.hut.fi
Thu Sep 14 21:20:03 EST 2006
Hi all,
among other things, we provide shell access to various unix based
platforms for our students and university staff. Recently, there has been
increasing number of root login attacks on one particular Tru64 machine
running OpenSSH.
The host is configured with "PermitRootLogin no" but every once in a while
SIA auth with TCB enhanced security locks the root account.
I suppose the problem could be solved at two separate levels, for SIA only
in auth-sia.c, or for any password using auth method in auth-passwd.c.
I'd prefer a fix just for auth-passwd.c, are there any reasons to try out
auth_krb5_password, sshpam_auth_passwd or sys_auth_passwd if variable "ok"
is set to zero already?
Cheers,
-Antti
Index: auth-passwd.c
===================================================================
RCS file: /openssh/openssh_cvs/auth-passwd.c,v
retrieving revision 1.86
diff -u -r1.86 auth-passwd.c
--- auth-passwd.c 5 Aug 2006 02:39:39 -0000 1.86
+++ auth-passwd.c 14 Sep 2006 10:54:12 -0000
@@ -88,7 +88,7 @@
#ifndef HAVE_CYGWIN
if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
- ok = 0;
+ return 0;
#endif
if (*password == '\0' && options.permit_empty_passwd == 0)
return 0;
Index: auth-sia.c
===================================================================
RCS file: /openssh/openssh_cvs/auth-sia.c,v
retrieving revision 1.18
diff -u -r1.18 auth-sia.c
--- auth-sia.c 7 Sep 2006 23:54:41 -0000 1.18
+++ auth-sia.c 14 Sep 2006 10:54:12 -0000
@@ -55,12 +55,14 @@
int ret;
SIAENTITY *ent = NULL;
const char *host;
+ struct passwd * pw = authctxt->pw;
- host = get_canonical_hostname(options.use_dns);
-
+ if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
+ return (0);
if (!authctxt->user || pass == NULL || pass[0] == '\0')
return (0);
+ host = get_canonical_hostname(options.use_dns);
if (sia_ses_init(&ent, saved_argc, saved_argv, host, authctxt->user,
NULL, 0, NULL) != SIASUCCESS)
return (0);
More information about the openssh-unix-dev
mailing list