[PATCH] PermitRootLogin woes
Darren Tucker
dtucker at zip.com.au
Thu Sep 14 22:27:41 EST 2006
On Thu, Sep 14, 2006 at 02:20:03PM +0300, Antti Tapaninen wrote:
>
> Hi all,
>
> among other things, we provide shell access to various unix based
> platforms for our students and university staff. Recently, there has been an
> increasing number of root login attacks on one particular Tru64 machine
> running OpenSSH.
>
> The host is configured with "PermitRootLogin no" but every once in a while
> SIA auth with TCB enhanced security locks the root account.
>
> I suppose the problem could be solved at two separate levels, for SIA only
> in auth-sia.c, or for any password using auth method in auth-passwd.c.
>
> I'd prefer a fix just for auth-passwd.c, are there any reasons to try out
> auth_krb5_password, sshpam_auth_passwd or sys_auth_passwd if variable "ok"
> is set to zero already?

On platforms where a failed login attempt is noticeable by the time it takes,
shortcutting the "ok" check leaks information about what is and is not
permitted.
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
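
The trade-off discussed in this thread, as an added example that is not part of the original messages and is not OpenSSH code: a simplified C model in which a call counter stands in for both the time a failed login takes and the backend's failed-attempt bookkeeping. All function names, users and passwords are constructed for illustration.

```c
/* Simplified model, not OpenSSH source; names and credentials are constructed. */
#include <stdio.h>
#include <string.h>

static int backend_calls; /* proxy for time spent and failed-login bookkeeping */

/* Stand-in for a slow system password check (SIA, PAM, ...). */
static int backend_check(const char *user, const char *password) {
    backend_calls++;
    if (strcmp(user, "root") == 0)
        return strcmp(password, "r00t-pw") == 0;
    if (strcmp(user, "alice") == 0)
        return strcmp(password, "alice-pw") == 0;
    return 0;
}

/* Stand-in for the "PermitRootLogin no" policy decision. */
static int policy_allows(const char *user) {
    return strcmp(user, "root") != 0;
}

/* Variant A: once policy says no, return without touching the backend. */
int auth_shortcut(const char *user, const char *password) {
    if (!policy_allows(user))
        return 0;
    return backend_check(user, password);
}

/* Variant B: always do the backend work, then apply the policy result. */
int auth_uniform(const char *user, const char *password) {
    int ok = policy_allows(user);
    int result = backend_check(user, password);
    return ok && result;
}

/* Number of backend calls made by one failed attempt as `user`. */
int cost_of_failure(int (*auth)(const char *, const char *), const char *user) {
    backend_calls = 0;
    (void)auth(user, "wrong-guess");
    return backend_calls;
}

int main(void) {
    printf("shortcut: root=%d alice=%d\n", cost_of_failure(auth_shortcut, "root"),
        cost_of_failure(auth_shortcut, "alice"));
    printf("uniform:  root=%d alice=%d\n", cost_of_failure(auth_uniform, "root"),
        cost_of_failure(auth_uniform, "alice"));
    return 0;
}
```

With the shortcut, a failed attempt as root costs no backend call while one as alice costs one, which is the observable difference; the uniform variant costs one call for both, and the backend then sees every root attempt.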