[PATCH] PermitRootLogin woes

Darren Tucker dtucker at zip.com.au
Thu Sep 14 22:27:41 EST 2006


On Thu, Sep 14, 2006 at 02:20:03PM +0300, Antti Tapaninen wrote:
> 
> Hi all,
> 
> among other things, we provide shell access to various unix based 
> platforms for our students and university staff. Recently, there has been 
> an increasing number of root login attacks on one particular Tru64 machine 
> running OpenSSH.
> 
> The host is configured with "PermitRootLogin no" but every once in a while 
> SIA auth with TCB enhanced security locks the root account.
> 
> I suppose the problem could be solved at two separate levels, for SIA only 
> in auth-sia.c, or for any password using auth method in auth-passwd.c.
> 
> I'd prefer a fix just for auth-passwd.c, are there any reasons to try out 
> auth_krb5_password, sshpam_auth_passwd or sys_auth_passwd if variable "ok" 
> is set to zero already?

On platforms where a failed login attempt is noticeable by the time it takes,
shortcutting the "ok" check leaks information about what is and is not
permitted.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
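
The trade-off described in the reply above, as an added example that is not part of the original message and is not OpenSSH code: it counts calls to a slow backend as a stand-in for elapsed time, comparing a shortcut check with one that always does the same work. All function names, user names and the password are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a slow password backend (SIA, PAM, crypt). */
static int backend_calls;

static int backend_verify(const char *user, const char *password)
{
    (void)user;
    backend_calls++;                /* models the time-consuming work */
    return strcmp(password, "correct-horse") == 0;  /* constructed secret */
}

/* Constructed policy: root is not permitted to log in. */
static int policy_ok(const char *user)
{
    return strcmp(user, "root") != 0;
}

/* Shortcut: skips the backend when policy already says no. */
int auth_shortcut(const char *user, const char *password)
{
    if (!policy_ok(user))
        return 0;
    return backend_verify(user, password);
}

/* Uniform: always runs the backend, then applies policy to the result. */
int auth_uniform(const char *user, const char *password)
{
    int ok = policy_ok(user);
    int result = backend_verify(user, password);
    return result && ok;
}

/* Backend calls spent on one failed attempt for the given user. */
int backend_cost(int (*auth)(const char *, const char *), const char *user)
{
    backend_calls = 0;
    (void)auth(user, "wrong-guess");
    return backend_calls;
}

int main(void)
{
    printf("shortcut: root=%d alice=%d\n",
        backend_cost(auth_shortcut, "root"), backend_cost(auth_shortcut, "alice"));
    printf("uniform:  root=%d alice=%d\n",
        backend_cost(auth_uniform, "root"), backend_cost(auth_uniform, "alice"));
    return 0;
}
```

With the shortcut, a denied account costs no backend work while a permitted one does, which is the observable difference; the uniform variant removes that difference but keeps the backend call the original question wanted to avoid.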



More information about the openssh-unix-dev mailing list