[PATCH] PermitRootLogin woes

Antti Tapaninen aet at cc.hut.fi
Fri Sep 15 02:40:54 EST 2006


On Thu, 14 Sep 2006, Darren Tucker wrote:

> On platforms where a failed login attempt is noticeable by the time it takes,
> shortcutting the "ok" check leaks information about what is and is not
> permitted.

I'm not following, sorry. What do you mean by noticeable and leaking
information about what is and is not permitted?

As for noticing or monitoring failed authentications, auth_log() does a 
pretty good job informing about user authentications failed and where they 
came from.

I fail to see how it's reasonable to allow anyone to attack and even lock
root accounts, even though PermitRootLogin sounds like a perfect solution 
against it. Using auth layers (pam, sia, kdc, something other not so 
lightweight) for nothing.

Thanks,

-Antti




More information about the openssh-unix-dev mailing list