[PATCH] PermitRootLogin woes
Antti Tapaninen
aet at cc.hut.fi
Fri Sep 15 02:40:54 EST 2006
On Thu, 14 Sep 2006, Darren Tucker wrote:

> On platforms where a failed login attempt is noticeable by the time it takes,
> shortcutting the "ok" check leaks information about what is and is not
> permitted.

I'm not following, sorry. What do you mean by noticeable and leaking
information about what is and is not permitted?

As for noticing or monitoring failed authentications, auth_log() does a
pretty good job informing about user authentications failed and where they
came from.

I fail to see how it's reasonable to allow anyone to attack and even lock
root accounts, even though PermitRootLogin sounds like a perfect solution
against it. Using auth layers (pam, sia, kdc, something other not so
lightweight) for nothing.

Thanks,
-Antti