"PermitRootLogin no" fails

Danny Mitchell fishcustard at gmail.com
Thu Feb 7 22:55:14 EST 2008


I'm running version 4.7p1 of OpenSSH on a Linux system (it was
originally a Red Hat system, but I've changed almost everything). When
I originally built OpenSSH I used the config option --without-pam, and
installed the software in /usr/local. I explicitly forbade root login
with sshd (by setting the PermitRootLogin to "no" in the sshd_config
file), but found that I could log in as root. Examination of the code
revealed that PermitRootLogin is only dealt with in auth-pam.c, which
is surrounded by #ifdef USE_PAM/#endif. I rebuilt OpenSSH with the
--with-pam option enabled, installed, set PermitRootLogin to "no", and
restarted. It still permits root login.

This seems to raise two security problems, both serious:
1. PermitRootLogin is never used if sshd is built without PAM support,
but the documentation is silent on this.
2. Even if sshd is built with PAM support, PermitRootLogin has no effect.


-- 
-----------------------------------------------------------------------------------------
Wocky                            | A poem for the lonely: hello.
fishcustard at gmail.com           |             -- Spike Milligan
-----------------------------------------------------------------------------------------
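
As an added example (not part of the original post, and not OpenSSH project code): a shell check that reports which PermitRootLogin value a given sshd_config file yields, relying on the documented rule that sshd uses the first value it obtains for a keyword. The function names and sample files are constructed for illustration, and settings inside Match blocks are deliberately not evaluated.

```shell
#!/bin/sh
# Added example. Prints the PermitRootLogin value that one sshd_config file
# yields in its global section, or "unset" if the keyword is not set there.
effective_permit_root_login() {
    awk -F'[ \t=]+' '
        { sub(/^[ \t]+/, "") }                 # drop leading whitespace, re-split fields
        /^#/ || /^$/ { next }                  # skip comments and blank lines
        tolower($1) == "match" { exit }        # global section ends at the first Match
        tolower($1) == "permitrootlogin" {     # keywords are case-insensitive
            v = $2; gsub(/"/, "", v)           # the value may be quoted
            print v; found = 1; exit           # first value read is the one used
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# Report the value for every candidate file, flagging unreadable ones.
audit_configs() {
    for f in "$@"; do
        if [ -r "$f" ]; then
            printf '%s: PermitRootLogin=%s\n' "$f" "$(effective_permit_root_login "$f")"
        else
            printf '%s: not readable\n' "$f"
        fi
    done
}

# Constructed sample files (not taken from the post).
tmp=$(mktemp -d)
printf '#PermitRootLogin yes\nPermitRootLogin no\nPermitRootLogin yes\n' > "$tmp/edited_config"
printf 'Port 22\nProtocol 2\n' > "$tmp/other_config"
audit_configs "$tmp/edited_config" "$tmp/other_config"
rm -rf "$tmp"
```

Pass every sshd_config present on the host to `audit_configs`, along with any file handed to the daemon with `-f`, to see whether the file that was edited is the one that sets the value.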

