"PermitRootLogin no" fails

Darren Tucker dtucker at zip.com.au
Fri Feb 8 20:00:56 EST 2008


Danny Mitchell wrote:
> I'm running version 4.7p1 of OpenSSH on a Linux system (it was
> originally a RedHat system, but I've changed almost everything.) When
> I originally built OpenSSH I used the config option --without-pam, and
> installed the software in /usr/local. I explicitly forbade root login
> with sshd (by setting the PermitRootLogin to "no" in the sshd_config
> file), but found that I could log in as root. Examination of the code
> revealed that PermitRootLogin is only dealt with in auth-pam.c, which
> is surrounded by #ifdef USE_PAM/#endif.

It is also checked in auth.c in auth_root_allowed(), which is used as a 
final check in auth1.c and auth2.c.

> I rebuilt OpenSSH with the
> --with-pam option enabled, installed, set PermitRootLogin to "no", and
> restarted. It still permits root login.

What configure options did you build with?  Did you remember to use the
--sysconfdir option to tell it to use the same files as the vendor sshd
(probably /etc/ssh)?  By default, OpenSSH Portable uses config files in
/usr/local/etc.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
     Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.


More information about the openssh-unix-dev mailing list
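
Added example (not part of the original message and not OpenSSH code): a shell check for the situation raised above, where PermitRootLogin is set in one sshd_config while the locally built sshd reads another. The function names are hypothetical and the sample files are constructed; only the two directory locations come from the message.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; sample files are constructed.

# Print the global PermitRootLogin value in the sshd_config file "$1".
# sshd keeps the first value it reads for a keyword and keywords are
# case-insensitive; parsing stops at the first Match block.
# Assumes keyword and value are separated by whitespace.
effective_permit_root_login() {
    [ -r "$1" ] || { echo "missing"; return 0; }
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }       # skip comments and blank lines
        tolower($1) == "match" { exit }         # global section ends here
        tolower($1) == "permitrootlogin" {
            v = tolower($2); gsub(/"/, "", v)   # strip optional quotes
            print v; found = 1; exit
        }
        END { if (!found) print "unset" }       # compiled-in default applies
    ' "$1"
}

# Compare the file that was edited ("$1") with the file the binary reads ("$2").
# Returns 0 only when both yield the same setting.
compare_configs() {
    edited=$(effective_permit_root_login "$1")
    active=$(effective_permit_root_login "$2")
    echo "edited=$edited active=$active"
    [ "$edited" = "$active" ]
}

# Constructed demo tree mirroring the two locations named in the message.
demo=$(mktemp -d)
mkdir -p "$demo/etc/ssh" "$demo/usr/local/etc"
printf 'Port 22\nPermitRootLogin no\n' > "$demo/etc/ssh/sshd_config"
printf '#PermitRootLogin yes\nPort 22\n' > "$demo/usr/local/etc/sshd_config"

compare_configs "$demo/etc/ssh/sshd_config" "$demo/usr/local/etc/sshd_config" ||
    echo "MISMATCH: the edited file is not the one this sshd build reads"
rm -rf "$demo"
```

Later OpenSSH releases than the 4.7p1 discussed here also provide `sshd -T`, which prints the effective configuration of the binary it is run from.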