"PermitRootLogin no" fails

Danny Mitchell fishcustard at gmail.com
Fri Feb 8 20:56:36 EST 2008


On 08/02/2008, Darren Tucker <dtucker at zip.com.au> wrote:
> Danny Mitchell wrote:
>...
> > but found that I could login as root. Examination of the code
> > revealed that PermitRootLogin is only dealt with in auth-pam.c, which
> > is surrounded by #ifdef USE_PAM/#endif.
>
> It is also checked in auth.c in auth_root_allowed(), which is used as a
> final check in auth1.c and auth2.c.


You're right, of course. I'd missed that one.


>
> > I rebuilt OpenSSH with the
> > --with-pam option enabled, installed, set PermitRootLogin to "no", and
> > restarted. It still permits root login.
>
> What configure options did you build with?  Did you remember to use
> --sysconfdir option to tell it to use the same files as the vendor sshd
> (probably /etc/ssh)?  By default, OpenSSH Portable uses config files in
> /usr/local/etc.
>

The configure line was
./configure --prefix=/usr/local --with-pam --with-ssl-dir=/usr/local/openssl-0.9.8g --with-md5-passwords
(that's a cut-and-paste of the line; it's in the config log files.)

I explicitly edited the sshd_config files in /usr/local/etc/ssh. I
have confirmed that the newly-built version is the one that's running
(it supports ssh2, and my clients use aes; the one the vendor shipped
only supports ssh1, and doesn't support aes), and "strings
/usr/local/sbin/sshd | grep sshd_config" returns
/usr/local/etc/ssh/sshd_config.

Thanks for taking the time to reply.
Danny Mitchell


-- 
-----------------------------------------------------------------------------------------
Wocky                            | A poem for the lonely: hello.
fishcustard at gmail.com           |             -- Spike Milligan
-----------------------------------------------------------------------------------------


More information about the openssh-unix-dev mailing list
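
A check for the symptom discussed in this message, as an added example that is not part of the original post or OpenSSH's own code: it reports the first PermitRootLogin value in the global section of a config file, because sshd keeps the first value it obtains for each keyword. The function name and the sample config are constructed for illustration; Include directives and Match blocks are not evaluated.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from OpenSSH): print the
# PermitRootLogin value that the global section of an sshd_config sets.

effective_permit_root_login() {
    # $1 = path to an sshd_config file
    awk '
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (line == "" || line ~ /^#/) next      # blank or comment
            # keyword and argument are separated by whitespace or "="
            n = match(line, /[ \t=]/)
            if (n == 0) next
            key = tolower(substr(line, 1, n - 1))    # keywords ignore case
            val = substr(line, n)
            sub(/^[ \t]*=?[ \t]*/, "", val)
            sub(/[ \t]+$/, "", val)
            gsub(/"/, "", val)
            if (key == "match") exit                 # global section ends
            if (key == "permitrootlogin") {
                print val " (line " NR ")"           # first value wins
                found = 1
                exit
            }
        }
        END { if (!found) print "unset" }            # built-in default applies
    ' "$1"
}

# Constructed sample: the later "no" is ignored because an earlier line
# already set the keyword.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sshd_config for illustration
Port 22
permitrootlogin yes
PasswordAuthentication yes
PermitRootLogin no
Match User backup
    PermitRootLogin forced-commands-only
EOF
effective_permit_root_login "$sample"
rm -f "$sample"
```

Point it at the path that `strings /usr/local/sbin/sshd | grep sshd_config` returns, so the file inspected is the one the running binary was built to read.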