[Bug 701] With 'PermitRootPassword without-password' set, root w/pass can still log in using 'keyboard-int/pam'

bugzilla-daemon at mindrot.org
Thu Jan 27 14:48:39 EST 2005


------- Additional Comments From dtucker at zip.com.au  2005-01-27 14:48 -------
(In reply to comment #0)
> Also, the following code in auth-password.c
>  #ifndef HAVE_CYGWIN
>    if (pw && pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
>            ok = 0;
>  #endif
> seems to prevent the auth.c:auth_root_allowed() routine from ever being
> called, meaning that the following log line in auth.c doesn't get called:
>     logit("ROOT LOGIN REFUSED FROM %.200s", get_remote_ipaddr());
> When the code in auth-passwd.c is commented out, auth.c:auth_root_allowed()
> gets run properly.

The problem with changing this is that the "ROOT LOGIN REFUSED" message is only
supposed to appear when root authenticated successfully but was denied by

To deal with potential information leaks (ie bug #971), in the case of an
invalid login, sshd will trash the user's response before handing it back to
PAM, so that PAM behaves the same way for these cases:
 - password wrong
 - password right but denied by sshd_config (PermitRootLogin, AllowUsers etc).

Because of this, sshd will never know if the credentials the user supplied are
valid, which means that it can either log *every* attempt or *none*, but it can
no longer log only the ones that were denied by sshd_config.
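The mechanism described in the comment above, as an added illustration in C. This is not OpenSSH source and not the comment author's code: the account table, the PAM stand-in (backend_verify), the policy enum and the BADPW sentinel are all constructed for the example. It models what happens when sshd_config denies a login (here only PermitRootLogin, plus an unknown user) before the response reaches the backend, so that the backend, and therefore sshd, sees the same thing for "password wrong" and "password right but denied by config".

```c
/*
 * Added example (not OpenSSH source): a minimal model of "trash the
 * response before handing it to PAM". Accounts, backend and the BADPW
 * sentinel are constructed stand-ins for the real password database
 * and PAM stack.
 */
#include <stdio.h>
#include <string.h>

enum { PERMIT_NO, PERMIT_WITHOUT_PASSWORD, PERMIT_YES };

struct account { const char *name; unsigned uid; const char *password; };

/* Constructed sample accounts standing in for the system password database. */
static const struct account accounts[] = {
    { "root",  0,    "toor"    },
    { "alice", 1000, "hunter2" },
};

/* Constructed sentinel that cannot match a real password (contains control chars). */
static const char BADPW[] = "\b\n\r\177INCORRECT";

/* Records the last response the backend received, so a caller can show that
 * the real password never reaches the backend when config denies the login. */
static char backend_last_input[128];

static const struct account *lookup(const char *name)
{
    for (size_t i = 0; i < sizeof accounts / sizeof accounts[0]; i++)
        if (strcmp(accounts[i].name, name) == 0)
            return &accounts[i];
    return NULL;
}

/* Length-independent comparison so a wrong password does not leak via timing. */
static int ct_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b), n = la < lb ? la : lb;
    unsigned char diff = (unsigned char)((la ^ lb) != 0);
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Stand-in for PAM: verifies whatever response it is handed, nothing more. */
static int backend_verify(const char *user, const char *response)
{
    const struct account *acct = lookup(user);
    snprintf(backend_last_input, sizeof backend_last_input, "%s", response);
    return acct != NULL && ct_equal(acct->password, response);
}

/* The sshd_config policy check, reduced to PermitRootLogin and "user exists". */
static int login_permitted_by_config(const struct account *acct, int permit_root_login)
{
    if (acct == NULL)
        return 0;
    if (acct->uid == 0 && permit_root_login != PERMIT_YES)
        return 0;
    return 1;
}

/*
 * When config would deny the login, the user's response is replaced with
 * BADPW before being handed to the backend. The backend then fails exactly
 * as it does for a wrong password, and the caller learns nothing about
 * whether the supplied credentials were actually valid.
 * Returns 1 only when the login is authenticated.
 */
int sshd_password_auth(const char *user, const char *response, int permit_root_login)
{
    const struct account *acct = lookup(user);
    const char *handed = login_permitted_by_config(acct, permit_root_login) ? response : BADPW;
    return backend_verify(user, handed);
}

/* What the backend last saw; lets a test confirm the real password was trashed. */
const char *backend_last_response(void)
{
    return backend_last_input;
}

int main(void)
{
    printf("root/toor,  PermitRootLogin without-password: %d\n",
           sshd_password_auth("root", "toor", PERMIT_WITHOUT_PASSWORD));
    printf("root/wrong, PermitRootLogin without-password: %d\n",
           sshd_password_auth("root", "wrong", PERMIT_WITHOUT_PASSWORD));
    printf("root/toor,  PermitRootLogin yes:              %d\n",
           sshd_password_auth("root", "toor", PERMIT_YES));
    printf("alice/hunter2:                                %d\n",
           sshd_password_auth("alice", "hunter2", PERMIT_NO));
    return 0;
}
```

The consequence the comment draws follows directly: because sshd_password_auth only ever sees the backend's yes/no, a "ROOT LOGIN REFUSED" line that fires only for correct-password-but-denied attempts cannot be produced from this path; the choice is between logging every failed attempt and logging none.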
