[Bug 2061] New: Request for PermitRootLogin to be enforced prior to credential check

Mon Jan 14 19:51:13 EST 2013

https://bugzilla.mindrot.org/show_bug.cgi?id=2061

            Bug ID: 2061
           Summary: Request for PermitRootLogin to be enforced prior to
                    credential check
    Classification: Unclassified
           Product: Portable OpenSSH
           Version: 6.1p1
          Hardware: Other
                OS: OpenBSD
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: vram at tradermail.info

Unless I am misreading the code, at present, when an attempt is made to
log in as "root", first the login attempt is authenticated.  Only
afterwards is auth_root_allowed(...) called.  Thus if someone wants to
try to login as root via ssh even when PermitRootLogin=no it is only
*after* they succesfully use the correct password/key that the option
is enforced, and the "ROOT LOGIN REFUSED" log message is emitted. 
Otherwise, it is logged like any other failed attempt.

However, if we have PermitRootLogin=no set, then knowing immediately
via the big glaring "ROOT LOGIN REFUSED" log message sooner rather than
later allows the administrator to more quickly and easily know that an
inappropriate access attempt is being made.  After all, this log
message exists for a reason.

I'd like to politely request that PermitRootLogin be honored by instead
enforcing the negative option values even prior to checking the
credentials.  Once authctxt->pw is valid and the corresponding UID is
known to be 0, then auth_root_allowed(...) should be called upstream of
the userauth(...) call for that authctxt.

Thanks for your consideration and for OpenSSH.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.