3.7.1P2, PermitRootLogin and PAM with hidden NISplus passwords

Edgar, Bob Bob.Edgar at commerzbankib.com
Tue Nov 18 03:45:01 EST 2003 

Greetings,

I know that part of the following has been discussed here before but
please bear with me.

We are running on Solaris versions 2.6 - 9 with a NISplus name service.

The permissions on the NISplus password map have been modified to
limit read access to the encrypted password field of the passwd table
to only the entry owner and the table administrators. See:
   http://docs.sun.com/db/doc/801-6633/6i10dhc35?a=view

This modification means that only a validated user can see the encrypted
password field and further the user can see _only_ his or her own
password, all other entries are returned as "*NP*".
This behavior poses a chicken and egg problem: how can a user be
authenticated when the password field is not visible? The PAM stack
handles this by treating the supplied password as the key used to
decrypt the user's secret key used when issuing requests to any secure
RPC services.

What all of the above means in terms of OpenSSH is that
PasswordAuthentication will not function and that UsePAM is required.
While this functions properly for normal users it has one very negative
security implication with respect to root logins:  PermitRootLogin is
not respected when UsePAM is in effect. I submit that ignoring the 
PermitRootLogin directive is counter intuitive and that doing so opens
a serious security hole for the unwary. As this behavior is documented
it can be considered a feature but I would like to propose that this
decision be revisited in light of the above.

Pam support is now in keyboard-interactive and I have looked at the code
enough to realize that the change is not "obvious by inspection". I would
greatly appreciate any help anyone (Darren Tucker?) might provide in
generating a patch that implements PermitRootLogin with UsePAM.

Thanks for your time and apologies if the above is unclear or incorrect.

bob

The legal  word: 
    "This message only reflects the personal opinion of the author and 
      must not be regarded as or considered to be any form of reference 
      to the opinion of the Commerzbank AG or any of its affiliated 
      companies." 
On the other hand, it probably doesn't accurately reflect the author's 
opinion either, but that's another story. So it goes. 
Copyright (C) 2003 MrBob, no rights reserved.

More information about the openssh-unix-dev mailing list