bugzilla-daemon at mindrot.org
2003-Sep-22 13:06 UTC
[Bug 701] With 'PermitRootPassword without-password' set, root w/pass can still log in with a using 'keyboard-int/pam'
http://bugzilla.mindrot.org/show_bug.cgi?id=701 Summary: With 'PermitRootPassword without-password' set, root w/pass can still log in with a using 'keyboard-int/pam' Product: Portable OpenSSH Version: 3.7.1p1 Platform: All OS/Version: All Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo: openssh-bugs at mindrot.org ReportedBy: jfh at cise.ufl.edu When the directive PermitRootLogin is specified as 'without-password', root can still log in with a password using the 'keyboard-interactive/pam' method and possibly others. The fix is to permit only certain methods to allow root logins, and deny the rest. The patch I will be providing currently only allows root to login with the 'publickey' method. Others can be added as necessary, but as methods are added in the future they will default to not allowing root to login when PermitRootLogin is set to 'without-password' unless specified in this routine. (This is different from the patch I sent to the list which allowed root to login with all methods except those explicitly denied). This may warrant a security announcement as there may be sites with PermitRootLogin set to 'without-password' who are using PAM for logins and who are unaware that root can still log in with a password. Also, the following code in auth-password.c #ifndef HAVE_CYGWIN if (pw && pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES) ok = 0; #endif seems to prevent the auth.c:auth_root_allowed() routine from ever being called, meaning that the following log line in auth.c doesn't get called: logit("ROOT LOGIN REFUSED FROM %.200s", get_remote_ipaddr()); When the code in auth-passwd.c is commented out, auth.c:auth_root_allowed() gets run properly. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2003-Sep-22 13:10 UTC
[Bug 701] With 'PermitRootPassword without-password' set, root w/pass can still log in with a using 'keyboard-int/pam'
http://bugzilla.mindrot.org/show_bug.cgi?id=701 ------- Additional Comments From jfh at cise.ufl.edu 2003-09-22 23:10 ------- Created an attachment (id=446) --> (http://bugzilla.mindrot.org/attachment.cgi?id=446&action=view) Allows only 'publickey' method when 'PermitRootLogin' is set to 'without-password' ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2003-Sep-22 13:17 UTC
[Bug 701] With 'PermitRootPassword without-password' set, root w/pass can still log in with a using 'keyboard-int/pam'
http://bugzilla.mindrot.org/show_bug.cgi?id=701 ------- Additional Comments From markus at openbsd.org 2003-09-22 23:17 ------- the problem is that login via PAM might be anything, so the pam modules have to restrict things. what should be done if pam auth might be s/key? then "without-passwd" should allow login? or not? i think that if pam is used then pam has to be configured properly. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2003-Sep-22 13:42 UTC
[Bug 701] With 'PermitRootPassword without-password' set, root w/pass can still log in with a using 'keyboard-int/pam'
http://bugzilla.mindrot.org/show_bug.cgi?id=701 ------- Additional Comments From markus at openbsd.org 2003-09-22 23:42 ------- patch looks good. will work on something similar. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2003-Sep-22 13:49 UTC
[Bug 701] With 'PermitRootPassword without-password' set, root w/pass can still log in with a using 'keyboard-int/pam'
http://bugzilla.mindrot.org/show_bug.cgi?id=701 ------- Additional Comments From jfh at cise.ufl.edu 2003-09-22 23:49 ------- Perhaps then, the wording of the sshd_config(8) man page should be modified somewhat: Change If this option is set to ``without-password'' password authentication is disabled for root. to If this option is set to ``without-password'', logins via the OpenSSH password authentication method are disabled for root. Other authentication methods (e.g., PAM) may still allow root to login via a password. Would anyone be interested in a 'publickey' setting for the 'PermitRootLogin' directive? I should be able to code one up in the next day or so. This would remove any ambiguity and lock down logins to publickey only. (Sorry if this is a dup -- I responded via email to Markus' first comment and it didn't show up -- I'm obviously Bugzilla-impaired :->) Jim ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.
Reasonably Related Threads
- [Bug 701] With 'PermitRootPassword without-password' set, root w/pass can still log in with a using 'keyboard-int/pam'
- [Bug 701] With 'PermitRootPassword without-password' set, root w/pass can still log in with a using 'keyboard-int/pam'
- [Bug 701] With 'PermitRootPassword without-password' set, root w/pass can still log in with a using 'keyboard-int/pam'
- [Bug 701] With 'PermitRootPassword without-password' set, root w/pass can still log in with a using 'keyboard-int/pam'
- Kerberos password auth/expiry kbdint patch