Hi, OpenSSH 2.9p2 behaves differently with 'PermitRootLogin without-password' than does SSH 2.2.27 with 'PermitRootLogin nopwd': nopython.imorgan 153> ssh root at sun523 root at sun523's password: ROOT LOGIN REFUSED FROM nopython.nas.nasa.gov nopython.imorgan 154> ssh root at sun566 root at sun566's password: Permission denied. In the case of OpenSSH, you simply get 'Permission denied' which may lead some to incorrectly assume that the issue is a mistyped password. -- Iain Morgan NAS Desktop Support Group
>OpenSSH 2.9p2 behaves differently with 'PermitRootLogin without-password' >than does SSH 2.2.27 with 'PermitRootLogin nopwd': > >nopython.imorgan 153> ssh root at sun523 >root at sun523's password: >ROOT LOGIN REFUSED FROM nopython.nas.nasa.gov > >nopython.imorgan 154> ssh root at sun566 >root at sun566's password: >Permission denied. > >In the case of OpenSSH, you simply get 'Permission denied' which may lead >some to incorrectly assume that the issue is a mistyped password.OpenSSH is more secure in its behaviour since it didn't tell you that the password was correct so it can't be used as a method to test possible root passwords and then go and use the root password to get into the host by another means (eg on the console). I guess it could be a config option to say how much information is given out when a login is refused. If you care write the patch to make it configurable and ask for it to be included. -- Darren J Moffat
On Wed, 31 Oct 2001, Iain Morgan wrote:> nopython.imorgan 154> ssh root at sun566 > root at sun566's password: > Permission denied. > > In the case of OpenSSH, you simply get 'Permission denied' which may lead > some to incorrectly assume that the issue is a mistyped password.We do not want to expose the reason why access is denied - we go to some trouble to ensure this. -d -- | By convention there is color, \\ Damien Miller <djm at mindrot.org> | By convention sweetness, By convention bitterness, \\ www.mindrot.org | But in reality there are atoms and space - Democritus (c. 400 BCE)
Apparently Analagous Threads
- SSH and root access from limited hosts
- X.509 certificate based IMAP login
- [Bug 2305] New: sshd does not accept @cert-authority when doing host based authentication.
- FYI: SSH1 now disabled at compile-time by default
- [Bug 2211] New: Too many hostbased authentication attempts