Ponraj Mathiazagan
2005-Jan-20 09:23 UTC
PermitRootLogin without-password functionality differs for UsePAM yes/no option
Hi,

I am using OpenSSH 3.9p1. For " UsePAM yes/no " option with " PermitRootLogin without-password", the server functionality differs. For " UsePAM yes ", the server allows authentication thru password, meanwhile " UsePAM no " does not.

I have fixed that problem and the patch is given below.

---------------------------------------------------------------------
File: auth.c
In auth_root_allowed() function
+if ((strcmp(method, "password") != 0 ) && (strcmp(method, "keyboard-interactive/pam") !=0)) + return 1; -if (strcmp(method, "password") != 0 )
---------------------------------------------------------------------

Please let me know whether this patch will produce any undesired effect.

Thanks
Ponraj M
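
Review bot: the added condition in auth_root_allowed() compares method against the single literal "keyboard-interactive/pam", so a keyboard-interactive request served under any other backend name would still satisfy the test, reach return 1 and be treated as a non-password method. If the intent is that without-password refuses every password-style prompt, consider matching on the "keyboard-interactive" prefix rather than one full string, and add a comment naming the methods that are meant to be refused. The patch shows the removed if line without surrounding context, so these lines alone do not confirm what the function returns once the early return is skipped.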
Darren Tucker
2005-Jan-20 09:43 UTC
PermitRootLogin without-password functionality differs for UsePAM yes/no option
Ponraj Mathiazagan wrote:
> I am using OpenSSH 3.9p1. For " UsePAM yes/no " option with "
> PermitRootLogin without-password", the server functionality differs.
> For " UsePAM yes ", the server allows authentication thru password,
> meanwhile " UsePAM no " does not.

Strictly speaking it's keyboard-interactive authentication, not password. It's backended onto PAM, which in your case happens to authenticate via a simple password (it could have been S/Key or OPIE or mental telepathy but sshd has no way to know what PAM has in mind).

You can prevent this by setting "PasswordAuthentication yes" and "ChallengeResponseAuthentication no" in sshd_config.

> I have fixed that problem and the
> patch is given below.
[...]
> Please let me know whether this patch will produce any undesired effect.

If PAM inserts a delay on failed auth attempts, your patch will return faster when the auth attempt gets the root password right.

Anyway, this particular problem was fixed earlier today in a way that (hopefully :-) won't do that. See http://bugzilla.mindrot.org/show_bug.cgi?id=971 and/or try tomorrow's snapshot.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
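
An added example, not part of either message or of OpenSSH: a small Python check that reads sshd_config text and reports the combination discussed in this thread, where "PermitRootLogin without-password" with "UsePAM yes" still lets root authenticate with a password through keyboard-interactive. The function names, the sample configurations and the table of default values are assumptions made for illustration.

```python
# Added example; the sample configurations below are constructed.
# Assumed defaults for keywords absent from the file (OpenSSH 3.9-era
# sshd_config); adjust the table for the version you are auditing.
DEFAULTS = {
    "usepam": "no",
    "challengeresponseauthentication": "yes",
    "permitrootlogin": "yes",
}

def effective_options(config_text):
    """Parse sshd_config text. sshd keeps the first value seen per keyword."""
    opts = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keywords are case-insensitive; "Keyword=value" is also accepted.
        parts = line.replace("=", " ", 1).split()
        if len(parts) >= 2:
            opts.setdefault(parts[0].lower(), parts[1].lower())
    return {**DEFAULTS, **opts}

def root_password_via_pam(config_text):
    """True when root may still log in with a password through
    keyboard-interactive/PAM despite 'without-password'."""
    o = effective_options(config_text)
    return (o["permitrootlogin"] == "without-password"
            and o["usepam"] == "yes"
            and o["challengeresponseauthentication"] == "yes")

# Constructed samples: the reported setup, then the same file with the
# keyboard-interactive path switched off as suggested in the reply.
EXPOSED = "# constructed sample\nPermitRootLogin without-password\nUsePAM yes\n"
HARDENED = EXPOSED + "ChallengeResponseAuthentication no\n"
NO_PAM = "PermitRootLogin without-password\nUsePAM no\n"

if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED), ("hardened", HARDENED),
                      ("no_pam", NO_PAM)):
        print(name, root_password_via_pam(cfg))
```
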