Chris Adams wrote:
> I have "PermitRootLogin no" in my sshd_config, but under Tru64 and SIA,
> the root login attempts still get passed to the SIA system (so I get
> lots of warnings about failed root logins). On systems with a "max
> failed attempts" setting, the root account can be locked out this way.
> I started looking at the code, and I'm not sure I understand what I
> see.
>
> In auth-passwd.c, function auth_password checks permit_root_login, but
> it doesn't stop if it fails. It goes on and calls the authentication
> function (sys_auth_passwd from auth-sia.c for SIA) but still returns
> failure. Why?
It's trying to behave the same for all these different cases, while still
denying the logins that should be denied:
- valid user but wrong password
- denied by sshd config (permitrootlogin=no, denyusers) + wrong password
- denied by sshd config (permitrootlogin=no, denyusers) + right password
- non-existent user
Returning early allows an attacker to determine some settings, and in some
cases guess passwords.
The lower-level drivers do whatever they need to to present this
consistent behaviour (in the case of PAM, that means feeding bogus
passwords in the denied-by-config cases, otherwise).
> Should I just modify auth-sia.c sys_auth_passwd() to check the
> permit_root_login option and fail without calling the SIA functions?
If that's the right thing to do in this case. You're ignoring actual
login attempts (even though they have no chance of succeeding); is that the
right thing?
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
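
The trade-off discussed in this message, as an added example that is not OpenSSH code and not part of the original post: an early-return check next to one that always calls the backend and then forces failure. The account table, `backend_check()` (a stand-in for a call such as `sys_auth_passwd()`), `auth_early_return()`, `auth_uniform()` and the `backend_calls` counter are all hypothetical names constructed for the illustration.

```c
#include <stdio.h>
#include <string.h>
/* Constructed accounts; a real backend (SIA, PAM) verifies hashes instead. */
struct account { const char *name, *secret; int denied_by_config; };
static const struct account accounts[] = {
    { "alice", "correct-horse", 0 },
    { "root",  "root-secret",   1 },  /* models PermitRootLogin no */
};
static int backend_calls;             /* observable work per attempt */

static const struct account *lookup(const char *user) {
    for (size_t i = 0; i < sizeof accounts / sizeof accounts[0]; i++)
        if (strcmp(accounts[i].name, user) == 0) return &accounts[i];
    return NULL;
}

/* Hypothetical backend stand-in; scans the whole password, no early exit. */
int backend_check(const char *secret, const char *password) {
    size_t slen = strlen(secret), plen = strlen(password);
    unsigned char diff = (slen != plen);
    backend_calls++;
    for (size_t i = 0; i < plen; i++)
        diff |= (unsigned char)(password[i] ^ secret[i % slen]);
    return diff == 0;
}

/* Early return: denied and unknown users never reach the backend. */
int auth_early_return(const char *user, const char *password) {
    const struct account *a = lookup(user);
    if (a == NULL || a->denied_by_config) return 0;
    return backend_check(a->secret, password);
}

/* Uniform: always run the backend, then force failure if not permitted. */
int auth_uniform(const char *user, const char *password) {
    const struct account *a = lookup(user);
    int ok = backend_check(a ? a->secret : "dummy-never-matches", password);
    return ok && a != NULL && !a->denied_by_config;
}

int main(void) {
    const char *c[4][2] = { {"alice", "wrong"}, {"root", "wrong"},
                            {"root", "root-secret"}, {"nobody", "wrong"} };
    for (int i = 0; i < 4; i++) {
        backend_calls = 0;
        int r = auth_uniform(c[i][0], c[i][1]);
        printf("%-6s ok=%d backend_calls=%d\n", c[i][0], r, backend_calls);
    }
    return 0;
}
```

In the uniform version every attempt reaches the backend, which is why a backend with a failed-attempt counter still records the denied root logins described in the quoted question.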