bugzilla-daemon at mindrot.org
2003-Sep-22 13:06 UTC
[Bug 701] With 'PermitRootPassword without-password' set, root w/pass can still log in with a using 'keyboard-int/pam'
http://bugzilla.mindrot.org/show_bug.cgi?id=701

           Summary: With 'PermitRootPassword without-password' set, root w/pass can still log in with a using 'keyboard-int/pam'
           Product: Portable OpenSSH
           Version: 3.7.1p1
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: sshd
        AssignedTo: openssh-bugs at mindrot.org
        ReportedBy: jfh at cise.ufl.edu

When the directive PermitRootLogin is specified as 'without-password', root can still log in with a password using the 'keyboard-interactive/pam' method and possibly others.

The fix is to permit only certain methods to allow root logins, and deny the rest. The patch I will be providing currently only allows root to log in with the 'publickey' method. Others can be added as necessary, but as methods are added in the future they will default to not allowing root to log in when PermitRootLogin is set to 'without-password' unless specified in this routine. (This is different from the patch I sent to the list, which allowed root to log in with all methods except those explicitly denied.)

This may warrant a security announcement, as there may be sites with PermitRootLogin set to 'without-password' who are using PAM for logins and who are unaware that root can still log in with a password.

Also, the following code in auth-passwd.c

    #ifndef HAVE_CYGWIN
            if (pw && pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
                    ok = 0;
    #endif

seems to prevent the auth.c:auth_root_allowed() routine from ever being called, meaning that the following log line in auth.c doesn't get called:

    logit("ROOT LOGIN REFUSED FROM %.200s", get_remote_ipaddr());

When the code in auth-passwd.c is commented out, auth.c:auth_root_allowed() gets run properly.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
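A configuration audit for the scenario the report describes, added here as an example; it is not part of the bug report, of the attached patch, or of OpenSSH itself. It checks an sshd_config for the combination that bites on 3.7.1p1: PermitRootLogin without-password together with UsePAM yes and ChallengeResponseAuthentication yes (the latter's default), which leaves root a password path through 'keyboard-interactive/pam'. Assumptions: keyword names and defaults follow the 3.7-era sshd_config (PermitRootLogin defaults to yes, UsePAM to no, ChallengeResponseAuthentication to yes; later releases renamed the last option KbdInteractiveAuthentication), lines are in the plain "Keyword value" form, and there are no Match blocks (which 3.7 did not have). The two sample configs are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the bug report or OpenSSH): audit a 3.7-era
# sshd_config for the root-password-via-PAM gap described in bug 701.

# Print the effective value of keyword $2 in sshd_config $1, or $3 if the
# keyword is absent. sshd uses the first occurrence of a keyword and
# ignores later duplicates, so the first match wins; keyword matching is
# case-insensitive, as in sshd. Assumes "Keyword value" syntax only.
sshd_option() {
    awk -v key="$2" -v def="$3" '
        BEGIN { key = tolower(key); found = 0 }
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # comments and blank lines
        tolower($1) == key { print $2; found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# Exit status 0 when the config matches the bug 701 scenario: root is
# limited to "without-password", yet PAM keyboard-interactive is enabled,
# so on 3.7.1p1 root can still authenticate with a password.
root_pam_password_gap() {
    prl=$(sshd_option "$1" PermitRootLogin yes)
    pam=$(sshd_option "$1" UsePAM no)
    cra=$(sshd_option "$1" ChallengeResponseAuthentication yes)
    [ "$prl" = without-password ] && [ "$pam" = yes ] && [ "$cra" = yes ]
}

# Human-readable verdict; exit status 1 when the gap is present.
audit_sshd_config() {
    if root_pam_password_gap "$1"; then
        echo "$1: PermitRootLogin without-password, but UsePAM yes and" \
             "ChallengeResponseAuthentication yes: root can still log in" \
             "with a password via keyboard-interactive/pam"
        return 1
    fi
    echo "$1: no root password path through keyboard-interactive/pam"
    return 0
}

# Constructed sample configs (not taken from any real host).
weak=$(mktemp); hard=$(mktemp)
cat >"$weak" <<'EOF'
# constructed sample: the scenario from the report
Port 22
PermitRootLogin without-password
UsePAM yes
# ChallengeResponseAuthentication left at its default of yes
EOF
cat >"$hard" <<'EOF'
# constructed sample: keyboard-interactive disabled, so root is left with
# publickey only
PermitRootLogin without-password
UsePAM yes
ChallengeResponseAuthentication no
EOF

for f in "$weak" "$hard"; do
    audit_sshd_config "$f" || :    # non-zero status flags the gap; keep going
done
rm -f "$weak" "$hard"
```

Disabling ChallengeResponseAuthentication is the crude fix shown here; the alternative the thread discusses is leaving keyboard-interactive on and making the PAM stack itself refuse root passwords, which this script cannot see and does not check.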
bugzilla-daemon at mindrot.org
2003-Sep-22 13:10 UTC
[Bug 701] With 'PermitRootPassword without-password' set, root w/pass can still log in with a using 'keyboard-int/pam'
http://bugzilla.mindrot.org/show_bug.cgi?id=701

------- Additional Comments From jfh at cise.ufl.edu 2003-09-22 23:10 -------
Created an attachment (id=446)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=446&action=view)
Allows only the 'publickey' method when 'PermitRootLogin' is set to 'without-password'
bugzilla-daemon at mindrot.org
2003-Sep-22 13:17 UTC
[Bug 701] With 'PermitRootPassword without-password' set, root w/pass can still log in with a using 'keyboard-int/pam'
http://bugzilla.mindrot.org/show_bug.cgi?id=701

------- Additional Comments From markus at openbsd.org 2003-09-22 23:17 -------
The problem is that login via PAM might be anything, so the PAM modules have to restrict things. What should be done if PAM auth might be S/Key? Then "without-passwd" should allow login? Or not? I think that if PAM is used then PAM has to be configured properly.
bugzilla-daemon at mindrot.org
2003-Sep-22 13:42 UTC
[Bug 701] With 'PermitRootPassword without-password' set, root w/pass can still log in with a using 'keyboard-int/pam'
http://bugzilla.mindrot.org/show_bug.cgi?id=701

------- Additional Comments From markus at openbsd.org 2003-09-22 23:42 -------
Patch looks good. Will work on something similar.
bugzilla-daemon at mindrot.org
2003-Sep-22 13:49 UTC
[Bug 701] With 'PermitRootPassword without-password' set, root w/pass can still log in with a using 'keyboard-int/pam'
http://bugzilla.mindrot.org/show_bug.cgi?id=701

------- Additional Comments From jfh at cise.ufl.edu 2003-09-22 23:49 -------
Perhaps then, the wording of the sshd_config(8) man page should be modified somewhat. Change

    If this option is set to ``without-password'' password authentication
    is disabled for root.

to

    If this option is set to ``without-password'', logins via the OpenSSH
    password authentication method are disabled for root. Other
    authentication methods (e.g., PAM) may still allow root to log in via
    a password.

Would anyone be interested in a 'publickey' setting for the 'PermitRootLogin' directive? I should be able to code one up in the next day or so. This would remove any ambiguity and lock down logins to publickey only.

(Sorry if this is a dup -- I responded via email to Markus' first comment and it didn't show up -- I'm obviously Bugzilla-impaired :->)

Jim