bugzilla-daemon at mindrot.org
2005-Jan-11 07:25 UTC
[Bug 701] With 'PermitRootPassword without-password' set, root w/pass can still log in with a using 'keyboard-int/pam'
http://bugzilla.mindrot.org/show_bug.cgi?id=701

dtucker at zip.com.au changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  BugsThisDependsOn|                            |971

------- Additional Comments From dtucker at zip.com.au 2005-01-11 18:25 -------
Patch attachment #766 in bug #971 should fix this.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2005-Jan-20 03:29 UTC
[Bug 701] With 'PermitRootPassword without-password' set, root w/pass can still log in with a using 'keyboard-int/pam'
http://bugzilla.mindrot.org/show_bug.cgi?id=701

Bug 701 depends on bug 971, which changed state.

Bug 971 Summary: keyboard-interactive/pam leaks info about user existence
http://bugzilla.mindrot.org/show_bug.cgi?id=971

           What    |Old Value                   |New Value
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED
bugzilla-daemon at mindrot.org
2005-Jan-27 03:48 UTC
[Bug 701] With 'PermitRootPassword without-password' set, root w/pass can still log in with a using 'keyboard-int/pam'
http://bugzilla.mindrot.org/show_bug.cgi?id=701

------- Additional Comments From dtucker at zip.com.au 2005-01-27 14:48 -------
(In reply to comment #0)
> Also, the following code in auth-password.c
>
> #ifndef HAVE_CYGWIN
>         if (pw && pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
>                 ok = 0;
> #endif
>
> seems to prevent the auth.c:auth_root_allowed() routine from ever being
> called, meaning that the following log line in auth.c doesn't get called:
>
>         logit("ROOT LOGIN REFUSED FROM %.200s", get_remote_ipaddr());
>
> When the code in auth-passwd.c is commented out, auth.c:auth_root_allowed()
> gets run properly.

The problem with changing this is that the "ROOT LOGIN REFUSED" message is only supposed to appear when root authenticated successfully but was denied by sshd_config.

To deal with potential information leaks (i.e. bug #971), in the case of an invalid login, sshd will trash the user's response before handing it back to PAM, so that PAM behaves the same way for these cases:
- password wrong
- password right but denied by sshd_config (PermitRootLogin, AllowUsers etc).

Because of this, sshd will never know if the credentials the user supplied are valid, which means that it can either log *every* attempt or *none*, but it can no longer log only the ones that were denied by sshd_config.
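As an added illustration (not OpenSSH's code), the two designs the comment above contrasts: a variant that short-circuits before PAM when sshd_config denies the login, and the approach dtucker describes, which always runs the PAM conversation but trashes the response first. `fake_pam_authenticate`, `auth_leaky`, `auth_hardened`, `root_allowed` and the password `demo-secret` are constructed stand-ins, not real sshd or PAM interfaces.

```c
/* Added illustration (not OpenSSH code): why sshd trashes the response
 * before handing it to PAM when sshd_config denies the login. */
#include <stdio.h>
#include <string.h>

#define PERMIT_YES 1
#define PERMIT_NO  0   /* stands in for "without-password" / "no" */

/* Stand-in for PAM: counts how often it is consulted and succeeds only
 * on the constructed demo password. A real PAM stack would also add its
 * failure delay and log the attempt; skipping it for some accounts is
 * what becomes observable from outside. */
static int pam_calls = 0;
static int fake_pam_authenticate(const char *user, const char *response)
{
    pam_calls++;
    return strcmp(user, "root") == 0 && strcmp(response, "demo-secret") == 0;
}

/* Simplified sshd_config policy: root may use password or
 * keyboard-interactive only when PermitRootLogin is "yes". */
static int root_allowed(const char *user, int permit_root_login)
{
    return strcmp(user, "root") != 0 || permit_root_login == PERMIT_YES;
}

/* Leaky variant: returns before PAM when policy denies, so PAM's delay
 * and logging happen for some accounts and not others. */
int auth_leaky(const char *user, const char *response, int permit_root_login)
{
    if (!root_allowed(user, permit_root_login))
        return 0;                        /* PAM never consulted */
    return fake_pam_authenticate(user, response);
}

/* Hardened variant: the PAM conversation always runs, but the real
 * credential is replaced with junk when policy denies the login, so PAM
 * fails identically for "wrong password" and "denied by sshd_config".
 * sshd itself can then no longer tell the two cases apart. */
int auth_hardened(const char *user, const char *response, int permit_root_login)
{
    char buf[256];
    snprintf(buf, sizeof buf, "%s", response);
    if (!root_allowed(user, permit_root_login))
        memset(buf, '\0', sizeof buf);   /* trash the real credential */
    return fake_pam_authenticate(user, buf);
}

int pam_call_count(void) { return pam_calls; }
void reset_pam_calls(void) { pam_calls = 0; }
```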
bugzilla-daemon at mindrot.org
2005-Feb-01 08:18 UTC
[Bug 701] With 'PermitRootPassword without-password' set, root w/pass can still log in with a using 'keyboard-int/pam'
http://bugzilla.mindrot.org/show_bug.cgi?id=701

dtucker at zip.com.au changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|                            |FIXED

------- Additional Comments From dtucker at zip.com.au 2005-02-01 19:18 -------
The patch in bug #971 prevents root from logging in via keyboard-interactive when "PermitRootLogin without-password" and has been in the devel tree for a while. It will be in the next release.

I have removed the comment in sshd_config.5 since it no longer applies.