openssh bugs - Jan 2005 - [Bug 701] With 'PermitRootPassword without-password' set, root w/pass can still log in with a using 'keyboard-int/pam'

http://bugzilla.mindrot.org/show_bug.cgi?id=701

dtucker at zip.com.au changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  BugsThisDependsOn|                            |971



------- Additional Comments From dtucker at zip.com.au  2005-01-11 18:25 -------
Patch attachment #766 in bug #971 should fix this.



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=701


Bug 701 depends on bug 971, which changed state.

Bug 971 Summary: keyboard-interactive/pam leaks info about user existence
http://bugzilla.mindrot.org/show_bug.cgi?id=971

           What    |Old Value                   |New Value
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED





------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=701





------- Additional Comments From dtucker at zip.com.au  2005-01-27 14:48 -------
(In reply to comment #0)
> Also, the following code in auth-password.c
> 
>  #ifndef HAVE_CYGWIN
>    if (pw && pw->pw_uid == 0 &&
options.permit_root_login != PERMIT_YES)
>            ok = 0;
>  #endif
> 
> seems to prevent the auth.c:auth_root_allowed() routine from ever being
> called, meaning that the following log line in auth.c doesn't get
called:
> 
>     logit("ROOT LOGIN REFUSED FROM %.200s", get_remote_ipaddr());
> 
> When the code in auth-passwd.c is commented out, auth.c:auth_root_allowed()
> gets run properly.
The problem with changing this is that the "ROOT LOGIN REFUSED"
message is only
supposed to appear when root authenticated successfully but was denied by
sshd_config.

To deal with potential information leaks (ie bug #971), in the case of an
invalid login, sshd will trash the user's response before handing it back to
PAM, so that PAM behaves the same way for these cases:
 - password wrong
 - password right but denied by sshd_config (PermitRootLogin, AllowUsers etc).

Because of this, sshd will never know if the credentials the user supplied are
valid, which means that it can either log *every* attempt or *none*, but it can
no longer log only the ones that were denied by sshd_config.



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=701


dtucker at zip.com.au changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|                            |FIXED




------- Additional Comments From dtucker at zip.com.au  2005-02-01 19:18 -------
The patch in bug #971 prevents root from logging in via keyboard-interactive
when "PermitRootLogin without-password" and has been in the devel tree
for a
while.  It will be in the next release.  I have removed the comment in
sshd_config.5 since it no longer applies.




------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.