bugzilla-daemon at mindrot.org
2003-Feb-06 15:46 UTC
[Bug 486] New: "PermitRootLogin no" can implicitly reveal root password
http://bugzilla.mindrot.org/show_bug.cgi?id=486
Summary: "PermitRootLogin no" can implicitly reveal root password
Product: Portable OpenSSH
Version: 3.5p1
Platform: All
OS/Version: Linux
Status: NEW
Severity: security
Priority: P2
Component: sshd
AssignedTo: openssh-unix-dev at mindrot.org
ReportedBy: blizzy at blizzy.de
With 3.5p1, when setting "PermitRootLogin no" in /etc/ssh/sshd_config, logging in as root is disabled, of course.

However, when entering the correct password, ssh prints "Connection reset by peer" and exits immediately. When entering the wrong password, it will prompt you again.

I think this qualifies as a security hole, since you can use brute-force tools to try to login as root. Of course you need to have/hack another account to actually have the possibility to become root (via su or other means), but at least you know the password.
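The report above describes a response oracle: two failure paths (a wrong password versus a correct password for a user the policy forbids) look different to the remote client. The following model, added here as an illustration and not OpenSSH's own code, shows the check ordering that produces such an oracle next to a variant that returns one uniform failure response, with a regression check that tells the two apart. The credential store, salt and passwords are constructed for the demo; the response names are assumed labels for what the client observes.

```python
"""Model of the authentication response oracle described in bug 486.

Added example, not OpenSSH code. A server that verifies the password before
applying the "root is not permitted" policy leaks whether the password was
right, because the two failure paths are distinguishable from the client side.
"""
import hashlib
import hmac
from enum import Enum


class Response(Enum):
    """What the remote client can observe after one password attempt."""
    RETRY = "prompt again"           # ordinary authentication failure
    DISCONNECT = "connection reset"  # server dropped the connection
    SUCCESS = "session opened"


def _hash(password: str, salt: bytes) -> bytes:
    # Low iteration count keeps the demo fast; production code uses far more.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


# Constructed credential store: salt and passwords are made up for this demo.
_SALT = b"constructed-salt"
CREDENTIALS = {
    "root": _hash("constructed-root-pw", _SALT),
    "alice": _hash("constructed-alice-pw", _SALT),
}
PERMIT_ROOT_LOGIN = False  # models "PermitRootLogin no" in sshd_config


def password_ok(user: str, password: str) -> bool:
    """Constant-time comparison against the stored hash; unknown users fail."""
    stored = CREDENTIALS.get(user)
    if stored is None:
        return False
    return hmac.compare_digest(stored, _hash(password, _SALT))


def leaky_auth(user: str, password: str) -> Response:
    """Check ordering matching the behaviour the report describes: the
    password is verified first and the root policy applied afterwards, so a
    correct root password ends in DISCONNECT and a wrong one in RETRY."""
    if not password_ok(user, password):
        return Response.RETRY
    if user == "root" and not PERMIT_ROOT_LOGIN:
        return Response.DISCONNECT
    return Response.SUCCESS


def uniform_auth(user: str, password: str) -> Response:
    """Policy-denied users receive exactly the outcome a wrong password gets,
    so the client learns nothing about the password. The hash is still
    computed so the timing profile matches a real attempt."""
    ok = password_ok(user, password)
    permitted = PERMIT_ROOT_LOGIN or user != "root"
    if ok and permitted:
        return Response.SUCCESS
    return Response.RETRY


def is_oracle(auth, user: str, correct: str, wrong: str) -> bool:
    """Regression check for a policy-denied account: a correct and a wrong
    password must yield the same observable response, otherwise the server
    is confirming password guesses it should never act on."""
    return auth(user, correct) != auth(user, wrong)


if __name__ == "__main__":
    for name, fn in (("leaky", leaky_auth), ("uniform", uniform_auth)):
        leaks = is_oracle(fn, "root", "constructed-root-pw", "not-the-password")
        print(f"{name}: root login disabled, password oracle present = {leaks}")
```

`is_oracle` is the kind of check worth keeping in a test suite for any login path that combines a credential check with a policy decision: the fix for this class of bug is not hiding the error text but making the denied-by-policy outcome identical to an ordinary failed attempt.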
Frank Cusack
2003-Feb-23 01:33 UTC
[Bug 486] New: "PermitRootLogin no" can implicitly reveal root password
Can someone (Markus?) point me to the change which fixes this? Is there a publicly available mailing list archive where CVS logs can be found?

thx
/fc

On Fri, Feb 07, 2003 at 02:46:19AM +1100, bugzilla-daemon at mindrot.org wrote:
> http://bugzilla.mindrot.org/show_bug.cgi?id=486
>
> Summary: "PermitRootLogin no" can implicitly reveal root password
> Product: Portable OpenSSH
> Version: 3.5p1
> Platform: All
> OS/Version: Linux
> Status: NEW
> Severity: security
> Priority: P2
> Component: sshd
> AssignedTo: openssh-unix-dev at mindrot.org
> ReportedBy: blizzy at blizzy.de
>
> With 3.5p1, when setting "PermitRootLogin no" in /etc/ssh/sshd_config, logging
> in as root is disabled, of course.
>
> However, when entering the correct password, ssh prints "Connection reset by
> peer" and exits immediately. When entering the wrong password, it will prompt
> you again.
>
> I think this qualifies as a security hole, since you can use brute-force tools
> to try to login as root. Of course you need to have/hack another account to
> actually have the possibility to become root (via su or other means), but at
> least you know the password.
>
> ------- You are receiving this mail because: -------
> You are the assignee for the bug, or are watching the assignee.
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
Markus Friedl
2003-Feb-23 11:28 UTC
[Bug 486] New: "PermitRootLogin no" can implicitly reveal root password
On Sat, Feb 22, 2003 at 05:33:29PM -0800, Frank Cusack wrote:
> Can someone (Markus?) point me to the change which fixes this? Is
> there a publicly available mailing list archive where CVS logs
> can be found?

I backed out the first patch from bug #387.