Hi all,

I think that there is a security problem with the PermitRootLogin option.

I asked for a root ssh connection:

    $ ssh root at machine
    root at machine's password:

I typed no password, and this prompt stayed in place.

Second, I changed PermitRootLogin to no, and then restarted the ssh server.

Third, I typed the password at the previous prompt, and access was allowed.

I then retried to connect and, at this time, the root connection was disallowed, as expected.

So, is it possible to inform the ssh client that the ssh server has restarted when it gives a prompt?

Thank you for your help.

P.S: I didn't see how to subscribe to this list, so I cannot follow your responses. Can anyone send me how to subscribe?

P.P.S: The ssh server was a Linux Fedora Core 4, up to date, with openssh v. 4.2p_1.

---
Michaël Hooreman
Keyware Transaction and Processing
Rue Laid Burniad, 4
1348 - Louvain-La-Neuve
Belgium
Tel : +32 (0)10 48 01 21
Fax : +32 (0)10 45 77 67
mhooreman at be.keyware.com
Hi,

On Mon, Feb 13, 2006 at 12:02:56PM +0100, Michaël Hooreman wrote:
> Second, I changed PermitRootLogin to no, and then restarted the ssh
> server.
>
> Third, I typed the password at the previous prompt, and access was
> allowed.

Actually, you have not "restarted ssh server" - you have restarted the process that handles *new* connections, but you have NOT restarted the process that was already handling this specific connection, sitting at the password prompt.

If you stop *all* sshd processes, you'll see that the connection will also go away.

gert

--
USENET is *not* the non-clickable part of WWW!                          //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
On Mon, Feb 13, 2006 at 12:02:56PM +0100, Michaël Hooreman wrote:
> I think that there is a security problem with the PermitRootLogin
> option.
>
> I asked for a root ssh connection:
>
> $ ssh root at machine
> root at machine's password:
>
> I typed no password, and this prompt stayed in place.
>
> Second, I changed PermitRootLogin to no, and then restarted the ssh
> server.
>
> Third, I typed the password at the previous prompt, and access was
> allowed.

That's how most Unix daemons work: once the copy started to handle the connection is forked, it's an independent process.

If it matters to you, also kill off any running sshd's when you restart (but be careful not to kill the one you're connecting by). The session can only remain active for LoginGraceTime anyway (which by default is 2 min).

> I then retried to connect and, at this time, the root connection was
> disallowed, as expected.
>
> So, is it possible to inform the ssh client that the ssh server has
> restarted when it gives a prompt?

Not easily and/or without the risk of killing off active sessions. Some vendors' sshd restart scripts used to do that kind of thing (i.e. "pkill sshd"), and as the victim of one of them (on a remote, fortunately non-production machine), I'm not keen to see it make a comeback.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.
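One way to follow Darren's advice about leftover sshd processes without the "pkill sshd" risk he describes, as an added example that is not part of the thread: the helper below selects only the forked children still sitting at the authentication stage (the ones that keep running under the old configuration after a listener restart) and leaves authenticated sessions alone. It assumes OpenSSH's process titles ("sshd: [accepted]" / "sshd: [net]" before authentication, "sshd: user [priv]" / "sshd: user@pts/N" after), which is an assumption about the version in use, and runs against a constructed process listing.

```shell
#!/bin/sh
# Added example, not from the thread. After the sshd listener is restarted,
# children forked under the old configuration keep running until they finish
# or LoginGraceTime (120 s by default) expires. This helper reports only the
# children still waiting for credentials, so they can be terminated without
# touching authenticated sessions, including the one used to run this.
# Assumed OpenSSH process titles (verify with `ps -o pid,ppid,args -C sshd`
# on your version): "sshd: [accepted]" (privileged monitor) and "sshd: [net]"
# (unprivileged child) before authentication; "sshd: user [priv]" and
# "sshd: user@pts/N" once a user is logged in.

# $1: listing with columns "PID PPID ARGS" (e.g. ps -o pid,ppid,args -C sshd;
#     a header line is harmlessly skipped because it matches no title)
# $2: PID of the sshd serving the current session; never reported
pending_sshd_pids() {
    psd_listing=$1
    psd_own=$2
    printf '%s\n' "$psd_listing" | while read -r psd_pid psd_ppid psd_args; do
        case "$psd_args" in
            'sshd: [accepted]'*|'sshd: [net]'*) ;;  # still at the password prompt
            *) continue ;;                          # listener or authenticated session
        esac
        # Belt and braces: never report our own session's sshd or its child.
        [ "$psd_pid" = "$psd_own" ] && continue
        [ "$psd_ppid" = "$psd_own" ] && continue
        printf '%s\n' "$psd_pid"
    done
}

# Constructed sample listing: the listener, two connections parked at the
# password prompt, and one authenticated session belonging to alice.
SAMPLE_PS='  812     1 /usr/sbin/sshd -D
 4101   812 sshd: [accepted]
 4102  4101 sshd: [net]
 4200   812 sshd: alice [priv]
 4201  4200 sshd: alice@pts/0
 4300   812 sshd: [accepted]
 4301  4300 sshd: [net]'

# Dry run on the sample: prints 4101 4102 4300 4301 and never 812, 4200 or 4201.
# On a live host, with $PPID being the sshd behind an interactive login shell:
#   pending_sshd_pids "$(ps -o pid,ppid,args -C sshd)" "$PPID" | xargs -r kill
pending_sshd_pids "$SAMPLE_PS" 4200
```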