Hi all,

among other things, we provide shell access to various unix based platforms for our students and university staff. Recently, there has been an increasing number of root login attacks on one particular Tru64 machine running OpenSSH.

The host is configured with "PermitRootLogin no" but every once in a while SIA auth with TCB enhanced security locks the root account.

I suppose the problem could be solved at two separate levels, for SIA only in auth-sia.c, or for any password-using auth method in auth-passwd.c.

I'd prefer a fix just for auth-passwd.c, are there any reasons to try out auth_krb5_password, sshpam_auth_passwd or sys_auth_passwd if variable "ok" is set to zero already?

Cheers,
-Antti

Index: auth-passwd.c
===================================================================
RCS file: /openssh/openssh_cvs/auth-passwd.c,v
retrieving revision 1.86
diff -u -r1.86 auth-passwd.c
--- auth-passwd.c	5 Aug 2006 02:39:39 -0000	1.86
+++ auth-passwd.c	14 Sep 2006 10:54:12 -0000
@@ -88,7 +88,7 @@
 #ifndef HAVE_CYGWIN
 	if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
-		ok = 0;
+		return 0;
 #endif
 	if (*password == '\0' && options.permit_empty_passwd == 0)
 		return 0;
Index: auth-sia.c
===================================================================
RCS file: /openssh/openssh_cvs/auth-sia.c,v
retrieving revision 1.18
diff -u -r1.18 auth-sia.c
--- auth-sia.c	7 Sep 2006 23:54:41 -0000	1.18
+++ auth-sia.c	14 Sep 2006 10:54:12 -0000
@@ -55,12 +55,14 @@
 	int ret;
 	SIAENTITY *ent = NULL;
 	const char *host;
+	struct passwd * pw = authctxt->pw;
 
-	host = get_canonical_hostname(options.use_dns);
-
+	if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
+		return (0);
 	if (!authctxt->user || pass == NULL || pass[0] == '\0')
 		return (0);
+	host = get_canonical_hostname(options.use_dns);
 	if (sia_ses_init(&ent, saved_argc, saved_argv, host, authctxt->user,
 	    NULL, 0, NULL) != SIASUCCESS)
 		return (0);

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev at mindrot.org
http://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
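Review bot: in the auth-passwd.c hunk, turning `ok = 0;` into `return 0;` makes a refused root attempt leave auth_password() before the remaining password checks run, so it completes faster than a wrong-password attempt for a permitted user; with `ok = 0` the root attempt took the same path as any other failure and was only refused at the end. If the aim is merely to keep the SIA/TCB backend from locking root, that should be done without changing which path a root attempt takes, or the trade-off (the "PermitRootLogin no" setting becoming observable from the response time) should at least be stated in the commit message. The early return also stays inside `#ifndef HAVE_CYGWIN`, so Cygwin builds keep the old behaviour, as they did with the `ok = 0` line.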
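Review bot: in the auth-sia.c hunk, the new `struct passwd * pw = authctxt->pw;` is dereferenced (`pw->pw_uid`) before the existing `if (!authctxt->user || pass == NULL || pass[0] == '\0')` guard, so if `authctxt->pw` can be unset on this path (an unknown user, for instance) the new check crashes instead of refusing; either place the root check after that guard and test `pw != NULL`, or confirm that every caller populates `authctxt->pw` before calling here. Moving `host = get_canonical_hostname(options.use_dns);` below the checks is good (no DNS lookup for attempts that are refused anyway). Style: the neighbouring declaration writes `SIAENTITY *ent`, so `struct passwd *pw` would match.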
On Thu, Sep 14, 2006 at 02:20:03PM +0300, Antti Tapaninen wrote:
> Hi all,
>
> among other things, we provide shell access to various unix based
> platforms for our students and university staff. Recently, there has been
> an increasing number of root login attacks on one particular Tru64 machine
> running OpenSSH.
>
> The host is configured with "PermitRootLogin no" but every once in a while
> SIA auth with TCB enhanced security locks the root account.
>
> I suppose the problem could be solved at two separate levels, for SIA only
> in auth-sia.c, or for any password-using auth method in auth-passwd.c.
>
> I'd prefer a fix just for auth-passwd.c, are there any reasons to try out
> auth_krb5_password, sshpam_auth_passwd or sys_auth_passwd if variable "ok"
> is set to zero already?

On platforms where a failed login attempt is noticeable by the time it takes, shortcutting the "ok" check leaks information about what is and is not permitted.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
On Thu, 14 Sep 2006, Darren Tucker wrote:
> On platforms where a failed login attempt is noticeable by the time it takes,
> shortcutting the "ok" check leaks information about what is and is not
> permitted.

I'm not following, sorry. What do you mean by noticeable and leaking information about what is and is not permitted?

As for noticing or monitoring failed authentications, auth_log() does a pretty good job informing about failed user authentications and where they came from.

I fail to see how it's reasonable to allow anyone to attack and even lock root accounts, even though PermitRootLogin sounds like a perfect solution against it. Using auth layers (pam, sia, kdc, something other not so lightweight) for nothing.

Thanks,
-Antti
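To make the disagreement above concrete, here is an added example (not OpenSSH code, and not from either poster) that models the unpatched auth_password() shape next to the patched early-return shape against a constructed backend stub. The stub counts how often the backend is invoked, which stands in both for the backend delay Darren refers to and for the lockout side effect Antti reports; the struct names, the `attempt()` helper and the "alice" credential are all constructed for the example.

```c
#include <string.h>

struct options { int permit_root_login; int permit_empty_passwd; };
struct authctxt { const char *user; unsigned int uid; };
enum { PERMIT_YES = 1 };   /* the only value the root check compares against */

/* Backend (SIA/PAM/krb5) invocation counter: a proxy for the delay such a call
 * costs and for the lockout it may trigger. The constructed stub knows "alice". */
static int backend_calls;
static int backend_auth_stub(const struct authctxt *c, const char *pw)
{
    backend_calls++;
    return strcmp(c->user, "alice") == 0 && strcmp(pw, "correct horse") == 0;
}

/* Unpatched shape: root is refused through "ok = 0", but the backend still
 * runs, so a refused root attempt costs the same as any failed password. */
static int auth_upstream(const struct authctxt *c, const char *pw, const struct options *o)
{
    int ok = 1;
    if (c->uid == 0 && o->permit_root_login != PERMIT_YES)
        ok = 0;
    if (*pw == '\0' && o->permit_empty_passwd == 0)
        return 0;
    return backend_auth_stub(c, pw) && ok;
}

/* Patched shape: return before the backend is consulted. The backend can no
 * longer lock root, but a root attempt now fails without the backend's delay,
 * which is the observable difference Darren's reply points at. */
static int auth_early_return(const struct authctxt *c, const char *pw, const struct options *o)
{
    if (c->uid == 0 && o->permit_root_login != PERMIT_YES)
        return 0;
    if (*pw == '\0' && o->permit_empty_passwd == 0)
        return 0;
    return backend_auth_stub(c, pw);
}

/* One attempt with "PermitRootLogin no" and empty passwords refused; returns 1
 * if accepted and stores the number of backend calls it caused in *calls. */
int attempt(int early_return, const char *user, unsigned int uid, const char *pw, int *calls)
{
    struct options o = { 0, 0 };
    struct authctxt c = { user, uid };
    backend_calls = 0;
    int accepted = early_return ? auth_early_return(&c, pw, &o) : auth_upstream(&c, pw, &o);
    *calls = backend_calls;
    return accepted;
}
```

A root attempt through the upstream shape still reaches the backend once (same cost as any failure, but the backend can lock the account); through the patched shape it reaches the backend zero times (no lockout, but a distinguishable fast refusal).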