I'm running version 4.7p1 of OpenSSH on a Linux system (it was originally a RedHat system, but I've changed almost everything.) When I originally built OpenSSH I used the config option --without-pam, and installed the software in /usr/local. I explicitly forbade root login with sshd (by setting the PermitRootLogin to "no" in the sshd_config file), but found that I could login as root. Examination of the code revealed that PermitRootLogin is only dealt with in auth-pam.c, which is surrounded by #ifdef USE_PAM/#endif. I rebuilt OpenSSH with the --with-pam option enabled, installed, set PermitRootLogin to "no", and restarted. It still permits root login. This seems to raise two security problems, both serious: 1. PermitRootLogin is never used if sshd is built without PAM support, but the documentation is silent on this. 2. Even if sshd is built with PAM support, PermitRootLogin has no effect. -- ----------------------------------------------------------------------------------------- Wocky | A poem for the lonely: hello. fishcustard at gmail.com | -- Spike Milligan -----------------------------------------------------------------------------------------
Danny Mitchell wrote:> I'm running version 4.7p1 of OpenSSH on a Linux system (it was > originally a RedHat system, but I've changed almost everything.) When > I originally built OpenSSH I used the config option --without-pam, and > installed the software in /usr/local. I explicitly forbade root login > with sshd (by setting the PermitRootLogin to "no" in the sshd_config > file), but found that I could login as root. Examination of the code > revealed that PermitRootLogin is only dealt with in auth-pam.c, which > is surrounded by #ifdef USE_PAM/#endif.It is also checked in auth.c in auth_root_allowed(), which is used as a final check in auth1.c and auth2.c.> I rebuilt OpenSSH with the > --with-pam option enabled, installed, set PermitRootLogin to "no", and > restarted. It still permits root login.What configure options did you build with? Did you remember to use --sysconfdir option to tell it to use the same files as the vendor sshd (probably /etc/ssh)? By default, OpenSSH Portable uses config files in /usr/local/etc. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
Reasonably Related Threads
- 3.7.1P2, PermitRootLogin and PAM with hidden NISplus passwor ds
- [Bug 2456] New: gssapi-keyex blocked by PermitRootLogin=without-password
- PermitRootLogin and Tru64 SIA
- PermitRootLogin without-password functionality differs for UsePAM yes/no option
- [Bug 2061] New: Request for PermitRootLogin to be enforced prior to credential check