Displaying 20 results from an estimated 33 matches for "permit_root_login".

2003 Jan 29
2
PermitRootLogin=yes no longer lets root login
Hi All, While testing another patch, I found that I could no longer log in as root, even if PermitRootLogin was yes. It seems to be the following code in auth_password: $ cvs diff -r1.48 -r1.49 auth-passwd.c [snip] #ifndef HAVE_CYGWIN - if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES) + if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_NO_PASSWD) return 0; #endif [snip] Was this intentional? -Daz. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good...
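Review bot: in the r1.49 line, the test `options.permit_root_login != PERMIT_NO_PASSWD` refuses root password authentication for every setting except PERMIT_NO_PASSWD, so PERMIT_YES is rejected and the without-password setting is the only one that gets past this check. That inverts the option: the refusal should apply when the value is anything other than PERMIT_YES, as the r1.48 line did.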
2005 Apr 07
1
PermitRootLogin and Tru64 SIA
...the SIA system (so I get lots of warnings about failed root logins). On systems with a "max failed attempts" setting, the root account can be locked out this way. I started looking at the code, and I'm not sure I understand what I see. In auth-passwd.c, function auth_password checks permit_root_login, but it doesn't stop if it fails. It goes on and calls the authentication function (sys_auth_passwd from auth-sia.c for SIA) but still returns failure. Why? Should I just modify auth-sia.c sys_auth_passwd() to check the permit_root_login option and fail without calling the SIA functions? Her...
2006 Sep 14
3
[PATCH] PermitRootLogin woes
...================== RCS file: /openssh/openssh_cvs/auth-passwd.c,v retrieving revision 1.86 diff -u -r1.86 auth-passwd.c --- auth-passwd.c 5 Aug 2006 02:39:39 -0000 1.86 +++ auth-passwd.c 14 Sep 2006 10:54:12 -0000 @@ -88,7 +88,7 @@ #ifndef HAVE_CYGWIN if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES) - ok = 0; + return 0; #endif if (*password == '\0' && options.permit_empty_passwd == 0) return 0; Index: auth-sia.c =================================================================== RCS file: /openssh/openssh_cvs/auth-sia.c,v retrieving revision 1.18 diff...
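Review bot: the new `return 0` in the root check leaves auth_password immediately, and the visible lines contain no log call on that path, so a refused root password attempt leaves no record from this function. Consider logging the refusal before returning so that these attempts stay visible to whoever monitors the auth log.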
2001 Jun 25
1
Apparent SSH-1.2.27 Rootkit
...get_remote_ipaddr()); authentication_type = SSH_AUTH_PASSWORD; authenticated = 1; break; @@ -2708,14 +2746,14 @@ } /* Check if the user is logging in as root and root logins are disallowed. */ - if (pw->pw_uid == UID_ROOT && options.permit_root_login == 1) + if (pw->pw_uid == UID_ROOT && options.permit_root_login == 1 && !lets_log) { if (authentication_type == SSH_AUTH_PASSWORD) packet_disconnect("ROOT LOGIN REFUSED FROM %.200s", get_canonical_hostname()); }...
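Review bot: the added `&& !lets_log` term makes the root-login refusal depend on a variable that is neither declared nor explained in the visible lines, and when it is set the `packet_disconnect("ROOT LOGIN REFUSED FROM %.200s", ...)` branch is skipped entirely. A change that weakens this check needs a documented, configuration-backed reason; without one it should be rejected and the source restored from a trusted copy.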
2000 Feb 17
1
OpenSSH allows guessing of root password?
I set sshd to deny root login. But I still get a password prompt! So if I get the password right, I get one error message: Received disconnect: ROOT LOGIN REFUSED FROM example.com while if I simply put in a wrong password three times I get Permission denied. If this means I set it up wrong please mail me directly - I'm not subscribed to the list. Otherwise please fix this. -- The
2000 Mar 27
1
Few question...
Hello, I have a few questions about openssh... 1/ there is probably a bug in auth-password.c in the auth_password function if (pw->pw_uid == 0 && options.permit_root_login == 2) return 0; if (*password == '\0' && options.permit_empty_passwd == 0) return 0; /* deny if no user. */ if (pw == NULL) <----------- this should be first checked .... return 0; 2/ do I have to always read the whole packet? For example: I send a packet with int and string...
2003 Mar 07
6
Call for testing for 3.6
We are heading into a lock here. So we need to get people to test their respective platforms if they wish them to be supported out of the tar file. So if you have any patches you need to ensure your platform works speak up. We are looking at a lock on the 17th. I believe I have an AIX/Cray patch and a Tru64 patch sitting in my mailbox that I'll be looking at soon and more than likely
2002 Jul 30
0
patch: disable credential forwarding after password auth.
...ord); + goto out; #else struct passwd * pw = authctxt->pw; char *encrypted_password; @@ -118,19 +123,23 @@ #endif /* deny if no user. */ - if (pw == NULL) - return 0; + if (pw == NULL) { + retval=0 ; goto out; + } #ifndef HAVE_CYGWIN - if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES) - return 0; + if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES) { + retval=0 ; goto out; + } #endif - if (*password == '\0' && options.permit_empty_passwd == 0) - return 0; + if (*password == '\0' && options.permit_empty_pa...
2002 Jun 14
1
[PATCH]: auth-passwd.c: Eliminate a Cygwin special case
...e: /cvs/openssh_cvs/auth-passwd.c,v retrieving revision 1.45 diff -u -p -r1.45 auth-passwd.c --- auth-passwd.c 15 May 2002 15:59:17 -0000 1.45 +++ auth-passwd.c 14 Jun 2002 08:15:04 -0000 @@ -124,13 +124,6 @@ auth_password(Authctxt *authctxt, const if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES) return 0; #endif -#ifdef HAVE_CYGWIN - /* - * Empty password is only possible on NT if the user has _really_ - * an empty password and authentication is done, though. - */ - if (!is_winnt) -#endif if (*password == '\0' && options.permit_empty_passwd == 0)...
2002 Jun 07
4
openssh for UWIN
...# include <crypt.h> *************** *** 114,119 **** --- 117,125 ---- /* deny if no user. */ if (pw == NULL) return 0; + #ifdef _UWIN + return(uwin_mktoken(pw->pw_name,password,UWIN_TOKCLOSE)!=0); + #endif #ifndef HAVE_CYGWIN if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES) return 0; *** readconf.c.orig Mon Feb 04 20:26:35 2002 --- readconf.c Thu May 30 16:55:00 2002 *************** *** 200,206 **** u_short host_port) { Forward *fwd; ! #ifndef HAVE_CYGWIN extern uid_t original_real_uid; if (port < IPPORT_RESERVED && origi...
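Review bot: the `#ifdef _UWIN` block returns the result of `uwin_mktoken(...)` directly after the `pw == NULL` test, so on UWIN builds the `options.permit_root_login != PERMIT_YES` check below it is never reached and PermitRootLogin has no effect on password logins. Move the UWIN return below the root-login check so the option is still enforced on that platform.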
2001 Nov 12
4
Please test -current
Could people please test -current? We will be making a release fairly soon. -d -- | By convention there is color, \\ Damien Miller <djm at mindrot.org> | By convention sweetness, By convention bitterness, \\ www.mindrot.org | But in reality there are atoms and space - Democritus (c. 400 BCE)
2002 Jul 12
0
[Bug 325] PermitRootLogin forced-commands-only & privsep - not working together
...more people haven't run into this...? --- openssh-3.4p1/auth2.c Fri Jun 21 02:21:11 2002 +++ openssh-3.4p1-hap-2/auth2.c Fri Jul 12 15:35:52 2002 @@ -206,6 +206,7 @@ /* Special handling for root */ if (authenticated && authctxt->pw->pw_uid == 0 && + !options.permit_root_login == PERMIT_FORCED_ONLY && !auth_root_allowed(method)) authenticated = 0; ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.
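Review bot: in the added line, `!options.permit_root_login == PERMIT_FORCED_ONLY` applies `!` before `==`, so it compares 0 or 1 against the constant rather than testing the setting; the intended form is presumably `options.permit_root_login != PERMIT_FORCED_ONLY`. Even written that way, the condition skips `auth_root_allowed(method)` for every method once forced-commands-only is set, so the fix should stay limited to the method that needs the exception instead of bypassing the root check as a whole.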
2003 Sep 19
0
Patch to restrict other auth methods from allowing root password authentication
...'t even really know what that is) could be added as well. FWIW, it appears that when using the "password" method the code in auth.c is never reached due to the following code in auth-passwd.c: #ifndef HAVE_CYGWIN if (pw && pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES) ok = 0; #endif meaning that this message in auth.c isn't logged in this case: logit("ROOT LOGIN REFUSED FROM %.200s", get_remote_ipaddr()); If no one has any problems with the patch I'll open a bugzilla PR. ---------------------------...
2004 Feb 27
0
PAM patch for openssh 3.7.1p2
...# that support the -R option to pkgadd. #TEST_DIR=/var/tmp # leave commented out for production build PKGNAME=OpenSSH SYSVINIT_NAME=opensshd MAKE=${MAKE:="make"} SSHDUID=67 # Default privsep uid SSHDGID=67 # Default privsep gid # uncomment these next two as needed #PERMIT_ROOT_LOGIN=no #X11_FORWARDING=yes +#USEPAM=yes # list of system directories we do NOT want to change owner/group/perms # when installing our package SYSTEM_DIR="/etc \ @@ -143,6 +144,9 @@ $FAKE_ROOT/${sysconfdir}/sshd_config [ "${X11_FORWARDING}" = yes ] &&am...
2009 Oct 29
1
Match vs. ChallengeResponseAuthentication?
Hello, We'd like to allow passwords only from the local network, and allow public key auth from on-campus or off-campus. The server runs SuSE Linux, and we might do the same on RHEL/CentOS & Mac OS X if we can get it to work. Unfortunately, Match allows PasswordAuthentication but not ChallengeResponseAuthentication. Is there any reason ChallengeResponseAuthentication cannot be
2003 Aug 09
0
Timing attacks and owl-always-auth
...h_password(Authctxt *authctxt, const char *password) { struct passwd * pw = authctxt->pw; + char *user = authctxt->user; + int success; + + auth_ok = authctxt->valid; /* deny if no user. */ if (pw == NULL) - return 0; + auth_result(0); if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES) - return 0; + auth_result(0); if (*password == '\0' && options.permit_empty_passwd == 0) - return 0; + auth_result(0); #ifdef KRB5 if (options.kerberos_authentication == 1) { - int ret = auth_krb5_password(authctxt, password); - if (ret == 1 || ret == 0) -...
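Review bot: replacing `return 0;` with `auth_result(0);` after `if (pw == NULL)` is only safe if auth_result never falls through; if it is an ordinary call, execution continues to `pw->pw_uid` on the next line with pw still NULL. Either keep an explicit return after each call or document in the patch that auth_result is a macro that leaves the function. The added `auth_ok = authctxt->valid;` also assigns a variable that the visible declarations (`user`, `success`) do not introduce, so its declaration and scope should be shown.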
2005 Jan 11
3
[Bug 701] With 'PermitRootPassword without-password' set, root w/pass can still log in with a using 'keyboard-int/pam'
http://bugzilla.mindrot.org/show_bug.cgi?id=701 dtucker at zip.com.au changed: What |Removed |Added ---------------------------------------------------------------------------- BugsThisDependsOn| |971 ------- Additional Comments From dtucker at zip.com.au 2005-01-11 18:25 ------- Patch attachment #766 in bug #971 should fix this.
2012 Jul 10
9
Hiera and environments
Hey there, I'm new to hiera and I'm looking to configure it to use multiple environments. I'm able to query hiera keys from using the hiera CLI, however my clients seem to be having problems identifying the look up variables. *On the puppet master, CLI query* [root@puppet-dev puppet]# hiera -a sshpackages environment=development ["openssh",
2003 Sep 22
4
[Bug 701] With 'PermitRootPassword without-password' set, root w/pass can still log in with a using 'keyboard-int/pam'
...ent as there may be sites with PermitRootLogin set to 'without-password' who are using PAM for logins and who are unaware that root can still log in with a password. Also, the following code in auth-password.c #ifndef HAVE_CYGWIN if (pw && pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES) ok = 0; #endif seems to prevent the auth.c:auth_root_allowed() routine from ever being called, meaning that the following log line in auth.c doesn't get called: logit("ROOT LOGIN REFUSED FROM %.200s", get_remote_ipaddr()); When the code in auth-passwd...
2002 Jan 23
0
[PATCH] Add multiple AuthorizedKeyFiles options
...servconf.h 23 Jan 2002 11:11:29 -0000 @@ -24,6 +24,7 @@ #define MAX_DENY_GROUPS 256 /* Max # groups on deny list. */ #define MAX_SUBSYSTEMS 256 /* Max # subsystems. */ #define MAX_HOSTKEYS 256 /* Max # hostkeys. */ +#define MAX_AUTHKEYFILES 256 /* Max # authorized_keys statements */ /* permit_root_login */ #define PERMIT_NOT_SET -1 @@ -126,8 +127,12 @@ * disconnect the session */ - char *authorized_keys_file; /* File containing public keys */ - char *authorized_keys_file2; + + char *authorized_keys_files[MAX_AUTHKEYFILES]; /* + * Files containing + * publi...