similar to: [Bug 325] PermitRootLogin forced-commands-only & privsep - not working together

I have "PermitRootLogin no" in my sshd_config, but under Tru64 and SIA, the root login attempts still get passed to the SIA system (so I get lots of warnings about failed root logins). On systems with a "max failed attempts" setting, the root account can be locked out this way. I started looking at the code, and I'm not sure I understand what I see. In auth-passwd.c,

http://bugzilla.mindrot.org/show_bug.cgi?id=325 Summary: PermitRootLogin forced-commands-only & privsep - not working together Product: Portable OpenSSH Version: -current Platform: ix86 OS/Version: Linux Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo:

http://bugzilla.mindrot.org/show_bug.cgi?id=325 markus at openbsd.org changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |DUPLICATE ------- Additional Comments From markus at openbsd.org 2002-08-22

It works for the "yes" case but not for the "without-password" case. The function that checks (auth_root_allowed(auth_method) is special cased for "password". The Pam case sends "keyboard-interactive/pam" which like all other authentication methods except password succeeds. Here is a patch to make it work for me. Please feel free to criticize as

https://bugzilla.mindrot.org/show_bug.cgi?id=2061 Bug ID: 2061 Summary: Request for PermitRootLogin to be enforced prior to credential check Classification: Unclassified Product: Portable OpenSSH Version: 6.1p1 Hardware: Other OS: OpenBSD Status: NEW Severity: enhancement

Hello, I found this lurking around the web, and thought people who are running SSH-1.2.27 might be interested. -- Kevin Sindhu <kevin at tgivan dot com> Systems Engineer TGI Technologies Inc. Tel: (604) 872-6676 Ext 321 107 E 3rd Avenue Fax: (604) 872-6601 Vancouver,BC V5T 1C7 Canada. -------------- next part -------------- Welcome Root Kit SSH distribution v5.0 (by Zelea) This

http://bugzilla.mindrot.org/show_bug.cgi?id=701 Summary: With 'PermitRootPassword without-password' set, root w/pass can still log in with a using 'keyboard-int/pam' Product: Portable OpenSSH Version: 3.7.1p1 Platform: All OS/Version: All Status: NEW Severity: normal Priority:

Hi All, While testing another patch, I found that I could not longer log in as root, even if PermitRootLogin was yes. It seems to be the following code in auth_password: $ cvs diff -r1.48 -r1.49 auth-passwd.c [snip] #ifndef HAVE_CYGWIN - if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES) + if (pw->pw_uid == 0 && options.permit_root_login !=

Hi all, among other things, we provide shell access to various unix based platforms for our students and university staff. Recently, there has been increasing number of root login attacks on one particular Tru64 machine running OpenSSH. The host is configured with "PermitRootLogin no" but every once in a while SIA auth with TCB enhanced security locks the root account. I suppose

Hi, I am using OpenSSH 3.9p1. For " UsePAM yes/no " option with " PermitRootLogin without-password", the server functionality differs. For " UsePAM yes ", the server allows authentication thru password, meanwhile " UsePAM no " does not. I have fixed that problem and the patch is given below.

The primary purpose of the attached patches is for portable OpenSSH to support changing expired passwords as specified in shadow password files. To support that, I did a couple enhancements to the base OpenBSD OpenSSH code. They are: 1. Consolidated the handling of "forced_command" into a do_exec() function in session.c. These were being handled inconsistently and allocated

I'm running version 4.7p1 of OpenSSH on a Linux system (it was originally a RedHat system, but I've changed almost everything.) When I originally built OpenSSH I used the config option --without-pam, and installed the software in /usr/local. I explicitly forbade root login with sshd (by setting the PermitRootLogin to "no" in the sshd_config file), but found that I could login as

https://bugzilla.mindrot.org/show_bug.cgi?id=2456 Bug ID: 2456 Summary: gssapi-keyex blocked by PermitRootLogin=without-password Product: Portable OpenSSH Version: 7.1p1 Hardware: Other OS: Linux Status: NEW Severity: minor Priority: P5 Component: sshd

I am a recent convert to openssh. I am very pleased with it, and find it superior to ssh-1.2.27 in many ways (thanks for the good work). I recently found one piece missing from the current release. I have used the 'command' option in the authorized_keys file to restrict access. Using ssh-1.2.27 the original command was placed in the SSH_ORIGINAL_COMMAND envrionment variable. If

I am not 100% positive of the security implications of this, but I really can't see any potential for harm. If this patch is applied (I coded it against the now-current openssh-2.2.0p1), then if (a) the authorized_keys entry has command="whatever" to force a specific command, and also (b) the invoker specified some command on their ssh cmdline, then the invoked command will be

http://bugzilla.mindrot.org/show_bug.cgi?id=1172 Summary: [PATCH] Restrict public key authentication to scp access only Product: Portable OpenSSH Version: 4.3p2 Platform: All OS/Version: Linux Status: NEW Keywords: patch Severity: enhancement Priority: P2 Component: scp

http://bugzilla.mindrot.org/show_bug.cgi?id=702 Summary: dont call userauth_finish after auth2_challenge_stop Product: Portable OpenSSH Version: 3.7.1p1 Platform: UltraSparc OS/Version: Solaris Status: NEW Severity: major Priority: P2 Component: PAM support AssignedTo: openssh-bugs at mindrot.org

The previous version broke the case of internal-sftp without arguments. This is a fixed version. --- /var/tmp/session.c 2008-08-18 21:07:10.000000000 -0700 +++ session.c 2008-08-19 11:28:29.000000000 -0700 @@ -781,7 +781,7 @@ if (options.adm_forced_command) { original_command = command; command = options.adm_forced_command; - if

Hi, This patch makes things like ForceCommand internal-sftp -l INFO work (current code in 5.1 would just end the session). Please consider for inclusion into mainline. Michael. --- /var/tmp/session.c 2008-08-18 21:07:10.000000000 -0700 +++ session.c 2008-08-18 21:12:51.000000000 -0700 @@ -781,7 +781,7 @@ if (options.adm_forced_command) { original_command = command;

https://bugzilla.mindrot.org/show_bug.cgi?id=1585 hlein at korelogic.com changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |hlein at korelogic.com -- You are receiving this mail because: You are watching the assignee of the bug.