Mailing List Archive

[Bug 701] With 'PermitRootPassword without-password' set, root w/pass can still log in with a using 'keyboard-int/pam'
http://bugzilla.mindrot.org/show_bug.cgi?id=701

Summary: With 'PermitRootPassword without-password' set, root
w/pass can still log in with a using 'keyboard-int/pam'
Product: Portable OpenSSH
Version: 3.7.1p1
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: sshd
AssignedTo: openssh-bugs@mindrot.org
ReportedBy: jfh@cise.ufl.edu


When the directive PermitRootLogin is specified as 'without-password', root
can still log in with a password using the 'keyboard-interactive/pam' method
and possibly others.

The fix is to permit only certain methods to allow root logins, and deny
the rest. The patch I will be providing currently only allows root to login with
the 'publickey' method. Others can be added as necessary, but as methods are
added in the future they will default to not allowing root to login when
PermitRootLogin is set to 'without-password' unless specified in this routine.
(This is different from the patch I sent to the list which allowed root to
login with all methods except those explicitly denied).

This may warrant a security announcement as there may be sites with
PermitRootLogin set to 'without-password' who are using PAM for logins
and who are unaware that root can still log in with a password.

Also, the following code in auth-password.c

#ifndef HAVE_CYGWIN
	if (pw && pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
		ok = 0;
#endif

seems to prevent the auth.c:auth_root_allowed() routine from ever being called,
meaning that the following log line in auth.c doesn't get called:

logit("ROOT LOGIN REFUSED FROM %.200s", get_remote_ipaddr());

When the code in auth-passwd.c is commented out, auth.c:auth_root_allowed()
gets run properly.



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
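
The report above contrasts two designs for the 'without-password' check: refusing only explicitly named methods, or permitting only explicitly named methods. The sketch below is an added example, not code from the attachment or from OpenSSH; the enum, the function names and the method lists are hypothetical stand-ins. It shows how the two designs differ for a method that neither list names.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for the PermitRootLogin settings discussed above. */
enum root_mode { ROOT_NO, ROOT_WITHOUT_PASSWORD, ROOT_YES };

/* Allow-list: the only methods root may use under 'without-password'. */
static const char *const root_allow[] = { "publickey", NULL };
/* Deny-list: the only methods refused; anything unlisted passes. */
static const char *const root_deny[] = { "password", NULL };

static int in_list(const char *const *list, const char *method)
{
    for (; *list != NULL; list++)
        if (strcmp(*list, method) == 0)
            return 1;
    return 0;
}

/* Fail closed: a method missing from the allow-list is refused for root. */
int root_allowed_allowlist(enum root_mode mode, const char *method)
{
    if (mode != ROOT_WITHOUT_PASSWORD)
        return mode == ROOT_YES;
    return in_list(root_allow, method);
}

/* Fail open: a method missing from the deny-list is accepted for root. */
int root_allowed_denylist(enum root_mode mode, const char *method)
{
    if (mode != ROOT_WITHOUT_PASSWORD)
        return mode == ROOT_YES;
    return !in_list(root_deny, method);
}

int main(void)
{
    /* Constructed sample: method names a server might offer. */
    const char *methods[] = { "publickey", "password",
                              "keyboard-interactive/pam", "hostbased" };
    size_t i;

    for (i = 0; i < sizeof(methods) / sizeof(methods[0]); i++)
        printf("%-26s allow-list=%d deny-list=%d\n", methods[i],
               root_allowed_allowlist(ROOT_WITHOUT_PASSWORD, methods[i]),
               root_allowed_denylist(ROOT_WITHOUT_PASSWORD, methods[i]));
    return 0;
}
```
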





------- Additional Comments From jfh@cise.ufl.edu 2003-09-22 23:10 -------
Created an attachment (id=446)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=446&action=view)
Allows only 'publickey' method when 'PermitRootLogin' is set to
'without-password'









------- Additional Comments From markus@openbsd.org 2003-09-22 23:17 -------
the problem is that login via PAM might be anything, so the pam
modules have to restrict things.

what should be done if
pam auth might be s/key? then "without-passwd" should
allow login? or not?

i think that if pam is used then pam has to be configured properly.








------- Additional Comments From markus@openbsd.org 2003-09-22 23:42 -------
patch looks good. will work on something similar.








------- Additional Comments From jfh@cise.ufl.edu 2003-09-22 23:49 -------
Perhaps then, the wording of the sshd_config(8) man page should be
modified somewhat:

Change

If this option is set to ``without-password'' password
authentication is disabled for root.

to

If this option is set to ``without-password'', logins via the OpenSSH
password authentication method are disabled for root. Other authentication
methods (e.g., PAM) may still allow root to login via a password.

Would anyone be interested in a 'publickey' setting for the 'PermitRootLogin'
directive? I should be able to code one up in the next day or so. This would
remove any ambiguity and lock down logins to publickey only.

(Sorry if this is a dup -- I responded via email to Markus' first comment
and it didn't show up -- I'm obviously Bugzilla-impaired :->)

Jim



