Mailing List Archive

[Bug 701] With 'PermitRootPassword without-password' set, root w/pass can still log in using 'keyboard-int/pam'
http://bugzilla.mindrot.org/show_bug.cgi?id=701

dtucker@zip.com.au changed:

What |Removed |Added
----------------------------------------------------------------------------
BugsThisDependsOn| |971



------- Additional Comments From dtucker@zip.com.au 2005-01-11 18:25 -------
Patch attachment #766 in bug #971 should fix this.



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
[Bug 701] With 'PermitRootPassword without-password' set, root w/pass can still log in using 'keyboard-int/pam'
http://bugzilla.mindrot.org/show_bug.cgi?id=701


Bug 701 depends on bug 971, which changed state.

Bug 971 Summary: keyboard-interactive/pam leaks info about user existence
http://bugzilla.mindrot.org/show_bug.cgi?id=971

What |Old Value |New Value
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |FIXED

[Bug 701] With 'PermitRootPassword without-password' set, root w/pass can still log in using 'keyboard-int/pam'
http://bugzilla.mindrot.org/show_bug.cgi?id=701
------- Additional Comments From dtucker@zip.com.au 2005-01-27 14:48 -------
(In reply to comment #0)
> Also, the following code in auth-password.c
>
> #ifndef HAVE_CYGWIN
> if (pw && pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
> ok = 0;
> #endif
>
> seems to prevent the auth.c:auth_root_allowed() routine from ever being
> called, meaning that the following log line in auth.c doesn't get called:
>
> logit("ROOT LOGIN REFUSED FROM %.200s", get_remote_ipaddr());
>
> When the code in auth-passwd.c is commented out, auth.c:auth_root_allowed()
> gets run properly.

The problem with changing this is that the "ROOT LOGIN REFUSED" message is only
supposed to appear when root authenticated successfully but was denied by
sshd_config.

To deal with potential information leaks (i.e. bug #971), in the case of an
invalid login, sshd will trash the user's response before handing it back to
PAM, so that PAM behaves the same way for these cases:
- password wrong
- password right but denied by sshd_config (PermitRootLogin, AllowUsers etc).

Because of this, sshd will never know if the credentials the user supplied are
valid, which means that it can either log *every* attempt or *none*, but it can
no longer log only the ones that were denied by sshd_config.

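As an added illustration (not OpenSSH's code; it uses a constructed account table and a stub in place of the real PAM conversation, and its PermitRootLogin enum is assumed), this models the behaviour described in the comment above: when sshd_config rules the account out, the user's answer is replaced with an unusable value before it reaches the authenticator, so a correct-but-denied root password and a wrong password yield the same verdict.

```c
#include <string.h>
#include <sys/types.h>

/* Assumed stand-in for sshd_config's PermitRootLogin values (not OpenSSH's enum). */
enum permit_root { PERMIT_NO, PERMIT_WITHOUT_PASSWORD, PERMIT_YES };
/* Constructed account table standing in for getpwnam() and PAM's password store. */
struct account { const char *name; uid_t uid; const char *password; };
static const struct account ACCOUNTS[] = {
    { "root",  0,    "rootpw"  },
    { "alice", 1000, "alicepw" },
};

const struct account *lookup(const char *name)
{
    for (size_t i = 0; i < sizeof(ACCOUNTS) / sizeof(ACCOUNTS[0]); i++)
        if (strcmp(ACCOUNTS[i].name, name) == 0)
            return &ACCOUNTS[i];
    return NULL;  /* unknown user */
}

/* Could sshd_config ever let this account in by password?  Mirrors the
 * "pw_uid == 0 && permit_root_login != PERMIT_YES" test quoted in the bug. */
int policy_allows(const struct account *a, enum permit_root permit_root_login)
{
    return a != NULL && (a->uid != 0 || permit_root_login == PERMIT_YES);
}

/* What is actually handed to PAM: the user's answer, or a deliberately
 * unusable value when sshd_config would reject the login anyway. */
const char *response_for_pam(const struct account *a, enum permit_root p,
                             const char *user_response)
{
    static const char unusable[] = "\b\n\r\177INCORRECT";  /* constructed junk */
    return policy_allows(a, p) ? user_response : unusable;
}

/* Stand-in for the PAM conversation: 0 = success, 1 = authentication failure. */
static int pam_stub(const struct account *a, const char *response)
{
    return (a != NULL && strcmp(a->password, response) == 0) ? 0 : 1;
}

/* One keyboard-interactive attempt.  sshd only ever sees PAM's verdict, so a
 * correct root password denied by policy looks exactly like a wrong one; that
 * is why "ROOT LOGIN REFUSED" can no longer be logged for just those cases. */
int kbdint_attempt(const char *user, const char *response, enum permit_root p)
{
    const struct account *a = lookup(user);
    return pam_stub(a, response_for_pam(a, p, response));
}
```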
[Bug 701] With 'PermitRootPassword without-password' set, root w/pass can still log in using 'keyboard-int/pam'
http://bugzilla.mindrot.org/show_bug.cgi?id=701


dtucker@zip.com.au changed:

What |Removed |Added
----------------------------------------------------------------------------
Status|ASSIGNED |RESOLVED
Resolution| |FIXED




------- Additional Comments From dtucker@zip.com.au 2005-02-01 19:18 -------
The patch in bug #971 prevents root from logging in via keyboard-interactive
when "PermitRootLogin without-password" is set, and has been in the devel tree
for a while. It will be in the next release. I have removed the comment in
sshd_config.5 since it no longer applies.
