Bug 58632 - root password login allowed with without-password set!
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Server (show other bugs)
Hardware: All Linux
Importance: High critical
Assignee: Gentoo Linux bug wranglers
Reported: 2004-07-28 00:52 UTC by klavs klavsen
Modified: 2004-07-28 01:23 UTC

Description klavs klavsen 2004-07-28 00:52:57 UTC
Hi guys,

I just read about several attempts of brute-forcing on ssh servers (on incidents.org) - and decided to just ensure that you couldn't log in to my ssh server with password auth (as I've set "PermitRootLogin without-password" and "AllowUsers myuser root") - but I found that it will happily authenticate me without having a key :(
This problem is VERY DANGEROUS - as many times you need root login, for backup purposes or other things, and use the without-password option, to ensure root login can't be brute-forced.


Reproducible: Always
Steps to Reproduce:
1. Add the two options mentioned in Details to /etc/sshd/sshd_config
2. Restart sshd
3. Try to log in as root with a password..


Actual Results:
I was let in :(

Expected Results:
Keep asking me for a password - as it does on at least 3.7.1 and earlier.
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2004-07-28 01:12:05 UTC
If you have UsePAM=yes set, it's not a bug, it's by design. If you have UsePAM = yes, it's PAM that decides if root can log in, not "PermitRootLogin". The man page for sshd_config makes it quite clear:

     PermitRootLogin
             [...]
             If this option is set to ``without-password'' password authentication
             is disabled for root.  Note that other authentication
             methods (e.g., keyboard-interactive/PAM) may still allow root to
             login using a password.

A workaround is to configure the ssh PAM stack to deny login access to root, something like:

auth required pam_listfile.so item=user sense=deny file=/etc/ssh/denyusers

This line should be inserted before any reference to another module of type 'auth' that performs actual authentication. The file /etc/ssh/denyusers should contain a single line containing 'root'.

Please confirm that you have UsePAM=yes in your sshd_config, in which case we will close the bug as INVALID. If you feel it's buggy behaviour, feel free to bring up your case to the upstream developers, the OpenSSH team.
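An added audit script (not from the bug report or Gentoo) that checks the combination discussed above: it reads an sshd_config and the sshd PAM stack and reports whether root can still reach a password prompt through keyboard-interactive/PAM, treating the pam_listfile deny rule as effective only when it is the first 'auth' entry. It assumes the deny-list path is passed as an argument (rather than parsed from the PAM line), that the rule is written with item=user before sense=deny as in the comment above, and it also treats "ChallengeResponseAuthentication no" as closing the keyboard-interactive path.

```shell
#!/bin/sh
# Audit whether root can still reach an SSH password prompt, given an
# sshd_config and the PAM stack sshd uses. Returns 0 when root password
# login is blocked, 1 when it may still be possible (a verdict is printed).

# sshd uses the FIRST value it finds for a keyword, so take the first match.
sshd_opt() {  # sshd_opt CONFIG KEYWORD DEFAULT
    v=$(grep -i "^[[:space:]]*$2[[:space:]]" "$1" | head -n 1 | awk '{print tolower($2)}')
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '%s\n' "$3"; fi
}

check_root_pw_login() {  # check_root_pw_login SSHD_CONFIG PAM_SSHD_FILE DENYLIST
    permit=$(sshd_opt "$1" PermitRootLogin yes)
    usepam=$(sshd_opt "$1" UsePAM no)
    chall=$(sshd_opt "$1" ChallengeResponseAuthentication yes)

    case "$permit" in
        no)  echo "ok: PermitRootLogin no"; return 0 ;;
        yes) echo "WARN: PermitRootLogin yes, root may log in with a password"; return 1 ;;
    esac
    # without-password/prohibit-password refuses the plain 'password' method,
    # but keyboard-interactive can still hand a password to PAM when UsePAM is
    # on and challenge-response (keyboard-interactive) has not been disabled.
    if [ "$usepam" != yes ] || [ "$chall" = no ]; then
        echo "ok: no keyboard-interactive/PAM path for root"; return 0
    fi
    # PAM decides now. The deny rule only helps if it runs before any module
    # that actually checks a password, so require it to be the first auth entry.
    first_auth=$(grep -v '^[[:space:]]*#' "$2" | awk '$1 == "auth" { print; exit }')
    case "$first_auth" in
        *pam_listfile.so*item=user*sense=deny*)
            if grep -qx 'root' "$3"; then
                echo "ok: PAM denies root before any authentication module"; return 0
            fi
            echo "WARN: deny rule present but 'root' is not in $3"; return 1 ;;
    esac
    echo "WARN: root can reach a password prompt via keyboard-interactive/PAM"; return 1
}

# Stand-alone use: ./audit.sh /etc/ssh/sshd_config /etc/pam.d/sshd /etc/ssh/denyusers
if [ $# -eq 3 ]; then check_root_pw_login "$1" "$2" "$3"; fi
```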
Comment 2 klavs klavsen 2004-07-28 01:23:09 UTC
Thank you very much for that solution (it worked :) - oddly enough it won't let root log in (without the PAM change you suggested) with PAM enabled, on 3.7.1 and earlier (on Red Hat 7.x's at least I've confirmed it) - so they must have changed the behavior in recent versions :(

But since it's apparently meant to work this way - it's no bug - just an IMHO stupid change :)