Summary: | root password login allowed with without-password set! | ||
---|---|---|---|
Product: | Gentoo Linux | Reporter: | klavs klavsen <kl> |
Component: | [OLD] Server | Assignee: | Gentoo Linux bug wranglers <bug-wranglers> |
Status: | RESOLVED INVALID | ||
Severity: | critical | CC: | koon |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Package list: | Runtime testing required: | --- |
Description
klavs klavsen
2004-07-28 00:52:57 UTC
If you have UsePAM=yes set, it's not a bug, it's by design. If you have UsePAM = yes, it's PAM that decides if root can log in, not "PermitRootLogin". man page for sshd_config makes it quite clear:

    PermitRootLogin [...] If this option is set to ``without-password'' password authentication is disabled for root. Note that other authentication methods (e.g., keyboard-interactive/PAM) may still allow root to login using a password.

A workaround is to configure ssh PAM stack to deny login access to root, something like:

    auth required pam_listfile.so item=user sense=deny file=/etc/ssh/denyusers

This line should be inserted before reference to any other module of type 'auth' that performs actual authentication. The file /etc/ssh/denyusers should contain the only line containing 'root'.

Please confirm that you have UsePAM=yes in your sshd_config, in which case we will close the bug as INVALID. If you feel it's buggy behaviour, feel free to bring up your case to the upstream developers, the OpenSSH team.

Thank you very much for that solution (it worked :) - oddly enough it won't let root login (without the pam-change you suggested) with PAM enabled, on 3.7.1 and earlier (on Red Hat 7.x's at least I've confirmed it) - so they must have changed the behavior in recent versions :( But since it's apparently meant to work this way - it's no bug - just an IMHO stupid change :)
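An added example, not part of the bug thread or of OpenSSH: a small Python audit of the condition discussed above, reporting whether PermitRootLogin without-password is enforced by sshd itself, left to PAM, or backed by the pam_listfile deny rule from the workaround. The function names, verdict strings and sample inputs are assumptions made for illustration; on a real host the three texts would be read from sshd_config, the ssh PAM service file and /etc/ssh/denyusers.

```python
def sshd_options(text):
    """Parse sshd_config text (keywords are case-insensitive, first value wins)."""
    opts = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].replace("=", " ", 1).split(None, 1)
        if len(parts) == 2:
            opts.setdefault(parts[0].lower(), parts[1].strip().lower())
    return opts


def pam_denies_root(pam_text, deny_text, deny_path="/etc/ssh/denyusers"):
    """True if the first 'auth' entry is the pam_listfile deny rule and the
    deny file lists root. Requiring it to be first is stricter than the bug
    comment, which only asks that it precede modules that authenticate."""
    wanted = {"item=user", "sense=deny", "file=" + deny_path}
    for line in pam_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0].lstrip("-") == "auth":
            rule_ok = (fields[1] in ("required", "requisite")
                       and fields[2] == "pam_listfile.so"
                       and wanted <= set(fields[3:]))
            return rule_ok and "root" in [u.strip() for u in deny_text.splitlines()]
    return False


def root_login_verdict(sshd_text, pam_text, deny_text):
    """Classify who decides whether root can log in with a password."""
    opts = sshd_options(sshd_text)
    if opts.get("permitrootlogin") != "without-password":
        return "not-applicable"
    # Assumption: an unset UsePAM is treated as "no" (upstream OpenSSH default);
    # a distribution's shipped config may differ.
    if opts.get("usepam", "no") != "yes":
        return "sshd-enforces"
    return "pam-denies-root" if pam_denies_root(pam_text, deny_text) else "pam-decides"


# Constructed sample inputs (not taken from the reporter's system).
SSHD = "PermitRootLogin without-password\nUsePAM = yes\n"
PAM_STOCK = "auth required pam_unix.so\naccount required pam_unix.so\n"
PAM_FIXED = ("auth required pam_listfile.so item=user sense=deny "
             "file=/etc/ssh/denyusers\n" + PAM_STOCK)

if __name__ == "__main__":
    print(root_login_verdict(SSHD, PAM_STOCK, "root\n"))
    print(root_login_verdict(SSHD, PAM_FIXED, "root\n"))
```

A "pam-decides" verdict means the PAM stack, not PermitRootLogin, determines whether root can authenticate with a password; Match blocks and PAM include directives are not evaluated.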