Bug 486 - "PermitRootLogin no" can implicitly reveal root password
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: sshd
Version: -current
Hardware: All Linux
Importance: P2 security
Assignee: OpenSSH Bugzilla mailing list
Depends on: 387
Reported: 2003-02-07 02:46 AEDT by Maik Schreiber
Modified: 2004-04-14 12:24 AEST
Description Maik Schreiber 2003-02-07 02:46:18 AEDT
With 3.5p1, when setting "PermitRootLogin no" in /etc/ssh/sshd_config, logging
in as root is disabled, of course.

However, when entering the correct password, ssh prints "Connection reset by
peer" and exits immediately. When entering the wrong password, it will prompt
you again.

I think this qualifies as a security hole, since you can use brute-force tools
to try to log in as root. Of course you need to have/hack another account to
actually have the possibility to become root (via su or other means), but at
least you know the password.
Comment 1 Markus Friedl 2003-02-07 07:51:58 AEDT
are you using PAM?
Comment 2 Markus Friedl 2003-02-07 08:20:33 AEDT
fixed in -current
Comment 3 Colin Watson 2003-05-06 10:08:35 AEST
This has reoccurred as of 3.6.1p2. With 3.6.1p1, there was no delay for a root
login when PermitRootLogin was off regardless of whether the supplied password
was correct or not. With 3.6.1p2 and "PermitRootLogin no", an incorrect password
for root incurs a delay while a correct password does not.

(Apologies if this should have been a new bug.)
Comment 4 Damien Miller 2003-06-04 23:32:12 AEST
definitely fixed in -current (tested PAM and non-PAM)
Comment 5 Damien Miller 2004-04-14 12:24:18 AEST
Mass change of RESOLVED bugs to CLOSED
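
The password oracle described in this report, modelled in C as an added example (not OpenSSH code and not part of the original bug thread): `check_flawed` reproduces the reported observable behaviour, while `check_hardened` runs the comparison unconditionally and folds the PermitRootLogin policy into the result, which also keeps the work done per attempt the same, the property Comment 3 found missing. All names here (`secret_matches`, `check_flawed`, `check_hardened`, `leaks_password`) and the sample account are constructed for illustration, and the plaintext comparison stands in for real password-hash verification.

```c
#include <stdio.h>
#include <string.h>

/* What the remote client can observe after one password attempt. */
enum outcome { AUTH_OK, AUTH_RETRY, AUTH_DROP };
struct account { const char *name; const char *secret; int uid; };
typedef enum outcome (*check_fn)(const struct account *, const char *);

/* Constructed sample account; a real daemon verifies a password hash. */
static const struct account ROOT = { "root", "constructed-secret", 0 };
static int permit_root_login = 0;          /* models "PermitRootLogin no" */

/* Fixed-length comparison with no early exit (stand-in for hash checking). */
static int secret_matches(const char *stored, const char *given)
{
    unsigned char a[64] = {0}, b[64] = {0}, diff = 0;
    strncpy((char *)a, stored, sizeof(a) - 1);
    strncpy((char *)b, given, sizeof(b) - 1);
    for (size_t i = 0; i < sizeof(a); i++) diff |= a[i] ^ b[i];
    return diff == 0;
}

/* As reported: policy applies only after a match, so a correct root
 * password drops the connection while a wrong one re-prompts. */
static enum outcome check_flawed(const struct account *acct, const char *pw)
{
    if (!secret_matches(acct->secret, pw))
        return AUTH_RETRY;
    if (acct->uid == 0 && !permit_root_login)
        return AUTH_DROP;
    return AUTH_OK;
}

/* Hardened: same work on every path; a barred account always gets RETRY. */
static enum outcome check_hardened(const struct account *acct, const char *pw)
{
    int allowed = !(acct->uid == 0 && !permit_root_login);
    int matched = secret_matches(acct->secret, pw);
    return (matched && allowed) ? AUTH_OK : AUTH_RETRY;
}

/* Returns 1 when right and wrong guesses are distinguishable (an oracle). */
static int leaks_password(check_fn check)
{
    return check(&ROOT, "constructed-secret") != check(&ROOT, "wrong-guess");
}

int main(void)
{
    printf("flawed=%d hardened=%d\n", leaks_password(check_flawed), leaks_password(check_hardened));
    return 0;
}
```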