When the directive PermitRootLogin is specified as 'without-password', root can still log in with a password using the 'keyboard-interactive/pam' method and possibly others.

The fix is to permit only certain methods to allow root logins, and deny the rest. The patch I will be providing currently only allows root to login with the 'publickey' method. Others can be added as necessary, but as methods are added in the future they will default to not allowing root to login when PermitRootLogin is set to 'without-password' unless specified in this routine. (This is different from the patch I sent to the list which allowed root to login with all methods except those explicitly denied).

This may warrant a security announcement as there may be sites with PermitRootLogin set to 'without-password' who are using PAM for logins and who are unaware that root can still log in with a password.

Also, the following code in auth-password.c

#ifndef HAVE_CYGWIN
        if (pw && pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
                ok = 0;
#endif

seems to prevent the auth.c:auth_root_allowed() routine from ever being called, meaning that the following log line in auth.c doesn't get called:

        logit("ROOT LOGIN REFUSED FROM %.200s", get_remote_ipaddr());

When the code in auth-passwd.c is commented out, auth.c:auth_root_allowed() gets run properly.
Created attachment 446: Allows only 'publickey' method when 'PermitRootLogin' is set to 'without-password'
the problem is that login via PAM might be anything, so the pam modules have to restrict things. what should be done if pam auth might be s/key? then "without-passwd" should allow login? or not? i think that if pam is used then pam has to be configured properly.
patch looks good. will work on something similar.
Perhaps then, the wording of the sshd_config(8) man page should be modified somewhat:

Change

    If this option is set to ``without-password'' password authentication is disabled for root.

to

    If this option is set to ``without-password'', logins via the OpenSSH password authentication method are disabled for root. Other authentication methods (e.g., PAM) may still allow root to login via a password.

Would anyone be interested in a 'publickey' setting for the 'PermitRootLogin' directive? I should be able to code one up in the next day or so. This would remove any ambiguity and lock down logins to publickey only.

(Sorry if this is a dup -- I responded via email to Markus' first comment and it didn't show up -- I'm obviously Bugzilla-impaired :->)

Jim
*** Bug 713 has been marked as a duplicate of this bug. ***
The current plan is to switch away from the current "without-password" to a positive list of allowed methods, e.g.

    PermitRootLogin pubkey,hostbased,keyboard-interactive

and keep "without-password" as an alias for something like "pubkey,hostbased"

One thing that isn't clear is whether or not keyboard-interactive should specify the specific "devices", eg keyboard-interactive/pam.
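A small C model of the positive-list approach discussed in the comments above, added here as an illustration; it is not OpenSSH code and not the attached patch. The function name root_method_allowed, the string-based settings, and the rule that a bare "keyboard-interactive" entry covers every device while "keyboard-interactive/pam" covers only that device are assumptions made for the example.

```c
/* Added illustration; not OpenSSH source. Root is denied by default and
 * allowed only when the authentication method appears on the list. */
#include <stdio.h>
#include <string.h>

/* Assumption: "without-password" expands to the alias suggested above. */
static const char *expand_alias(const char *setting)
{
    if (strcmp(setting, "without-password") == 0)
        return "pubkey,hostbased";
    return setting;
}

/* Returns 1 if `method` (optionally "name/device") may authenticate root.
 * Hypothetical rule: a bare entry matches all devices of that method,
 * an entry with "/device" matches only that exact device. */
int root_method_allowed(const char *setting, const char *method)
{
    const char *p;
    size_t n = 0;
    size_t mlen = strlen(method);
    size_t base_len = strcspn(method, "/");   /* name before any "/device" */

    if (strcmp(setting, "yes") == 0)
        return 1;
    if (strcmp(setting, "no") == 0)
        return 0;

    for (p = expand_alias(setting); *p != '\0'; p += n + (p[n] == ',')) {
        n = strcspn(p, ",");                  /* length of this list entry */
        if (n == 0)
            continue;                         /* skip empty entries */
        if ((n == mlen || n == base_len) && strncmp(p, method, n) == 0)
            return 1;
    }
    return 0;   /* unlisted or future methods never admit root */
}

int main(void)
{
    const char *methods[] = { "pubkey", "password", "keyboard-interactive/pam" };
    size_t i;

    for (i = 0; i < sizeof(methods) / sizeof(methods[0]); i++)
        printf("without-password + %-24s -> %s\n", methods[i],
            root_method_allowed("without-password", methods[i]) ? "allow" : "deny");
    return 0;
}
```

With a deny-list the keyboard-interactive/pam case would have needed its own explicit entry; here it is refused because nothing lists it.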
For the time being, please at least add an appropriate note to sshd_config. I'm glad I tested whether setting "PermitRoot without-password" really works. It took me quite some time to figure out WTF was happening.
The warning has already been added and is in 3.8.1p1:

 - (dtucker) [sshd_config.5] Add PermitRootLogin without-password warning from bug #701 (text from jfh at cise.ufl.edu).
Great! It's even on the master site already. What's the usual mirror update frequency?
Don't know (it's probably going to vary depending on the mirror).
Patch attachment #766 in bug #971 should fix this.
(In reply to comment #0)
> Also, the following code in auth-password.c
>
> #ifndef HAVE_CYGWIN
>         if (pw && pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
>                 ok = 0;
> #endif
>
> seems to prevent the auth.c:auth_root_allowed() routine from ever being
> called, meaning that the following log line in auth.c doesn't get called:
>
>         logit("ROOT LOGIN REFUSED FROM %.200s", get_remote_ipaddr());
>
> When the code in auth-passwd.c is commented out, auth.c:auth_root_allowed()
> gets run properly.

The problem with changing this is that the "ROOT LOGIN REFUSED" message is only supposed to appear when root authenticated successfully but was denied by sshd_config.

To deal with potential information leaks (ie bug #971), in the case of an invalid login, sshd will trash the user's response before handing it back to PAM, so that PAM behaves the same way for these cases:
- password wrong
- password right but denied by sshd_config (PermitRootLogin, AllowUsers etc).

Because of this, sshd will never know if the credentials the user supplied are valid, which means that it can either log *every* attempt or *none*, but it can no longer log only the ones that were denied by sshd_config.
The patch in bug #971 prevents root from logging in via keyboard-interactive when "PermitRootLogin without-password" and has been in the devel tree for a while. It will be in the next release. I have removed the comment in sshd_config.5 since it no longer applies.
With the release of OpenSSH 4.0, these bugs are now closed. For details, see: http://www.openssh.com/txt/release-4.0