Bug 486

Summary: "PermitRootLogin no" can implicitly reveal root password
Product: Portable OpenSSH
Reporter: Maik Schreiber <blizzy>
Component: sshd
Assignee: OpenSSH Bugzilla mailing list <openssh-bugs>
Status: CLOSED FIXED
Severity: security
Priority: P2
Version: -current
Hardware: All
OS: Linux
Bug Depends on: 387
Bug Blocks:

Description Maik Schreiber 2003-02-07 02:46:18 AEDT
With 3.5p1, when setting "PermitRootLogin no" in /etc/ssh/sshd_config, logging
in as root is disabled, of course.

However, when entering the correct password, ssh prints "Connection reset by
peer" and exits immediately. When entering the wrong password, it will prompt
you again.

I think this qualifies as a security hole, since you can use brute-force tools
to try to log in as root. Of course you need to have/hack another account to
actually have the possibility to become root (via su or other means), but at
least you know the password.

Comment 1 Markus Friedl 2003-02-07 07:51:58 AEDT
are you using PAM?

Comment 2 Markus Friedl 2003-02-07 08:20:33 AEDT
fixed in -current

Comment 3 Colin Watson 2003-05-06 10:08:35 AEST
This has reoccurred as of 3.6.1p2. With 3.6.1p1, there was no delay for a root
login when PermitRootLogin was off regardless of whether the supplied password
was correct or not. With 3.6.1p2 and "PermitRootLogin no", an incorrect password
for root incurs a delay while a correct password does not.

(Apologies if this should have been a new bug.)

Comment 4 Damien Miller 2003-06-04 23:32:12 AEST
definitely fixed in -current (tested PAM and non-PAM)

Comment 5 Damien Miller 2004-04-14 12:24:18 AEST
Mass change of RESOLVED bugs to CLOSED
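
Added example, not part of the bug thread and not OpenSSH's own code: a small C model of the behaviour reported above, showing a check ordering that reacts differently to a correct root password beside an ordering that does not. The account table, passwords, enum and function names are all constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Reactions a remote client can tell apart. */
enum outcome { REPROMPT, CONN_RESET, LOGIN_OK };

struct account { const char *name; const char *password; int is_root; };

/* Constructed sample accounts; a real server compares password hashes. */
static const struct account ACCOUNTS[] = {
    { "root",  "constructed-root-pw", 1 },
    { "alice", "constructed-user-pw", 0 },
};

static const struct account *lookup(const char *user) {
    for (size_t i = 0; i < sizeof ACCOUNTS / sizeof ACCOUNTS[0]; i++)
        if (strcmp(ACCOUNTS[i].name, user) == 0)
            return &ACCOUNTS[i];
    return NULL;
}

/* Flawed ordering: the root policy is applied only after the password
 * matched, so a correct root password gets a different reaction. */
enum outcome auth_flawed(const char *user, const char *pw, int permit_root) {
    const struct account *a = lookup(user);
    if (a == NULL || strcmp(a->password, pw) != 0)
        return REPROMPT;
    if (a->is_root && !permit_root)
        return CONN_RESET;
    return LOGIN_OK;
}

/* Hardened ordering: settle the policy first, still run the password
 * check, and send every failure down the same path. A real server must
 * also apply the same failure delay on that path (see comment 3). */
enum outcome auth_hardened(const char *user, const char *pw, int permit_root) {
    const struct account *a = lookup(user);
    int allowed = a != NULL && !(a->is_root && !permit_root);
    int match = a != NULL && strcmp(a->password, pw) == 0;
    return (allowed && match) ? LOGIN_OK : REPROMPT;
}

int main(void) {
    printf("flawed:   correct=%d wrong=%d\n",
           auth_flawed("root", "constructed-root-pw", 0), auth_flawed("root", "x", 0));
    printf("hardened: correct=%d wrong=%d\n",
           auth_hardened("root", "constructed-root-pw", 0), auth_hardened("root", "x", 0));
    return 0;
}
```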