PermitRootLogin without-password actually does the same as PermitRootLogin yes

Automatically imported from Debian bug report #271822 http://bugs.debian.org/271822

Message-ID: <email address hidden>
Date: Wed, 15 Sep 2004 15:58:17 +0200
From: Jonas Meurer <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: PermitRootLogin without-password actually does the same as PermitRootLogin yes

Package: ssh
Version: 1:3.8.1p1-8
Severity: grave

hello,

after i tested it on two differnent boxes, one with up-to-date sarge,
and one with up-to-date sid, i'm quite confident, that the
PermitRootLogin option at sshd_config doesn't understand the
without-password value.

after i changed PermitRootLogin from 'yes' to 'without-password', i was
still able to login from a remote box without any key, and with typing
the root password, not the key passphrase.

i tag this bug as grave, as this is a dangerous security hole. i don't
know how long this appears, but many users may use the feature without
any apprehension that this may open the ssh root account for more
people.

bye
 jonas

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.8-i386
Locale: LANG=en_GB.UTF-8, LC_CTYPE=de_DE.UTF-8@euro

Versions of packages ssh depends on:
ii adduser 3.59 Add and remove users and groups
ii debconf 1.4.36 Debian configuration management sy
ii dpkg 1.10.23 Package maintenance system for Deb
ii libc6 2.3.2.ds1-16 GNU C Library: Shared libraries an
ii libpam-modules 0.76-22 Pluggable Authentication Modules f
ii libpam-runtime 0.76-22 Runtime support for the PAM librar
ii libpam0g 0.76-22 Pluggable Authentication Modules l
ii libssl0.9.7 0.9.7d-5 SSL shared libraries
ii libwrap0 7.6.dbs-6 Wietse Venema's TCP wrappers libra
ii zlib1g 1:1.2.1.2-1 compression library - runtime

-- debconf information:
  ssh/insecure_rshd:
  ssh/user_environment_tell:
* ssh/forward_warning:
  ssh/insecure_telnetd:
  ssh/new_config: true
* ssh/use_old_init_script: true
* ssh/SUID_client: true
  ssh/ssh2_keys_merged:
* ssh/protocol2_only: true
  ssh/encrypted_host_key_but_no_keygen:
* ssh/run_sshd: true

Message-ID: <email address hidden>
Date: Thu, 16 Sep 2004 13:13:01 +0200
From: Frank Lichtenheld <email address hidden>
To: Jonas Meurer <email address hidden>, <email address hidden>
Subject: Re: Bug#271822: PermitRootLogin without-password actually does the same as PermitRootLogin
 yes

On Wed, Sep 15, 2004 at 03:58:17PM +0200, Jonas Meurer wrote:
> after i tested it on two differnent boxes, one with up-to-date sarge,
> and one with up-to-date sid, i'm quite confident, that the
> PermitRootLogin option at sshd_config doesn't understand the
> without-password value.
>
> after i changed PermitRootLogin from 'yes' to 'without-password', i was
> still able to login from a remote box without any key, and with typing
> the root password, not the key passphrase.

Are you sure you disabled PAM authentication which is the default
authentication method in the current packages? It is documented that
there are password based authentication methods that aren't covered by
without-password:
<quote sshd_config(5)>
If this option is set to ``without-password'' password authenti-
cation is disabled for root. Note that other authentication
methods (e.g., keyboard-interactive/PAM) may still allow root to
login using a password.
</quote>

Gruesse,
--
Frank Lichtenheld <email address hidden>
www: http://www.djpig.de/

Message-ID: <email address hidden>
Date: Thu, 16 Sep 2004 16:15:42 +0200
From: Jonas Meurer <email address hidden>
To: Frank Lichtenheld <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#271822: PermitRootLogin without-password actually does the same as PermitRootLogin
 yes

On 16/09/2004 Frank Lichtenheld wrote:
> On Wed, Sep 15, 2004 at 03:58:17PM +0200, Jonas Meurer wrote:
> > after i changed PermitRootLogin from 'yes' to 'without-password', i was
> > still able to login from a remote box without any key, and with typing
> > the root password, not the key passphrase.
>
> Are you sure you disabled PAM authentication which is the default
> authentication method in the current packages? It is documented that
> there are password based authentication methods that aren't covered by
> without-password:
> <quote sshd_config(5)>
> If this option is set to ``without-password'' password authenti-
> cation is disabled for root. Note that other authentication
> methods (e.g., keyboard-interactive/PAM) may still allow root to
> login using a password.
> </quote>

if i use
UsePAM no

even normal user pam logins don't work any longer.

that's not what i want.

bye
 jonas

Message-ID: <email address hidden>
Date: Thu, 16 Sep 2004 16:30:52 +0200
From: Jonas Meurer <email address hidden>
To: <email address hidden>
Cc: <email address hidden>
Subject: pam disabled, passwordauthentication yes works, changed to wishlist

severity 271822 wishlist
thanks

hello,

without using PAM, but enabling PasswordAuthentication the
'without-password' option for PermitRootLogin works quite well:
PasswordAuthentication yes
UsePAM no

anyway, it would be nice to document this somewhere.

bye
 jonas

Message-ID: <email address hidden>
Date: Thu, 16 Sep 2004 17:04:41 +0200
From: Frank Lichtenheld <email address hidden>
To: Jonas Meurer <email address hidden>, <email address hidden>
Subject: Re: Bug#271822: PermitRootLogin without-password actually does the same as PermitRootLogin
 yes

On Thu, Sep 16, 2004 at 04:15:42PM +0200, Jonas Meurer wrote:
> On 16/09/2004 Frank Lichtenheld wrote:
[...]
> > Are you sure you disabled PAM authentication which is the default
> > authentication method in the current packages? It is documented that
> > there are password based authentication methods that aren't covered by
> > without-password:
[...]
>
> if i use
> UsePAM no
>
> even normal user pam logins don't work any longer.
>
> that's not what i want.

Hmm, but the bug isn't "grave" then because it isn't undocumented
as you stated, is it? (I'm not the ssh maintainer, so it's not
my decision anyway...)

Gruesse,
--
Frank Lichtenheld <email address hidden>
www: http://www.djpig.de/

Message-Id: <1095984517.3312.7.camel@localhost>
Date: Fri, 24 Sep 2004 02:08:37 +0200
From: Christian Guggenberger <email address hidden>
To: <email address hidden>
Cc: <email address hidden>, <email address hidden>, <email address hidden>
Subject: Bug#271822: PermitRootLogin without-password actually does the same as PermitRootLogin yes

>On 16/09/2004 Frank Lichtenheld wrote:
>> On Wed, Sep 15, 2004 at 03:58:17PM +0200, Jonas Meurer wrote:
>> > after i changed PermitRootLogin from 'yes' to 'without-password', i was
>> > still able to login from a remote box without any key, and with typing
>> > the root password, not the key passphrase.
>>
>> Are you sure you disabled PAM authentication which is the default
>> authentication method in the current packages? It is documented that
>> there are password based authentication methods that aren't covered by
>> without-password:
>> <quote sshd_config(5)>
>> If this option is set to ``without-password'' password authenti-
>> cation is disabled for root. Note that other authentication
>> methods (e.g., keyboard-interactive/PAM) may still allow root to
>> login using a password.
>> </quote>

>if i use
>UsePAM no
>
>even normal user pam logins don't work any longer.
>
>that's not what i want.

well, you can enable PAM, but you then need to disable ChallengeResponse Authentifiaction (enabled by default).
This will prevent root logins with password when 'without-password' is set.
Keep in mind that in this case passwords will go encrypted over the net.

cheers.
 - Christian

--
\|/ ____ \|/
"@'/ .. \'@"
/_| \__/ |_\
   \__U_/

Message-ID: <email address hidden>
Date: Fri, 24 Sep 2004 16:17:28 +0200
From: Jonas Meurer <email address hidden>
To: Christian Guggenberger <email address hidden>
Cc: <email address hidden>, <email address hidden>, <email address hidden>
Subject: Re: Bug#271822: PermitRootLogin without-password actually does the same as PermitRootLogin
 yes

On 24/09/2004 Christian Guggenberger wrote:
> >if i use
> >UsePAM no
> >
> >even normal user pam logins don't work any longer.
> >
> >that's not what i want.
>
> well, you can enable PAM, but you then need to disable ChallengeResponse Authentifiaction (enabled by default).
> This will prevent root logins with password when 'without-password' is set.
> Keep in mind that in this case passwords will go encrypted over the net.

yes, that works, as well as UsePAM no and PasswordAuthentication yes
works. but it should be documented somewhere.

bye
 jonas

Message-ID: <email address hidden>
Date: Fri, 24 Sep 2004 16:27:17 +0200
From: Jonas Meurer <email address hidden>
To: Christian Guggenberger <email address hidden>
Cc: <email address hidden>, <email address hidden>, <email address hidden>,
 <email address hidden>
Subject: Re: Bug#271822: PermitRootLogin without-password actually does the same as PermitRootLogin
 yes

On 24/09/2004 Christian Guggenberger wrote:
> well, you can enable PAM, but you then need to disable ChallengeResponse Authentifiaction (enabled by default).
> This will prevent root logins with password when 'without-password' is set.
> Keep in mind that in this case passwords will go encrypted over the net.

well, i forgot ...
you _always_ have to turn on PasswordAuthentication, to still allow
normal users logins, that's the relevant point. the setting of
ChallengeResponseAuthentification doesn't matter for that issue.

it matters only for the issue whether root still is able to login with
his plain password.

and that's the confusing part, when i set UsePAM to yes,
ChallengeResponseAuthentification to no, and PermitRootLogin to
without-password, i expect root password login to be denied, but not
normal user password logins.
anyway, to make it work, you have to set PasswordAuthentication.

bye
 jonas

Message-Id: <1096409990.2128.9.camel@localhost>
Date: Wed, 29 Sep 2004 00:19:50 +0200
From: Christian Guggenberger <email address hidden>
To: Jonas Meurer <email address hidden>
Cc: <email address hidden>, <email address hidden>,
 <email address hidden>
Subject: Re: Bug#271822: PermitRootLogin without-password actually does the
 same as PermitRootLogin yes

On Fri, 2004-09-24 at 16:27 +0200, Jonas Meurer wrote:
> On 24/09/2004 Christian Guggenberger wrote:
> > well, you can enable PAM, but you then need to disable ChallengeResponse Authentifiaction (enabled by default).
> > This will prevent root logins with password when 'without-password' is set.
> > Keep in mind that in this case passwords will go encrypted over the net.
>
> well, i forgot ...
> you _always_ have to turn on PasswordAuthentication, to still allow
> normal users logins, that's the relevant point. the setting of
> ChallengeResponseAuthentification doesn't matter for that issue.
>
well, that's not true. Even with PasswordAuthentication set no, "normal"
users will be allowed in with their passwords via ChallengeResponse
Authentification/PAM. In that case ChallengeResponseAuthentification
really _does_ matter.

But, as discussed earlier, then you have to disallow root logins
completely via ssh - the "without-password" option is not as fine
granulated as should/could be; it does not distinguish between ssh
rsd/dsa keys and s/keys. I think upstream is working on a finer
granulated scheme for that option. (i don't have the related openssh
bugID handy, sorry)

cheers.
 - Christian

Message-ID: <email address hidden>
Date: Thu, 30 Sep 2004 22:53:26 +0200
From: Jonas Meurer <email address hidden>
To: Christian Guggenberger <email address hidden>
Cc: <email address hidden>, <email address hidden>, <email address hidden>
Subject: Re: Bug#271822: PermitRootLogin without-password actually does the same as PermitRootLogin
 yes

On 29/09/2004 Christian Guggenberger wrote:
> On Fri, 2004-09-24 at 16:27 +0200, Jonas Meurer wrote:
> > you _always_ have to turn on PasswordAuthentication, to still allow
> > normal users logins, that's the relevant point. the setting of
> > ChallengeResponseAuthentification doesn't matter for that issue.
>
> well, that's not true. Even with PasswordAuthentication set no, "normal"
> users will be allowed in with their passwords via ChallengeResponse
> Authentification/PAM. In that case ChallengeResponseAuthentification
> really _does_ matter.

ok, but in this case root login without key still works.

> But, as discussed earlier, then you have to disallow root logins
> completely via ssh - the "without-password" option is not as fine
> granulated as should/could be; it does not distinguish between ssh
> rsd/dsa keys and s/keys. I think upstream is working on a finer
> granulated scheme for that option. (i don't have the related openssh
> bugID handy, sorry)

what do you mean with that? what i would like to see, is a "Permission
denied (publickey)" for root login attempts without key, and still
working non-key logins for other users.

bye
 jonas

Message-ID: <email address hidden>
Date: Thu, 27 Jan 2005 13:54:54 +1100
From: Darren Tucker <email address hidden>
To: <email address hidden>, Jonas Meurer <email address hidden>
Subject: Debian bug #271822: fixed upstream

Hi.
 The aforementioned Debian bug has been fixed upstream (and, I believe,
it Debian too since the upstream patch is partially based on one from
Colin Watson).

http://bugzilla.mindrot.org/show_bug.cgi?id=971

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
     Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

Message-ID: <email address hidden>
Date: Thu, 3 Feb 2005 18:12:24 +0100
From: Jonas Meurer <email address hidden>
To: Darren Tucker <email address hidden>
Cc: <email address hidden>
Subject: Re: Debian bug #271822: fixed upstream

On 27/01/2005 Darren Tucker wrote:
> Hi.
> The aforementioned Debian bug has been fixed upstream (and, I
> believe, it Debian too since the upstream patch is partially based on one
> from Colin Watson).
>
> http://bugzilla.mindrot.org/show_bug.cgi?id=971

thanks a lot, you're correct.

therefore, i closed the bug.

bye
 jonas

Fixed, according to submitter.