PermitRootLogin without-password actually does the same as PermitRootLogin yes
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| openssh (Debian) | Fix Released | Unknown | | |
| openssh (Ubuntu) | Fix Released | Wishlist | Colin Watson | |
Bug Description
Automatically imported from Debian bug report #271822 http://
Debian Bug Importer (debzilla) wrote : | #2 |
Message-ID: <email address hidden>
Date: Wed, 15 Sep 2004 15:58:17 +0200
From: Jonas Meurer <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: PermitRootLogin without-password actually does the same as PermitRootLogin yes
Package: ssh
Version: 1:3.8.1p1-8
Severity: grave
hello,
after i tested it on two different boxes, one with up-to-date sarge,
and one with up-to-date sid, i'm quite confident that the
PermitRootLogin option at sshd_config doesn't understand the
without-password value.
after i changed PermitRootLogin from 'yes' to 'without-password', i was
still able to login from a remote box without any key, and with typing
the root password, not the key passphrase.
i tag this bug as grave, as this is a dangerous security hole. i don't
know how long this appears, but many users may use the feature without
any apprehension that this may open the ssh root account for more
people.
bye
jonas
-- System Information:
Debian Release: 3.1
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.8-i386
Locale: LANG=en_GB.UTF-8, LC_CTYPE=
Versions of packages ssh depends on:
ii adduser 3.59 Add and remove users and groups
ii debconf 1.4.36 Debian configuration management sy
ii dpkg 1.10.23 Package maintenance system for Deb
ii libc6 2.3.2.ds1-16 GNU C Library: Shared libraries an
ii libpam-modules 0.76-22 Pluggable Authentication Modules f
ii libpam-runtime 0.76-22 Runtime support for the PAM librar
ii libpam0g 0.76-22 Pluggable Authentication Modules l
ii libssl0.9.7 0.9.7d-5 SSL shared libraries
ii libwrap0 7.6.dbs-6 Wietse Venema's TCP wrappers libra
ii zlib1g 1:1.2.1.2-1 compression library - runtime
-- debconf information:
ssh/insecure_
ssh/user_
* ssh/forward_
ssh/insecure_
ssh/new_config: true
* ssh/use_
* ssh/SUID_client: true
ssh/ssh2_
* ssh/protocol2_only: true
ssh/encrypted
* ssh/run_sshd: true
In Debian Bug tracker #271822, Frank Lichtenheld (djpig) wrote (Thu, 16 Sep 2004 13:13:01 +0200) : Re: Bug#271822: PermitRootLogin without-password actually does the same as PermitRootLogin yes | #3 |
On Wed, Sep 15, 2004 at 03:58:17PM +0200, Jonas Meurer wrote:
> after i tested it on two differnent boxes, one with up-to-date sarge,
> and one with up-to-date sid, i'm quite confident, that the
> PermitRootLogin option at sshd_config doesn't understand the
> without-password value.
>
> after i changed PermitRootLogin from 'yes' to 'without-password', i was
> still able to login from a remote box without any key, and with typing
> the root password, not the key passphrase.
Are you sure you disabled PAM authentication which is the default
authentication method in the current packages? It is documented that
there are password based authentication methods that aren't covered by
without-password:
<quote sshd_config(5)>
If this option is set to ``without-password'' password authenti-
cation is disabled for root. Note that other authentication
methods (e.g., keyboard-interactive/PAM) may still allow root to
login using a password.
</quote>
Gruesse,
--
Frank Lichtenheld <email address hidden>
www: http://
In Debian Bug tracker #271822, mejo (jonas-freesources) wrote (Thu, 16 Sep 2004 16:15:42 +0200) : | #5 |
On 16/09/2004 Frank Lichtenheld wrote:
> On Wed, Sep 15, 2004 at 03:58:17PM +0200, Jonas Meurer wrote:
> > after i changed PermitRootLogin from 'yes' to 'without-password', i was
> > still able to login from a remote box without any key, and with typing
> > the root password, not the key passphrase.
>
> Are you sure you disabled PAM authentication which is the default
> authentication method in the current packages? It is documented that
> there are password based authentication methods that aren't covered by
> without-password:
> <quote sshd_config(5)>
> If this option is set to ``without-password'' password authenti-
> cation is disabled for root. Note that other authentication
> methods (e.g., keyboard-interactive/PAM) may still allow root to
> login using a password.
> </quote>
if i use
UsePAM no
even normal user pam logins don't work any longer.
that's not what i want.
bye
jonas
In Debian Bug tracker #271822, mejo (jonas-freesources) wrote (Thu, 16 Sep 2004 16:30:52 +0200) : pam disabled, passwordauthentication yes works, changed to wishlist | #6 |
severity 271822 wishlist
thanks
hello,
without using PAM, but enabling PasswordAuthentication, the
'without-password' option for PermitRootLogin works quite well:
PasswordAuthentication yes
UsePAM no
anyway, it would be nice to document this somewhere.
bye
jonas
In Debian Bug tracker #271822, Frank Lichtenheld (djpig) wrote (Thu, 16 Sep 2004 17:04:41 +0200) : Re: Bug#271822: PermitRootLogin without-password actually does the same as PermitRootLogin yes | #7 |
On Thu, Sep 16, 2004 at 04:15:42PM +0200, Jonas Meurer wrote:
> On 16/09/2004 Frank Lichtenheld wrote:
[...]
> > Are you sure you disabled PAM authentication which is the default
> > authentication method in the current packages? It is documented that
> > there are password based authentication methods that aren't covered by
> > without-password:
[...]
>
> if i use
> UsePAM no
>
> even normal user pam logins don't work any longer.
>
> that's not what i want.
Hmm, but the bug isn't "grave" then because it isn't undocumented
as you stated, is it? (I'm not the ssh maintainer, so it's not
my decision anyway...)
Gruesse,
--
Frank Lichtenheld <email address hidden>
www: http://
In Debian Bug tracker #271822, Christian Guggenberger (christian-guggenberger) wrote (Fri, 24 Sep 2004 02:08:37 +0200) : Bug#271822: PermitRootLogin without-password actually does the same as PermitRootLogin yes | #11 |
>On 16/09/2004 Frank Lichtenheld wrote:
>> On Wed, Sep 15, 2004 at 03:58:17PM +0200, Jonas Meurer wrote:
>> > after i changed PermitRootLogin from 'yes' to 'without-password', i was
>> > still able to login from a remote box without any key, and with typing
>> > the root password, not the key passphrase.
>>
>> Are you sure you disabled PAM authentication which is the default
>> authentication method in the current packages? It is documented that
>> there are password based authentication methods that aren't covered by
>> without-password:
>> <quote sshd_config(5)>
>> If this option is set to ``without-password'' password authenti-
>> cation is disabled for root. Note that other authentication
>> methods (e.g., keyboard-interactive/PAM) may still allow root to
>> login using a password.
>> </quote>
>if i use
>UsePAM no
>
>even normal user pam logins don't work any longer.
>
>that's not what i want.
well, you can enable PAM, but you then need to disable ChallengeResponseAuthentication (enabled by default).
This will prevent root logins with password when 'without-password' is set.
Keep in mind that in this case passwords will go encrypted over the net.
cheers.
- Christian
--
\|/ ____ \|/
"@'/ .. \'@"
/_| \__/ |_\
\__U_/
In Debian Bug tracker #271822, mejo (jonas-freesources) wrote (Fri, 24 Sep 2004 16:17:28 +0200) : Re: Bug#271822: PermitRootLogin without-password actually does the same as PermitRootLogin yes | #13 |
On 24/09/2004 Christian Guggenberger wrote:
> >if i use
> >UsePAM no
> >
> >even normal user pam logins don't work any longer.
> >
> >that's not what i want.
>
> well, you can enable PAM, but you then need to disable ChallengeResponseAuthentication (enabled by default).
> This will prevent root logins with password when 'without-password' is set.
> Keep in mind that in this case passwords will go encrypted over the net.
yes, that works, as well as UsePAM no and PasswordAuthentication yes
works. but it should be documented somewhere.
bye
jonas
In Debian Bug tracker #271822, mejo (jonas-freesources) wrote (Fri, 24 Sep 2004 16:27:17 +0200) : | #14 |
On 24/09/2004 Christian Guggenberger wrote:
> well, you can enable PAM, but you then need to disable ChallengeResponseAuthentication (enabled by default).
> This will prevent root logins with password when 'without-password' is set.
> Keep in mind that in this case passwords will go encrypted over the net.
well, i forgot ...
you _always_ have to turn on PasswordAuthentication
normal user logins, that's the relevant point. the setting of
ChallengeResponseAuthentication
it matters only for the issue whether root still is able to login with
his plain password.
and that's the confusing part, when i set UsePAM to yes,
ChallengeResponseAuthentication
without-password, i expect root password login to be denied, but not
normal user password logins.
anyway, to make it work, you have to set PasswordAuthentication
bye
jonas
In Debian Bug tracker #271822, Christian Guggenberger (christian-guggenberger) wrote (Wed, 29 Sep 2004 00:19:50 +0200) : Re: Bug#271822: PermitRootLogin without-password actually does the same as PermitRootLogin yes | #17 |
On Fri, 2004-09-24 at 16:27 +0200, Jonas Meurer wrote:
> On 24/09/2004 Christian Guggenberger wrote:
> > well, you can enable PAM, but you then need to disable ChallengeResponseAuthentication (enabled by default).
> > This will prevent root logins with password when 'without-password' is set.
> > Keep in mind that in this case passwords will go encrypted over the net.
>
> well, i forgot ...
> you _always_ have to turn on PasswordAuthentication
> normal user logins, that's the relevant point. the setting of
> ChallengeResponseAuthentication
>
well, that's not true. Even with PasswordAuthentication
users will be allowed in with their passwords via ChallengeResponse
Authentication
really _does_ matter.
But, as discussed earlier, then you have to disallow root logins
completely via ssh - the "without-password" option is not as fine
granulated as should/could be; it does not distinguish between ssh
rsa/dsa keys and s/keys. I think upstream is working on a finer
granulated scheme for that option. (i don't have the related openssh
bugID handy, sorry)
cheers.
- Christian
In Debian Bug tracker #271822, mejo (jonas-freesources) wrote (Thu, 30 Sep 2004 22:53:26 +0200) : Re: Bug#271822: PermitRootLogin without-password actually does the same as PermitRootLogin yes | #19 |
On 29/09/2004 Christian Guggenberger wrote:
> On Fri, 2004-09-24 at 16:27 +0200, Jonas Meurer wrote:
> > you _always_ have to turn on PasswordAuthentication
> > normal user logins, that's the relevant point. the setting of
> > ChallengeResponseAuthentication
>
> well, that's not true. Even with PasswordAuthentication
> users will be allowed in with their passwords via ChallengeResponse
> Authentication
> really _does_ matter.
ok, but in this case root login without key still works.
> But, as discussed earlier, then you have to disallow root logins
> completely via ssh - the "without-password" option is not as fine
> granulated as should/could be; it does not distinguish between ssh
> rsa/dsa keys and s/keys. I think upstream is working on a finer
> granulated scheme for that option. (i don't have the related openssh
> bugID handy, sorry)
what do you mean with that? what i would like to see, is a "Permission
denied (publickey)" for root login attempts without key, and still
working non-key logins for other users.
bye
jonas
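The interaction the thread works out (which combination of UsePAM, ChallengeResponseAuthentication, PasswordAuthentication and PermitRootLogin still lets root in with a password) as an added example, not code from the bug report or from the openssh package: a small Python checker that parses sshd_config lines and applies the pre-fix behaviour described above. It assumes upstream-era defaults for keywords missing from the file and that PAM is the only keyboard-interactive backend (no S/Key), as in the Debian build discussed.

```python
"""Model of the sshd_config interaction worked out in Debian bug #271822:
which settings still let root log in with a password while
PermitRootLogin is 'without-password' (OpenSSH 3.8-era behaviour,
before the upstream fix mentioned at the end of the thread)."""

# Values assumed when a keyword is absent (assumption: upstream defaults of
# that era; the thread notes Debian's shipped file turns UsePAM on explicitly).
DEFAULTS = {
    "permitrootlogin": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "usepam": "no",
}

def parse_sshd_config(text):
    """Return {keyword: value}, lowercased. Like sshd, the first occurrence
    of a keyword wins; '#' comments and blank lines are skipped (trailing
    comments are stripped here as a simplification)."""
    settings = dict(DEFAULTS)
    seen = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key not in seen:
            seen.add(key)
            settings[key] = value
    return settings

def password_login_matrix(cfg):
    """Apply the thread's findings:
    - 'without-password' rejects only the plain 'password' method for root;
    - keyboard-interactive through PAM (ChallengeResponseAuthentication yes
      AND UsePAM yes) still accepts root's password: the reported hole.
    Assumption: no S/Key backend, so ChallengeResponse without PAM
    authenticates nobody."""
    plain_pw = cfg["passwordauthentication"] == "yes"
    kbd_int_pam = (cfg["challengeresponseauthentication"] == "yes"
                   and cfg["usepam"] == "yes")
    prl = cfg["permitrootlogin"]
    if prl == "yes":
        root = plain_pw or kbd_int_pam
    elif prl == "without-password":
        root = kbd_int_pam
    else:  # "no" or "forced-commands-only": no password path for root
        root = False
    return {"root_password_login": root,
            "user_password_login": plain_pw or kbd_int_pam}

# Constructed sample configs mirroring the four situations in the thread.
SCENARIOS = {
    # comment #2: Debian defaults plus without-password; root still gets in
    "reported": "PermitRootLogin without-password\nUsePAM yes\n"
                "ChallengeResponseAuthentication yes\nPasswordAuthentication yes\n",
    # comment #6: PAM off, plain passwords on; root blocked, users fine
    "no_pam": "PermitRootLogin without-password\nUsePAM no\n"
              "ChallengeResponseAuthentication yes\nPasswordAuthentication yes\n",
    # comment #11: PAM on, challenge-response off; root blocked, users fine
    "no_challenge": "PermitRootLogin without-password\nUsePAM yes\n"
                    "ChallengeResponseAuthentication no\nPasswordAuthentication yes\n",
    # comments #17/#19: plain passwords off but PAM kbd-int on; root gets in
    "wished": "PermitRootLogin without-password\nUsePAM yes\n"
              "ChallengeResponseAuthentication yes\nPasswordAuthentication no\n",
}

def report(name):
    m = password_login_matrix(parse_sshd_config(SCENARIOS[name]))
    return (f"{name}: root by password={m['root_password_login']}, "
            f"users by password={m['user_password_login']}")

if __name__ == "__main__":
    for scenario in SCENARIOS:
        print(report(scenario))
```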
In Debian Bug tracker #271822, Darren Tucker (dtucker) wrote (Thu, 27 Jan 2005 13:54:54 +1100) : Debian bug #271822: fixed upstream | #21 |
Hi.
The aforementioned Debian bug has been fixed upstream (and, I believe,
it Debian too since the upstream patch is partially based on one from
Colin Watson).
http://
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
In Debian Bug tracker #271822, mejo (jonas-freesources) wrote (Thu, 3 Feb 2005 18:12:24 +0100) : | #23 |
On 27/01/2005 Darren Tucker wrote:
> Hi.
> The aforementioned Debian bug has been fixed upstream (and, I
> believe, it Debian too since the upstream patch is partially based on one
> from Colin Watson).
>
> http://
thanks a lot, you're correct.
therefore, i closed the bug.
bye
jonas
Colin Watson (cjwatson) wrote : | #25 |
Fixed, according to submitter.
Changed in openssh: status: Unknown → Fix Released
Automatically imported from Debian bug report #271822 http://bugs.debian.org/271822