Re: can't prevent root lockout under Tru64/C2 security

From: Darren Tucker (dtucker_at_gate.dodgy.net.au)
Date: 01/31/05


Date: 31 Jan 2005 02:34:06 GMT

On 2005-01-30, msb <mikebroderick@gmail.com> wrote:
> Anyone have any idea why adding these two settings to the sshd config
> does not stop the login attempt in sshd, before reaching the system
> auth db?

Older versions of OpenSSH would not call the system's password
authentication mechanism if it had already decided that the attempt could
never succeed (eg if the user was "root" and PermitRootLogin was set to
"no", or the user is listed in DenyUsers).

Unfortunately, where the authentication mechanism behaved noticeably
differently for failed auth attempts (eg PAM if a fail-on-delay is
configured) this allows an attacker to determine whether or not a given
password is valid, even though it won't allow them to actually log in.
(This is CAN-2003-0190).

sshd was changed to always call the configured authentication method then
later override the result if necessary. This ensures consistent behaviour
for these situations, which results in the behaviour you're seeing.

There's no way to configure around it in sshd (or at least, I can't
think of one, which is not necessarily the same thing :-)

If you can't configure Tru64's SIA to ignore lockout on root then you can
apply the following patch to OpenSSH 3.9p1 (untested as I have no access
to Tru64 but it's simple).

Index: auth-passwd.c
===================================================================
RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth-passwd.c,v
retrieving revision 1.77
diff -u -p -r1.77 auth-passwd.c
--- auth-passwd.c 24 Jan 2005 11:50:47 -0000 1.77
+++ auth-passwd.c 31 Jan 2005 02:12:54 -0000
@@ -73,14 +73,14 @@ int
 auth_password(Authctxt *authctxt, const char *password)
 {
         struct passwd * pw = authctxt->pw;
- int ok = authctxt->valid;
+ int ok = authctxt->valid, root_ok = 1;
 #if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
         static int expire_checked = 0;
 #endif
 
 #ifndef HAVE_CYGWIN
         if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
- ok = 0;
+ root_ok = 0;
 #endif
         if (*password == '\0' && options.permit_empty_passwd == 0)
                 return 0;
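Review bot: with `ok = 0` replaced by `root_ok = 0` in this hunk, `ok` now carries only `authctxt->valid` for a denied root login, so the root restriction is enforced solely by how `root_ok` is used in the return statement later in the function. A short comment at the `root_ok = 1` declaration saying that it is deliberately evaluated before `sys_auth_passwd()` (the opposite of the post-CAN-2003-0190 convention that `ok` is applied after the backend call) would document that intent for anyone maintaining the patched build.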
@@ -117,7 +117,7 @@ auth_password(Authctxt *authctxt, const
         }
 #endif
                 
- return (sys_auth_passwd(authctxt, password) && ok);
+ return (root_ok && sys_auth_passwd(authctxt, password) && ok);
 }
 
 #ifdef BSD_AUTH
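Review bot: the `root_ok &&` placed first short-circuits the call to `sys_auth_passwd()`, so a denied root attempt never reaches the SIA backend and its lockout accounting, which is the goal here; the order matters, since `sys_auth_passwd(authctxt, password) && root_ok && ok` would still trigger the lockout. The trade-off worth stating next to the patch is that, for root only, this reinstates the observable difference between a denied and a consulted attempt that the CAN-2003-0190 change removed (the rest of the function's callers keep the consistent behaviour for ordinary users), so a site applying it accepts that for the root account specifically.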

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
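As an added illustration of the three orderings discussed in this thread (the older short-circuit, the post-CAN-2003-0190 always-call behaviour, and the `root_ok` guard in the patch), here is constructed example code that is not part of OpenSSH or of this post. `fake_sys_auth_passwd()` is an assumed stand-in for `sys_auth_passwd()` that keeps a failed-root-attempt counter the way a lockout-capable auth database would, so one can see which ordering lets a denied root attempt reach the backend at all.

```c
/* Added example (not OpenSSH code): models the ordering of the
 * PermitRootLogin check relative to the system password backend.
 * The backend below is a constructed stand-in for sys_auth_passwd(). */
#include <stdio.h>
#include <string.h>

#define PERMIT_YES 1
#define PERMIT_NO  0

/* Constructed state standing in for the system auth database. */
static int root_failures = 0;   /* what a lockout counter would record */
static int backend_calls = 0;   /* how often the backend was consulted */

static void reset_backend(void) { root_failures = 0; backend_calls = 0; }

/* Constructed backend: only root/"correct" and alice/"secret" succeed. */
static int fake_sys_auth_passwd(const char *user, const char *password)
{
    int ok;
    backend_calls++;
    ok = (strcmp(user, "root") == 0 && strcmp(password, "correct") == 0) ||
         (strcmp(user, "alice") == 0 && strcmp(password, "secret") == 0);
    if (!ok && strcmp(user, "root") == 0)
        root_failures++;        /* the backend sees the failed root attempt */
    return ok;
}

enum ordering { SHORT_CIRCUIT, ALWAYS_CALL, ROOT_GUARD };

/* uid 0 is root; permit_root_login mirrors the PermitRootLogin option.
 * Returns 1 when the login would be accepted, 0 otherwise. */
static int auth_password_model(enum ordering how, const char *user, int uid,
                               const char *password, int permit_root_login)
{
    int ok = 1;        /* plays the role of authctxt->valid */
    int root_ok = 1;

    if (uid == 0 && permit_root_login != PERMIT_YES) {
        if (how == ROOT_GUARD)
            root_ok = 0;   /* the patch: a flag checked before the backend */
        else
            ok = 0;        /* stock sshd: the override applied afterwards */
    }

    switch (how) {
    case SHORT_CIRCUIT:
        /* older sshd: a doomed attempt never consults the backend */
        if (!ok)
            return 0;
        return fake_sys_auth_passwd(user, password) && ok;
    case ALWAYS_CALL:
        /* sshd after CAN-2003-0190: backend always runs, result overridden */
        return fake_sys_auth_passwd(user, password) && ok;
    case ROOT_GUARD:
        /* the ordering from the patch in this post */
        return root_ok && fake_sys_auth_passwd(user, password) && ok;
    }
    return 0;
}

/* Number of failed root attempts the backend recorded after n wrong-password
 * root logins under the given ordering, with PermitRootLogin set to "no". */
static int root_failures_recorded(enum ordering how, int n)
{
    int i;
    reset_backend();
    for (i = 0; i < n; i++)
        auth_password_model(how, "root", 0, "wrong", PERMIT_NO);
    return root_failures;
}

int main(void)
{
    printf("short-circuit: %d failures recorded\n",
           root_failures_recorded(SHORT_CIRCUIT, 3));
    printf("always-call:   %d failures recorded\n",
           root_failures_recorded(ALWAYS_CALL, 3));
    printf("root-guard:    %d failures recorded\n",
           root_failures_recorded(ROOT_GUARD, 3));
    return 0;
}
```

Under the always-call ordering every denied root attempt reaches the backend and is counted against the account, which is exactly the lockout the original poster is seeing; the short-circuit and `root_ok` orderings keep those attempts away from the backend while still refusing the login even when the password is correct.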

