Re: can't prevent root lockout under Tru64/C2 security

From: Darren Tucker (
Date: 01/31/05

Date: 31 Jan 2005 02:34:06 GMT

On 2005-01-30, msb <> wrote:
> Anyone have any idea why adding these two settings to the sshd config
> does not stop the login attempt in sshd, before reaching the system
> auth db?

Older versions of OpenSSH would not call the system's password
authentication mechanism if it had already decided that the attempt could
never succeed (eg if the user was "root" and PermitRootLogin was set to
"no", or the user is listed in DenyUsers).

Unfortunately, where the authentication mechanism behaved noticeably
differently for failed auth attempts (eg PAM if a fail-on-delay is
configured) this allows an attacker to determine whether or not a given
password is valid, even though it won't allow them to actually log in.
(This is CAN-2003-0190).

sshd was changed to always call the configured authentication method then
later override the result if necessary. This ensures consistent behaviour
for these situations, which results in the behaviour you're seeing.

There's no way to configure around it in sshd (or at least, I can't
think of one, which is not necessarily the same thing :-)

If you can't configure Tru64's SIA to ignore lockout on root then you can
apply the following patch to OpenSSH 3.9p1 (untested as I have no access
to Tru64 but it's simple).

Index: auth-passwd.c
RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth-passwd.c,v
retrieving revision 1.77
diff -u -p -r1.77 auth-passwd.c
--- auth-passwd.c 24 Jan 2005 11:50:47 -0000 1.77
+++ auth-passwd.c 31 Jan 2005 02:12:54 -0000
@@ -73,14 +73,14 @@ int
 auth_password(Authctxt *authctxt, const char *password)
         struct passwd * pw = authctxt->pw;
- int ok = authctxt->valid;
+ int ok = authctxt->valid, root_ok = 1;
 #if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
         static int expire_checked = 0;
 #ifndef HAVE_CYGWIN
         if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
- ok = 0;
+ root_ok = 0;
         if (*password == '\0' && options.permit_empty_passwd == 0)
                 return 0;
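Review bot: `root_ok` is introduced on the first `+` line but only ever cleared inside the `#ifndef HAVE_CYGWIN` block, so nothing at the declaration says why a second flag next to `ok` is needed; a one-line comment there (that `root_ok` gates whether the system routine is called at all for root, while `ok` only overrides the result afterwards) would document the intent, and makes it clear that on Cygwin `root_ok` simply stays 1, matching the `ok = 0` it replaces being skipped there too.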
@@ -117,7 +117,7 @@ auth_password(Authctxt *authctxt, const
- return (sys_auth_passwd(authctxt, password) && ok);
+ return (root_ok && sys_auth_passwd(authctxt, password) && ok);
 #ifdef BSD_AUTH
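Review bot: putting `root_ok &&` ahead of `sys_auth_passwd()` in the return means the system routine is never invoked for root when PermitRootLogin is not "yes", which is exactly the early-exit path the always-call change described above (CAN-2003-0190) removed; that is the purpose of this patch (no SIA lockout count for root), but a comment at the return should say so explicitly, since it deliberately reintroduces an observable difference between root and non-root failures and would otherwise look like a regression to a later reader.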

Darren Tucker (dtucker at
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
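To make the three call orderings in the message concrete (the pre-CAN-2003-0190 early exit, the 3.9p1 always-call-then-override code, and the patch above), here is an added model in C; it is not OpenSSH's code, and `sys_auth_passwd()` is a constructed stub that only counts how often the system back end is reached.

```c
#include <string.h>

/* Constructed model (not OpenSSH's code) of the three call orderings in
 * the message; sys_auth_passwd is a counting stub for the system back end. */
enum { PERMIT_NO = 0, PERMIT_YES = 1 };
struct authctxt {
    const char *user;
    unsigned uid;   /* 0 for root */
    int valid;      /* user exists and passes DenyUsers etc. */
};
static int sys_auth_calls;  /* how many times the back end was reached */
/* Stand-in for the platform check (PAM, SIA, ...), which on a real system
 * may delay, log, or bump a lockout counter on every failure. */
static int sys_auth_passwd(const struct authctxt *ctxt, const char *password)
{
    sys_auth_calls++;
    return strcmp(ctxt->user, "alice") == 0 && strcmp(password, "s3cret") == 0;
}
/* Pre-CAN-2003-0190: decide early and never touch the back end for root. */
int auth_password_old(const struct authctxt *ctxt, const char *password, int permit_root)
{
    if (ctxt->uid == 0 && permit_root != PERMIT_YES)
        return 0;
    return sys_auth_passwd(ctxt, password) && ctxt->valid;
}
/* 3.9p1 as shipped: always call the back end, then override the result. */
int auth_password_fixed(const struct authctxt *ctxt, const char *password, int permit_root)
{
    int ok = ctxt->valid;
    if (ctxt->uid == 0 && permit_root != PERMIT_YES)
        ok = 0;
    return sys_auth_passwd(ctxt, password) && ok;
}

/* The patch in the message: root_ok short-circuits ahead of the back end. */
int auth_password_patched(const struct authctxt *ctxt, const char *password, int permit_root)
{
    int ok = ctxt->valid, root_ok = 1;
    if (ctxt->uid == 0 && permit_root != PERMIT_YES)
        root_ok = 0;
    return root_ok && sys_auth_passwd(ctxt, password) && ok;
}

/* Runs one root attempt with PermitRootLogin no; returns back-end calls made. */
int backend_calls_for_root(int (*fn)(const struct authctxt *, const char *, int))
{
    struct authctxt root = { "root", 0, 1 };
    sys_auth_calls = 0;
    (void)fn(&root, "guess", PERMIT_NO);
    return sys_auth_calls;
}
```

Only the shipped variant reaches the back end for a refused root attempt; the patch restores the early exit for root alone, which is why it stops the Tru64 lockout count and also why root and non-root failures become distinguishable again.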