Bug#726661: Does not permit login as root from version 1:6.2p2-6

[Simon McVittie <smcv@debian.org>]

I think there are two separate issues here, both with the symptom
"can't log in over ssh as root"; if the maintainer agrees with my
analysis, this bug should probably be cloned.

First one (suggested title: "pam_loginuid(sshd:session): set_loginuid failed"):

On Thu, 17 Oct 2013 at 20:56:15 +0000, Andrea Lusuardi wrote:
> Oct 17 20:11:34 nl-01 sshd[25206]: Accepted password for root from IP port 44676 ssh2
> Oct 17 20:11:34 nl-01 sshd[25206]: pam_loginuid(sshd:session): set_loginuid failed
> Oct 17 20:11:34 nl-01 sshd[25206]: pam_unix(sshd:session): session opened for user root by (uid=0)
> Oct 17 20:11:34 nl-01 sshd[25206]: error: PAM: pam_open_session(): Cannot make/remove an entry for the specified session
> Oct 17 20:11:34 nl-01 sshd[25206]: Received disconnect from IP: 11: disconnected by user

As Darren Tucker pointed out, the issue here is that sshd is running under
sysvinit as pid 1, and has been restarted in the context of the sysadmin's
login session, either by the upgrade itself or by explicit sysadmin action.
This means sshd already has a loginuid set, so its child processes are not
allowed to set a different loginuid for the ssh login session.

systemd as pid 1 would be unaffected by this, because it always starts
services as a direct child of pid 1, never a child of the login session
that requested the service start; Upstart as pid 1 would probably
be unaffected for the same reason.

Second issue, which I think is separate (possible title: "forbidding root
password login by default is awkward for systems with only root user"):

On Sat, 27 Sep 2014 at 10:06:39 -0400, Daniel Richard G. wrote:
> On Sat, 2014 Sep 27 15:40+0200, Thijs Kinkhorst wrote:
> > So am I right to conclude that this bug actually concerns the change
> > that changes PermitRootLogin to without-password?
[...]
> > I think changing this default makes sense from a security perspective
> 
> I won't argue that, but I don't see anything in openssh-server's package
> scripts addressing the case of a system with a root user + password but
> no regular user (i.e. root is the only login available).

I'm not sure that this second issue is release-critical, or even a bug,
although I agree it's annoying for virtual machines. It's certainly
a reasonable feature request.

> IMHO it remains best practice of the installer to ask for enable/disable as
> usual (with default to "no", but I KNOW HOW TO ANSWER....).
> I would be really happy to still have the choice from the installer (this does
> not reduce security of a default installation).

openssh-server already has a debconf question for this, but it's only
used in upgrades, not new installations.

I don't think the installer should ask this at normal priority, because
the more questions the installer asks, the less user-friendly it is;
but it might make sense to default to "PermitRootLogin yes" if no non-system
uids exist, or ask at a low priority for the "expert" installer mode,
or at least make it pre-seedable.

    S