Re: Putty 0.45 vs. SSH Login

* Tim van Erven <tripudium@chello.nl> [020506 16:02]:
> > I rather think ssh should check also earlier for root
> > and not even call PAM when root login is not permitted
> > and someone tries to log in as root.
> This will reveal that root login is never permitted. Probably no big
> deal, but it would be nice if it could be avoided.

If it waited some time for itself, then a possible difference between
PAM's waiting time and ssh's waiting time would be hard to detect,
as root may cause other waiting times than other accounts in PAM.
And I prefer that people know that I do not let ssh in, rather than that
they may be able to check for the root password.

> I disagree. By that reasoning it would be even better if OpenSSH
> double-checked all of PAM's work. That would add bloat to ssh and
> possibly even introduce new security problems. If you're going to rely
> on PAM, you should rely on PAM.

That's why I talked about "reasonable" security checks. Duplicating all
of PAM's functionality would be bloat. Disabling possible security
problems by disabling root early seems reasonable to me.

	Bernhard R. Link
The man who trades freedom for security does not deserve 
nor will he ever receive either. (Benjamin Franklin)
