
Re: Putty 0.45 vs. SSH Login



* Tim van Erven <tripudium@chello.nl> [020506 16:02]:
> > I rather think ssh should check also earlier for root
> > and not even call PAM when root login is not permitted
> > and someone tries to log in as root.
> 
> This will reveal that root login is never permitted. Probably no big
> deal, but it would be nice if it could be avoided.

If it waited some time by itself, then a possible difference between
PAM's waiting time and ssh's waiting time would be hard to detect,
as root may cause other waiting times than other accounts in PAM.
And I prefer that people know that I do not let ssh in, rather than that
they may be able to check for the root-password.

> I disagree. By that reasoning it would be even better if OpenSSH
> double-checked all of PAM's work. That would add bloat to ssh and
> possibly even introduce new security problems. If you're going to rely
> on PAM, you should rely on PAM.

That's why I talked about "reasonable" security checks. Duplicating all
of PAM's functionality would be bloat. Disabling possible security
problems by disabling root early seems reasonable to me.

Respectfully,
	Bernhard R. Link
-- 
The man who trades freedom for security does not deserve 
nor will he ever receive either. (Benjamin Franklin)
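
An added example, not part of the original message and not OpenSSH or PAM code: a sketch of the two ideas discussed in this thread, rejecting a forbidden root login before the password backend is called, and padding every failure to one fixed duration so the early rejection is not visible through timing. The names `login`, `toy_backend` and `FAIL_FLOOR` and the 2-second value are assumptions made for illustration.

```python
import hmac
import time

FAIL_FLOOR = 2.0  # assumed: seconds every failed attempt must take in total

# Constructed sample credentials, for the demonstration only.
_SAMPLE_USERS = {"alice": "correct horse", "root": "toor-sample"}


def toy_backend(user, password):
    """Stand-in for the PAM conversation; returns True on a match."""
    expected = _SAMPLE_USERS.get(user, "")
    return hmac.compare_digest(expected.encode(), password.encode())


def login(user, password, backend=toy_backend, permit_root=False,
          clock=time.monotonic, sleep=time.sleep):
    """Authenticate, keeping failures indistinguishable by duration.

    A root attempt with permit_root=False never reaches the backend, so
    the root password cannot be tested through this path. Every failure,
    early or late, returns only once FAIL_FLOOR seconds have passed since
    the attempt began. The floor must exceed the backend's slowest
    failure, or the difference shows again.
    """
    start = clock()
    if user == "root" and not permit_root:
        ok = False  # rejected before the backend sees the password
    else:
        ok = backend(user, password)
    if not ok:
        remaining = FAIL_FLOOR - (clock() - start)
        while remaining > 0:  # loop in case sleep returns early
            sleep(remaining)
            remaining = FAIL_FLOOR - (clock() - start)
    return ok


if __name__ == "__main__":
    for user, pw in [("root", "toor-sample"), ("alice", "wrong")]:
        t0 = time.monotonic()
        result = login(user, pw)
        print(user, result, round(time.monotonic() - t0, 1))
```
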

