
Bug#390147: openssh-server does not apply pam_access restriction for root user.



Package: openssh-server
Version: 1:4.3p2-3
Severity: important



-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.15-1-686-smp
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages openssh-server depends on:
ii  adduser                      3.97        Add and remove users and groups
ii  debconf [debconf-2.0]        1.5.4       Debian configuration management sy
ii  dpkg                         1.13.22     package maintenance system for Deb
ii  libc6                        2.3.6.ds1-4 GNU C Library: Shared libraries
ii  libcomerr2                   1.39-1      common error description library
ii  libkrb53                     1.4.4-1     MIT Kerberos runtime libraries
ii  libpam-modules               0.79-3.2    Pluggable Authentication Modules f
ii  libpam-runtime               0.79-3.2    Runtime support for the PAM librar
ii  libpam0g                     0.79-3.2    Pluggable Authentication Modules l
ii  libselinux1                  1.30.28-1   SELinux shared libraries
ii  libssl0.9.8                  0.9.8c-1    SSL shared libraries
ii  libwrap0                     7.6.dbs-11  Wietse Venema's TCP wrappers libra
ii  openssh-client               1:4.3p2-3   Secure shell client, an rlogin/rsh
ii  zlib1g                       1:1.2.3-13  compression library - runtime

openssh-server recommends no packages.

-- debconf information:
  ssh/insecure_rshd:
  ssh/insecure_telnetd:
  ssh/new_config: true
* ssh/use_old_init_script: true
  ssh/encrypted_host_key_but_no_keygen:
* ssh/disable_cr_auth: false

Hello,

I'm trying to use pam_access to manage user and root connections to the host. But the access
restriction does not seem to apply to the root user. For testing purposes, I try to deny
root access using pam_access. The only lines I have in my /etc/security/access.conf
are:

#### CAUTION: ORDER _DOES_ MATTER.

#### Grant access to it group members.
+:it:ALL

#### Deny access to everyone from everywhere as fallback.
-:ALL:ALL

I've configured sshd to use PAM (UsePAM yes) and uncommented the right line in my /etc/pam.d/ssh file:

# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
account  required     pam_access.so

Login using an authorized or an unauthorized account works as expected, but not for root. I can
still log in as root with those settings.

Setting the sshd log level to debug3 (LogLevel DEBUG3), I found the following in my auth.log:

....
Sep 29 15:06:08 foo pam_access[13939]: access denied for user `root' from `bar.net'
Sep 29 15:06:08 foo sshd[13939]: debug3: PAM: do_pam_account pam_acct_mgmt = 0 (Success)
....

Why does ssh allow the root connection when PAM denies access?

I don't know if it helps, but when setting the control for pam_access.so in /etc/pam.d/ssh to requisite, it works as expected:

....
Sep 29 15:13:27 slb02 pam_access[13975]: access denied for user `root' from `slb01.arbed.agn'
Sep 29 15:13:27 slb02 sshd[13975]: debug3: PAM: do_pam_account pam_acct_mgmt = 6 (Permission denied)
....

Sorry if this is not a bug or if it has already been reported.

Thanks for your help,

cedric.
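The difference the report observes between `required` and `requisite`, as an added example that is not the reporter's code nor part of OpenSSH or Linux-PAM: a simulator of the documented Linux-PAM control-flag semantics run over constructed `account` stacks modelled on the report. Under those semantics both the `required` and the `requisite` stack should return PAM_PERM_DENIED (6) when pam_access denies, which is why a pam_acct_mgmt = 0 with `required` is worth investigating; the third, constructed stack shows how a `sufficient` module placed before pam_access masks its denial.

```python
# Added example (not from the bug report): simulate Linux-PAM control-flag
# semantics for an 'account' stack such as the one in /etc/pam.d/ssh, so the
# pam_acct_mgmt result a stack should yield can be checked without a login.
# Module return values are supplied by the caller; no real PAM module runs.
PAM_SUCCESS, PAM_PERM_DENIED, PAM_IGNORE = 0, 6, 25   # Linux-PAM numeric codes

def parse_stack(pam_text, stack_type="account"):
    """Return [(control, module)] for lines of stack_type; skips comments and @include."""
    stack = []
    for raw in pam_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[0] == stack_type:
            stack.append((parts[1].lower(), parts[2]))
    return stack

def run_stack(stack, results):
    """Apply the simple control keywords to simulated module results.

    results maps module name -> return code; unlisted modules succeed.
    """
    remembered = None                       # first failure of a 'required' module
    for control, module in stack:
        rv = results.get(module, PAM_SUCCESS)
        if rv == PAM_IGNORE:
            continue                        # module asked to be skipped
        if control == "requisite":
            if rv != PAM_SUCCESS:
                return rv                   # fail at once; rest of stack not run
        elif control == "required":
            if rv != PAM_SUCCESS and remembered is None:
                remembered = rv             # remember, but keep running the stack
        elif control == "sufficient":
            if rv == PAM_SUCCESS and remembered is None:
                return PAM_SUCCESS          # short-circuits everything after it
        # 'sufficient' failures and 'optional' results do not decide the outcome here
    return PAM_SUCCESS if remembered is None else remembered

# Constructed stacks modelled on the report: pam_access first, then pam_unix.
REQUIRED_STACK = "account required pam_access.so\naccount required pam_unix.so\n"
REQUISITE_STACK = "account requisite pam_access.so\naccount required pam_unix.so\n"
# Constructed misordering: a 'sufficient' module ahead of pam_access hides its denial.
SUFFICIENT_FIRST = "account sufficient pam_unix.so\naccount required pam_access.so\n"

def outcome(pam_text, access_denied=True):
    """pam_acct_mgmt code a stack should return when pam_access denies (or allows)."""
    results = {"pam_access.so": PAM_PERM_DENIED if access_denied else PAM_SUCCESS}
    return run_stack(parse_stack(pam_text), results)

if __name__ == "__main__":
    for name, text in [("required", REQUIRED_STACK), ("requisite", REQUISITE_STACK),
                       ("sufficient first", SUFFICIENT_FIRST)]:
        print(f"{name:16s} pam_acct_mgmt = {outcome(text)}")
```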
