Bug#390147: openssh-server does not apply pam_access restriction for root user.
Package: openssh-server
Version: 1:4.3p2-3
Severity: important
-- System Information:
Debian Release: testing/unstable
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.15-1-686-smp
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Versions of packages openssh-server depends on:
ii adduser 3.97 Add and remove users and groups
ii debconf [debconf-2.0] 1.5.4 Debian configuration management sy
ii dpkg 1.13.22 package maintenance system for Deb
ii libc6 2.3.6.ds1-4 GNU C Library: Shared libraries
ii libcomerr2 1.39-1 common error description library
ii libkrb53 1.4.4-1 MIT Kerberos runtime libraries
ii libpam-modules 0.79-3.2 Pluggable Authentication Modules f
ii libpam-runtime 0.79-3.2 Runtime support for the PAM librar
ii libpam0g 0.79-3.2 Pluggable Authentication Modules l
ii libselinux1 1.30.28-1 SELinux shared libraries
ii libssl0.9.8 0.9.8c-1 SSL shared libraries
ii libwrap0 7.6.dbs-11 Wietse Venema's TCP wrappers libra
ii openssh-client 1:4.3p2-3 Secure shell client, an rlogin/rsh
ii zlib1g 1:1.2.3-13 compression library - runtime
openssh-server recommends no packages.
-- debconf information:
ssh/insecure_rshd:
ssh/insecure_telnetd:
ssh/new_config: true
* ssh/use_old_init_script: true
ssh/encrypted_host_key_but_no_keygen:
* ssh/disable_cr_auth: false
Hello,
I'm trying to use pam_access to manage user and root connections to the host, but the access
restriction does not seem to apply to the root user. For testing purposes, I tried to deny
root access using pam_access. The only lines I have in my /etc/security/access.conf
are:
#### CAUTION: ORDER _DOES_ MATTER.
#### Grant access to it group members.
+:it:ALL
#### Deny access to everyone from everywhere as fallback.
-:ALL:ALL
I've configured sshd to use PAM (UsePAM yes) and uncommented the right line in my /etc/pam.d/ssh file:
# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
account required pam_access.so
Login using authorized and unauthorized accounts works as expected, but not for root: I can
still log in as root with those settings.
Setting the sshd log level to debug3 (LogLevel DEBUG3), I found the following in my auth.log:
....
Sep 29 15:06:08 foo pam_access[13939]: access denied for user `root' from `bar.net'
Sep 29 15:06:08 foo sshd[13939]: debug3: PAM: do_pam_account pam_acct_mgmt = 0 (Success)
....
Why does ssh allow the root connection when PAM denies access?
I don't know if it helps, but when I set the control for pam_access.so in /etc/pam.d/ssh to requisite, it works as expected:
....
Sep 29 15:13:27 slb02 pam_access[13975]: access denied for user `root' from `slb01.arbed.agn'
Sep 29 15:13:27 slb02 sshd[13975]: debug3: PAM: do_pam_account pam_acct_mgmt = 6 (Permission denied)
....
Sorry if this is not a bug or if it has already been reported.
Thanks for your help,
cedric.
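The following is an added example, not code from the bug report, openssh or Linux-PAM. It models two things the report turns on: how pam_access evaluates the two rules above (first match wins, which is why the file's own header warns that order matters), and how the Linux-PAM control flags required and requisite are documented to combine a module's failure with the rest of the account stack. The GROUPS table (a hypothetical user "alice" in group "it") and the always-passing second module are constructed stand-ins; origin matching is simplified and netgroups are not modelled. Under the documented flag semantics both required and requisite end with pam_acct_mgmt = 6 for root, which is the behaviour the reporter expected and only saw with requisite.

```python
# Added example: a model of pam_access rule matching and Linux-PAM account-stack
# control flags. Not code from the bug report, openssh or Linux-PAM; GROUPS and
# always_ok_module are constructed stand-ins.

# Constructed, hypothetical group table: 'alice' is in group 'it', root is not.
GROUPS = {"it": {"alice"}}

# The reporter's two rules, with their comments.
ACCESS_CONF = """\
#### CAUTION: ORDER _DOES_ MATTER.
#### Grant access to it group members.
+:it:ALL
#### Deny access to everyone from everywhere as fallback.
-:ALL:ALL
"""

# Return codes as printed in sshd's debug3 "pam_acct_mgmt = N" lines.
PAM_SUCCESS, PAM_PERM_DENIED = 0, 6


def parse_access_conf(text):
    """Turn access.conf text into (permit, user_items, origin_items) tuples.
    Fields are ':'-separated, items inside a field are space-separated."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        rules.append((perm == "+", users.split(), origins.split()))
    return rules


def _match_list(items, pred):
    """Match an access.conf list, honouring 'A B EXCEPT C': true when an item
    before EXCEPT matches and none after it does."""
    if "EXCEPT" in items:
        i = items.index("EXCEPT")
        included, excluded = items[:i], items[i + 1:]
    else:
        included, excluded = items, []
    return any(pred(x) for x in included) and not any(pred(x) for x in excluded)


def _user_item_matches(item, user):
    # ALL, an exact user name, or a group the user belongs to.
    return item == "ALL" or item == user or user in GROUPS.get(item, ())


def _origin_item_matches(item, origin):
    # Simplified: ALL, LOCAL (origin without a dot), a '.domain' suffix,
    # or an exact host name. Netgroups (@name) are not modelled.
    if item == "ALL":
        return True
    if item == "LOCAL":
        return "." not in origin
    if item.startswith("."):
        return origin.endswith(item)
    return item == origin


def pam_access_check(rules, user, origin):
    """First matching rule wins. With no matching rule at all, permit."""
    for permit, users, origins in rules:
        if (_match_list(users, lambda u: _user_item_matches(u, user))
                and _match_list(origins, lambda o: _origin_item_matches(o, origin))):
            return permit
    return True


def run_account_stack(stack, user, origin):
    """Documented Linux-PAM control-flag model: requisite fails at once,
    required records the failure and keeps running the stack, sufficient
    returns early only if no required module failed, optional is ignored."""
    first_required_failure = None
    for control, module in stack:
        rc = module(user, origin)
        if rc == PAM_SUCCESS:
            if control == "sufficient" and first_required_failure is None:
                return PAM_SUCCESS
            continue
        if control == "requisite":
            return rc
        if control == "required" and first_required_failure is None:
            first_required_failure = rc
    return PAM_SUCCESS if first_required_failure is None else first_required_failure


def pam_access_module(user, origin):
    ok = pam_access_check(parse_access_conf(ACCESS_CONF), user, origin)
    return PAM_SUCCESS if ok else PAM_PERM_DENIED


def always_ok_module(user, origin):
    # Hypothetical stand-in for whatever account modules follow pam_access.
    return PAM_SUCCESS


def sshd_account_result(control, user="root", origin="bar.net"):
    """pam_acct_mgmt result for the reporter's test login, with pam_access
    under the given control flag followed by a passing module."""
    stack = [(control, pam_access_module), ("required", always_ok_module)]
    return run_account_stack(stack, user, origin)
```

Calling sshd_account_result("required") and sshd_account_result("requisite") both return 6 (PAM_PERM_DENIED) in this model, while sshd_account_result("required", user="alice") returns 0. Swapping the two rules in ACCESS_CONF makes the fallback deny match first for everyone, which is the ordering mistake the file's header warns about.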