Bug#548087: openssh-server: if 'PermitRootLogin no' set, PAM should not get auth requests

To: Mark Hedges <hedges@scriptdolphin.org>
Cc: 548087@bugs.debian.org
Subject: Bug#548087: openssh-server: if 'PermitRootLogin no' set, PAM should not get auth requests
From: Russ Allbery <rra@debian.org>
Date: Wed, 23 Sep 2009 12:29:57 -0700
Message-id: <[🔎] 874oqtv4qy.fsf@windlord.stanford.edu>
Reply-to: Russ Allbery <rra@debian.org>, 548087@bugs.debian.org
In-reply-to: <[🔎] 20090923174408.12495.27774.reportbug@li16-163.members.linode.com> (Mark Hedges's message of "Wed, 23 Sep 2009 10:44:08 -0700")
References: <[🔎] 20090923174408.12495.27774.reportbug@li16-163.members.linode.com>

Mark Hedges <hedges@scriptdolphin.org> writes:

> It seems like, if PermitRootLogin is set to no, authentication requests
> should never be passed to PAM at all once the 'root' username is sent.

It turns out that you don't want to do that (or at least that's the
prevailing security wisdom) because it creates a timing difference that
the attacker can use to detect the PermitRootLogin setting.  ssh
intentionally runs all attempts through the PAM stack but then always
rejects them regardless of the outcome of the PAM authentication so that
the timing is the same as any other login and the attacker can't tell why
they're failing.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

Reply to:

References:
- Bug#548087: openssh-server: if 'PermitRootLogin no' set, PAM should not get auth requests
  - From: Mark Hedges <hedges@scriptdolphin.org>

Prev by Date: Bug#548087: openssh-server: if 'PermitRootLogin no' set, PAM should not get auth requests
Next by Date: Bug#548087: marked as done (openssh-server: if 'PermitRootLogin no' set, PAM should not get auth requests)
Previous by thread: Bug#548087: openssh-server: if 'PermitRootLogin no' set, PAM should not get auth requests
Next by thread: Bug#548087: marked as done (openssh-server: if 'PermitRootLogin no' set, PAM should not get auth requests)
Index(es):
- Date
- Thread