3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@
+ - markus@cvs.openbsd.org 2001/02/12 16:16:23
+ [auth-passwd.c auth.c auth.h auth1.c auth2.c servconf.c servconf.h
+ ssh-keygen.c sshd.8]
+ PermitRootLogin={yes,without-password,forced-commands-only,no}
+ (before this change, root could login even if PermitRootLogin==no)
20010214
- (djm) Don't try to close PAM session or delete credentials if the
*/
#include "includes.h"
-RCSID("$OpenBSD: auth-passwd.c,v 1.20 2001/01/21 19:05:42 markus Exp $");
+RCSID("$OpenBSD: auth-passwd.c,v 1.21 2001/02/12 16:16:23 markus Exp $");
#if !defined(USE_PAM) && !defined(HAVE_OSF_SIA)
if (pw == NULL)
return 0;
#ifndef HAVE_CYGWIN
- if (pw->pw_uid == 0 && options.permit_root_login == 2)
+ if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
return 0;
#endif
#ifdef HAVE_CYGWIN
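Review bot: The added root test `options.permit_root_login != PERMIT_YES` refuses silently and carries no comment saying that it duplicates the policy in auth_root_allowed(), so a later reader cannot tell which of the two checks is authoritative. It is compiled only under `#ifndef HAVE_CYGWIN`, and the preceding context line suggests the whole region is skipped when USE_PAM or HAVE_OSF_SIA is defined, so on those builds the without-password restriction presumably rests on auth_root_allowed() alone. I would add `/* root may use a password only with PermitRootLogin yes; other builds rely on auth_root_allowed() */` above the test. The enclosing function starts and ends outside the hunk.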
*/
#include "includes.h"
-RCSID("$OpenBSD: auth.c,v 1.16 2001/02/04 15:32:22 stevesk Exp $");
+RCSID("$OpenBSD: auth.c,v 1.17 2001/02/12 16:16:23 markus Exp $");
#ifdef HAVE_LOGIN_H
#include <login.h>
}
/*
- * Check if the user is logging in as root and root logins are disallowed.
- * Note that root login is _allways_ allowed for forced commands.
+ * Check whether root logins are disallowed.
*/
int
-auth_root_allowed(void)
+auth_root_allowed(char *method)
{
- if (options.permit_root_login)
+ switch (options.permit_root_login) {
+ case PERMIT_YES:
return 1;
- if (forced_command) {
- log("Root login accepted for forced command.");
- return 1;
- } else {
- log("ROOT LOGIN REFUSED FROM %.200s", get_remote_ipaddr());
- return 0;
+ break;
+ case PERMIT_NO_PASSWD:
+ if (strcmp(method, "password") != 0)
+ return 1;
+ break;
+ case PERMIT_FORCED_ONLY:
+ if (forced_command) {
+ log("Root login accepted for forced command.");
+ return 1;
+ }
+ break;
}
+ log("ROOT LOGIN REFUSED FROM %.200s", get_remote_ipaddr());
+ return 0;
}
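Review bot: In `case PERMIT_NO_PASSWD`, `strcmp(method, "password") != 0` rejects only the method whose name is literally "password", so any other method that is ultimately backed by a password (challenge-response or keyboard-interactive style methods, if the build offers them) would still admit root under without-password. The method strings come from get_authname() in auth1.c and from the caller in auth2.c, both outside this hunk, so the full list cannot be checked here; an allow-list of key-based method names would fail closed instead. `method` is also dereferenced without a NULL check and is never written, so `auth_root_allowed(const char *method)` with an early `if (method == NULL)` refusal would be safer, with the same change to the prototype in auth.h. The `break` after `return 1` in `case PERMIT_YES` is unreachable, and a comment stating that PERMIT_NO and PERMIT_NOT_SET deliberately fall through to the refusal would help the next reader.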
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
- * $OpenBSD: auth.h,v 1.10 2001/01/21 19:05:43 markus Exp $
+ * $OpenBSD: auth.h,v 1.11 2001/02/12 16:16:23 markus Exp $
*/
#ifndef AUTH_H
#define AUTH_H
Authctxt *authctxt_new(void);
void auth_log(Authctxt *authctxt, int authenticated, char *method, char *info);
void userauth_reply(Authctxt *authctxt, int authenticated);
-int auth_root_allowed(void);
+int auth_root_allowed(char *method);
int auth2_challenge(Authctxt *authctxt, char *devs);
*/
#include "includes.h"
-RCSID("$OpenBSD: auth1.c,v 1.15 2001/02/07 22:35:45 markus Exp $");
+RCSID("$OpenBSD: auth1.c,v 1.16 2001/02/12 16:16:23 markus Exp $");
#include "xmalloc.h"
#include "rsa.h"
}
#else
/* Special handling for root */
- if (authenticated && authctxt->pw->pw_uid == 0 && !auth_root_allowed())
+ if (authenticated && authctxt->pw->pw_uid == 0 &&
+ !auth_root_allowed(get_authname(type)))
authenticated = 0;
#endif
#ifdef USE_PAM
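Review bot: Because `auth_root_allowed()` is evaluated only when `authenticated` is already true, its "ROOT LOGIN REFUSED" log line is written only after a root credential has verified; the same holds for the identical test in the auth2.c hunk. That makes the message a high-value signal for whoever monitors these logs (a valid root key or password was presented and policy blocked it), while failed root attempts are not recorded by this path. A comment such as `/* reached only after successful authentication: a refusal here means a valid root credential was used */` above the test would make that explicit. The result also depends on get_authname(type) returning exactly the string compared in auth.c, and get_authname() is defined outside this hunk.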
*/
#include "includes.h"
-RCSID("$OpenBSD: auth2.c,v 1.40 2001/02/10 12:52:02 markus Exp $");
+RCSID("$OpenBSD: auth2.c,v 1.41 2001/02/12 16:16:23 markus Exp $");
#include <openssl/evp.h>
authctxt->user);
/* Special handling for root */
- if (authenticated && authctxt->pw->pw_uid == 0 && !auth_root_allowed())
+ if (authenticated && authctxt->pw->pw_uid == 0 &&
+ !auth_root_allowed(method))
authenticated = 0;
#ifdef USE_PAM
*/
#include "includes.h"
-RCSID("$OpenBSD: servconf.c,v 1.66 2001/02/11 12:59:25 markus Exp $");
+RCSID("$OpenBSD: servconf.c,v 1.67 2001/02/12 16:16:23 markus Exp $");
#ifdef KRB4
#include <krb.h>
options->server_key_bits = -1;
options->login_grace_time = -1;
options->key_regeneration_time = -1;
- options->permit_root_login = -1;
+ options->permit_root_login = PERMIT_NOT_SET;
options->ignore_rhosts = -1;
options->ignore_user_known_hosts = -1;
options->print_motd = -1;
options->login_grace_time = 600;
if (options->key_regeneration_time == -1)
options->key_regeneration_time = 3600;
- if (options->permit_root_login == -1)
- options->permit_root_login = 1; /* yes */
+ if (options->permit_root_login == PERMIT_NOT_SET)
+ options->permit_root_login = PERMIT_YES;
if (options->ignore_rhosts == -1)
options->ignore_rhosts = 1;
if (options->ignore_user_known_hosts == -1)
exit(1);
}
if (strcmp(arg, "without-password") == 0)
- value = 2;
+ value = PERMIT_NO_PASSWD;
+ else if (strcmp(arg, "forced-commands-only") == 0)
+ value = PERMIT_FORCED_ONLY;
else if (strcmp(arg, "yes") == 0)
- value = 1;
+ value = PERMIT_YES;
else if (strcmp(arg, "no") == 0)
- value = 0;
+ value = PERMIT_NO;
else {
- fprintf(stderr, "%s line %d: Bad yes/without-password/no argument: %s\n",
- filename, linenum, arg);
+ fprintf(stderr, "%s line %d: Bad yes/"
+ "without-password/forced-commands-only/no "
+ "argument: %s\n", filename, linenum, arg);
exit(1);
}
if (*intptr == -1)
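Review bot: The context line `if (*intptr == -1)` still compares against the bare literal although this commit introduces PERMIT_NOT_SET for exactly that sentinel; if the line belongs to the PermitRootLogin case, `if (*intptr == PERMIT_NOT_SET)` keeps the parser consistent with the initialisation and default code changed earlier in this file. The accepted keywords are now listed twice, once in the strcmp chain and once in the error text, so the two can drift apart when a mode is added. The enclosing case starts and ends outside the hunk.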
* called by a name other than "ssh" or "Secure Shell".
*/
-/* RCSID("$OpenBSD: servconf.h,v 1.37 2001/02/11 12:59:25 markus Exp $"); */
+/* RCSID("$OpenBSD: servconf.h,v 1.38 2001/02/12 16:16:23 markus Exp $"); */
#ifndef SERVCONF_H
#define SERVCONF_H
#define MAX_SUBSYSTEMS 256 /* Max # subsystems. */
#define MAX_HOSTKEYS 256 /* Max # hostkeys. */
+/* permit_root_login */
+#define PERMIT_NOT_SET -1
+#define PERMIT_NO 0
+#define PERMIT_FORCED_ONLY 1
+#define PERMIT_NO_PASSWD 2
+#define PERMIT_YES 3
+
+
typedef struct {
u_int num_ports;
u_int ports_from_cmdline;
int login_grace_time; /* Disconnect if no auth in this time
* (sec). */
int key_regeneration_time; /* Server key lifetime (seconds). */
- int permit_root_login; /* If true, permit root login. */
+ int permit_root_login; /* PERMIT_*, see above */
int ignore_rhosts; /* Ignore .rhosts and .shosts. */
int ignore_user_known_hosts; /* Ignore ~/.ssh/known_hosts
* for RhostsRsaAuth */
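Review bot: The new PERMIT_* defines reuse the integers of the old encoding with different meanings: 1 used to be "yes" and is now PERMIT_FORCED_ONLY, and the old struct comment read "If true, permit root login". Any remaining truthiness test on `permit_root_login` in a file this commit does not touch would now treat forced-commands-only and without-password as full permission; such files are not visible here, so every use should be checked. `#define PERMIT_NOT_SET -1` should be parenthesised as `(-1)`, and an `enum` would keep the values visible in a debugger.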
*/
#include "includes.h"
-RCSID("$OpenBSD: ssh-keygen.c,v 1.42 2001/02/04 15:32:26 stevesk Exp $");
+RCSID("$OpenBSD: ssh-keygen.c,v 1.43 2001/02/12 16:16:23 markus Exp $");
#include <openssl/evp.h>
#include <openssl/pem.h>
public = key_new(KEY_RSA1);
if (!load_public_key(identity_file, public, NULL)) {
printf("%s is not a valid key file.\n", identity_file);
+ printf("Comments are only supported in RSA1 keys\n");
exit(1);
}
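Review bot: The added `printf("Comments are only supported in RSA1 keys\n")` runs on every load_public_key() failure, including a missing or unreadable file, where the hint is misleading. Both messages before `exit(1)` go to stdout rather than stderr, so they are lost when output is redirected; `fprintf(stderr, ...)` fits an error path better. The enclosing function starts and ends outside the hunk.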
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd.8,v 1.93 2001/02/11 12:59:25 markus Exp $
+.\" $OpenBSD: sshd.8,v 1.94 2001/02/12 16:16:24 markus Exp $
.Dd September 25, 1999
.Dt SSHD 8
.Os
.Xr ssh 1 .
The argument must be
.Dq yes ,
-.Dq without-password
+.Dq without-password ,
+.Dq forced-commands-only
or
.Dq no .
The default is
.Dq yes .
-If this options is set to
+.Pp
+If this option is set to
.Dq without-password
-only password authentication is disabled for root.
+password authentication is disabled for root.
.Pp
-Root login with RSA authentication when the
+If this option is set to
+.Dq forced-commands-only
+root login with public key authentication will be allowed,
+but only if the
.Ar command
-option has been
-specified will be allowed regardless of the value of this setting
+option has been specified
(which may be useful for taking remote backups even if root login is
-normally not allowed).
+normally not allowed). All other authentication methods are disabled
+for root.
.It Cm PidFile
Specifies the file that contains the process identifier of the
.Nm