From 02491e9632dc03c8aa75a9d406ff98445aa28786 Mon Sep 17 00:00:00 2001
From: Damien Miller
Date: Sat, 11 Mar 2000 11:58:28 +1100
Subject: [PATCH] - OpenBSD CVS change [sshd.c] - disallow guessing of root password
---
 ChangeLog | 3 +++
 sshd.c | 25 ++++++++++++++++---------
 2 files changed, 19 insertions(+), 9 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index b0ede8c1e..1dc77d453 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,8 @@
 20000311
 - Detect RSAref
+ - OpenBSD CVS change
+ [sshd.c]
+ - disallow guessing of root password
 20000309
 - OpenBSD CVS updates to v1.2.3
diff --git a/sshd.c b/sshd.c
index 829c0a712..5062d3761 100644
--- a/sshd.c
+++ b/sshd.c
@@ -11,7 +11,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: sshd.c,v 1.90 2000/03/06 20:29:04 markus Exp $");
+RCSID("$OpenBSD: sshd.c,v 1.91 2000/03/09 19:31:47 markus Exp $");
 #include "xmalloc.h"
 #include "rsa.h"
@@ -1275,14 +1275,6 @@ do_authentication()
 do_authloop(pw);
 }
- /* Check if the user is logging in as root and root logins are disallowed. */
- if (pw->pw_uid == 0 && !options.permit_root_login) {
- if (forced_command)
- log("Root login accepted for forced command.");
- else
- packet_disconnect("ROOT LOGIN REFUSED FROM %.200s",
- get_canonical_hostname());
- }
 /* The user has been authenticated and accepted. */
 #ifdef WITH_AIXAUTHENTICATE
 loginsuccess(user,get_canonical_hostname(),"ssh",&loginmsg);
@@ -1525,6 +1517,21 @@ do_authloop(struct passwd * pw)
 break;
 }
+ /*
+ * Check if the user is logging in as root and root logins
+ * are disallowed.
+ * Note that root login is allowed for forced commands.
+ */
+ if (authenticated && pw->pw_uid == 0 && !options.permit_root_login) {
+ if (forced_command) {
+ log("Root login accepted for forced command.");
+ } else {
+ authenticated = 0;
+ log("ROOT LOGIN REFUSED FROM %.200s",
+ get_canonical_hostname());
+ }
+ }
+
 /* Raise logging level */
 if (authenticated || attempt == AUTH_FAIL_LOG ||
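Review bot: The comment added above the `if (authenticated && pw->pw_uid == 0 && !options.permit_root_login)` test does not say why the refusal is now expressed by clearing `authenticated` inside the loop instead of disconnecting afterwards, and that reason is the security property of the change: the client must not be able to tell a refused root login from a wrong password. I would add a line such as `* Clear 'authenticated' instead of disconnecting, so a refused root login looks like any failed attempt and does not confirm the password.` so a later refactor does not move the check back out of the loop. It is also worth stating there that the `ROOT LOGIN REFUSED` log entry is written only after authentication has already succeeded, which makes it a record that valid root credentials were presented and not an ordinary failure. do_authloop starts and ends outside this hunk, so whether the refused attempt counts toward the failure limit cannot be confirmed from here.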