Your message dated Thu, 3 Feb 2005 18:12:24 +0100
with message-id <[EMAIL PROTECTED]>
and subject line Debian bug #271822: fixed upstream
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 15 Sep 2004 13:58:21 +0000
Date: Wed, 15 Sep 2004 15:58:17 +0200
From: Jonas Meurer <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: PermitRootLogin without-password actually does the same as PermitRootLogin yes

Package: ssh
Version: 1:3.8.1p1-8
Severity: grave

hello,

after i tested it on two different boxes, one with up-to-date sarge,
and one with up-to-date sid, i'm quite confident, that the
PermitRootLogin option at sshd_config doesn't understand the
without-password value.

after i changed PermitRootLogin from 'yes' to 'without-password', i was
still able to login from a remote box without any key, and with typing
the root password, not the key passphrase.

i tag this bug as grave, as this is a dangerous security hole. i don't
know how long this appears, but many users may use the feature without
any apprehension that this may open the ssh root account for more
people.

bye
 jonas

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.8-i386
Locale: LANG=en_GB.UTF-8, [EMAIL PROTECTED]

Versions of packages ssh depends on:
ii  adduser                     3.59         Add and remove users and groups
ii  debconf                     1.4.36       Debian configuration management sy
ii  dpkg                        1.10.23      Package maintenance system for Deb
ii  libc6                       2.3.2.ds1-16 GNU C Library: Shared libraries an
ii  libpam-modules              0.76-22      Pluggable Authentication Modules f
ii  libpam-runtime              0.76-22      Runtime support for the PAM librar
ii  libpam0g                    0.76-22      Pluggable Authentication Modules l
ii  libssl0.9.7                 0.9.7d-5     SSL shared libraries
ii  libwrap0                    7.6.dbs-6    Wietse Venema's TCP wrappers libra
ii  zlib1g                      1:1.2.1.2-1  compression library - runtime

-- debconf information:
  ssh/insecure_rshd:
  ssh/user_environment_tell:
* ssh/forward_warning:
  ssh/insecure_telnetd:
  ssh/new_config: true
* ssh/use_old_init_script: true
* ssh/SUID_client: true
  ssh/ssh2_keys_merged:
* ssh/protocol2_only: true
  ssh/encrypted_host_key_but_no_keygen:
* ssh/run_sshd: true
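
The report above turns on whether `PermitRootLogin without-password` really takes effect. The following is an added example, not code from the report, Debian or OpenSSH: it reads an sshd_config with sshd's first-value-wins rule and flags configurations where root is set to `without-password` while a password-style method is still enabled globally, which is the case worth testing with a live login. The function names, the sample config and the assumed defaults (those of the 3.8-era sshd in the report) are illustrative.

```python
import re

# Constructed sample sshd_config (not taken from the report).
SAMPLE = """\
Port 22
PermitRootLogin without-password
PasswordAuthentication yes
ChallengeResponseAuthentication yes
# A later duplicate is ignored: sshd keeps the first value it reads.
PermitRootLogin yes
"""

# Assumption: built-in defaults of the OpenSSH 3.8-era sshd in the report.
DEFAULTS = {"permitrootlogin": "yes", "passwordauthentication": "yes",
            "challengeresponseauthentication": "yes"}
PASSWORD_STYLE = ("passwordauthentication", "challengeresponseauthentication")
FIXED_VERDICTS = {"yes": "root-password-allowed", "no": "root-login-disabled",
                  "forced-commands-only": "key-only-forced-command"}

def effective(config_text):
    """Return {keyword: value} for the global section, first value wins."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()          # keywords are case-insensitive
        if key == "match":              # conditional blocks are out of scope
            break
        seen.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return {**DEFAULTS, **seen}

def audit_root_login(config_text):
    """Return (verdict, effective PermitRootLogin, enabled password-style methods)."""
    cfg = effective(config_text)
    mode = cfg["permitrootlogin"]
    open_paths = [k for k in PASSWORD_STYLE if cfg[k] == "yes"]
    if mode in ("without-password", "prohibit-password"):
        # sshd must refuse these methods for root; on a daemon with the
        # reported bug it does not, so confirm with a real login attempt.
        verdict = "verify-root-password-refused" if open_paths else "key-only"
    else:
        verdict = FIXED_VERDICTS.get(mode, "unknown-value")
    return verdict, mode, open_paths

if __name__ == "__main__":
    print(audit_root_login(SAMPLE))
```
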

---------------------------------------
Received: (at 271822-done) by bugs.debian.org; 3 Feb 2005 17:12:18 +0000
Date: Thu, 3 Feb 2005 18:12:24 +0100
From: Jonas Meurer <[EMAIL PROTECTED]>
To: Darren Tucker <[EMAIL PROTECTED]>
Cc: [EMAIL PROTECTED]
Subject: Re: Debian bug #271822: fixed upstream

On 27/01/2005 Darren Tucker wrote:
> Hi.
> The aforementioned Debian bug has been fixed upstream (and, I believe,
> in Debian too since the upstream patch is partially based on one from
> Colin Watson).
> 
> http://bugzilla.mindrot.org/show_bug.cgi?id=971

thanks a lot, you're correct.

therefore, i closed the bug.

bye
 jonas

