On Wed, 15 Dec 1999, Andrew L. Davis wrote:

> On Wed, Dec 15, 1999 at 10:56:50PM +0000, Dorian Moore wrote:
> > Is there an (easy:) way to change the prompt returned if you have
> > PermitRootLogin no
> > in
> > /etc/ssh/sshd_config (ssh1.2.27)
> > and you slogin with the correct password. At the moment I get
> > Permission denied.
> > If I get the password wrong, but
> > ROOT LOGIN REFUSED FROM *.*
> > if I get the password right....
> >
> > which basically means someone could get a positive response from a
> > password cracker (I know, the root password shouldn't be that insecure,
> > but IMHO the program shouldn't return that verbose a message (or it
> > should be configurable) in that instance)
>
> Yes, just apply this patch and/or edit the code yourself

Note that this patch just changes the text that the server returns. It might confuse 
one or two script kiddies, but it will not protect you against an attacker that knows 
what he's doing. That is because the error 'Permission denied' is produced by the 
client, and an attacker that can hack his client can easily change that text to 
something that looks different from the error message you produce in the server.

Other clients than the one bundled with ssh probably have other error messages. The 
graphical clients pop up a message box for failed logins, but show your error 
message in the terminal window (or just crash, as F-Secure 1.1 for Windows does).

A better patch would change the authentication code where the root password is checked 
so that it always fails, instead of changing the error message. But that might be 
trickier to do, or Tatu would probably have done it like that in the first place.

Amanda.
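As an added illustration, not part of the thread or of the ssh 1.2.27 source, here is the difference between the two fixes discussed above in a simplified authentication routine: when the server refuses root before it consults the password, a correct and an incorrect guess get the same reply, so there is nothing for a password guesser to distinguish. The user table, sample passwords and reply strings are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed stand-in for /etc/shadow: user -> (salt, sha256(salt + password)).
def _hash(salt: bytes, password: str) -> bytes:
    return hashlib.sha256(salt + password.encode()).digest()

_SALT = os.urandom(16)
USERS = {
    "root": (_SALT, _hash(_SALT, "hunter2")),    # constructed sample password
    "dorian": (_SALT, _hash(_SALT, "letmein")),  # constructed sample password
}

def verify_password(user: str, password: str) -> bool:
    """True iff the password matches the stored hash (constant-time compare)."""
    entry = USERS.get(user)
    if entry is None:
        return False
    salt, stored = entry
    return hmac.compare_digest(_hash(salt, password), stored)

def auth_leaky(user: str, password: str, permit_root_login: bool) -> str:
    """Order behind the complaint in the thread: the password is checked first,
    so the PermitRootLogin refusal only fires for a *correct* root password."""
    if not verify_password(user, password):
        return "Permission denied."
    if user == "root" and not permit_root_login:
        return "ROOT LOGIN REFUSED"
    return "OK"

def auth_fixed(user: str, password: str, permit_root_login: bool) -> str:
    """Amanda's suggested fix: refuse root before the password is looked at,
    so right and wrong guesses are indistinguishable to the client."""
    if user == "root" and not permit_root_login:
        return "Permission denied."
    if not verify_password(user, password):
        return "Permission denied."
    return "OK"

def is_oracle(auth) -> bool:
    """True if the server's reply reveals whether the root password was right."""
    right = auth("root", "hunter2", permit_root_login=False)
    wrong = auth("root", "definitely-wrong", permit_root_login=False)
    return right != wrong
```

The real server would also want the same timing for both paths; ordering the check as in `auth_fixed` removes the message difference but a password hash computed only on one branch can still be measured.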
