Hi Amanda,
The patch Andrew posted was to sshd.c, which I thought was the main
source for the daemon, and I presume what sends the response out. I'm
not so worried about what the client does, but what the daemon responds.
As I said, IMHO the login daemon shouldn't give an indication whether the
attempt was valid or not if that type of connection is not permitted (i.e.
if PermitRootLogin no is set then the code should not even try to
authenticate the password), but maybe I misunderstand the way the code
is written (I'm not a C programmer).
I hope this clears up what I was asking --> maybe something to think
about in future revisions?
Laters
d.
Amanda wrote:
>
> On Wed, 15 Dec 1999, Andrew L . Davis wrote:
>
> > On Wed, Dec 15, 1999 at 10:56:50PM +0000, Dorian Moore wrote:
> > > Is there an (easy:) way to change the prompt returned if you have
> > > PermitRootLogin no
> > > in
> > > /etc/ssh/sshd_config (ssh1.2.27)
> > > and you slogin with the correct password. At the moment I get
> > > Permission denied.
> > > If I get the password wrong, but
> > > ROOT LOGIN REFUSED FROM *.*
> > > if I get the password right....
> > >
> > > which basically means someone could get a positive response from a
> > > password cracker (I know, the root password shouldn't be that insecure,
> > > but IMHO the program shouldn't return that verbose a message (or it
> > > should be configurable) in that instance)
> >
> > Yes, just apply this patch and/or edit the code yourself
>
> Note that this patch just changes the text that the server returns. It might confuse
> one or two script kiddies, but it will not protect you against an attacker that knows
> what he's doing. That is because the error 'Permission denied' is produced by the
> client, and an attacker that can hack his client can easily change that text to
> something that looks different from the error message you produce in the server.
>
> Other clients than the one bundled with ssh probably have other error messages. The
> graphical clients pop up a message box for failed logins, but show your error
> message in the terminal window (or just crash, as F-Secure 1.1 for Windows does).
>
> A better patch would change the authentication code where the root password is
> checked so that it always fails, instead of changing the error message. But that
> might be trickier to do, or Tatu would probably have done it like that in the first
> place.
>
> Amanda.
--
Techie wanted, apply within : http://www.kleber.net/job.html
Dorian Moore is property of Kleber Design Ltd. If found please contact Kleber
by phone on +44 207 581 1362 or visit http://www.kleber.net for further details.
You really shouldn't listen to anything he says... as it may just be an opinion
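The point Dorian and Amanda are circling is an ordering problem: if the server verifies the root password first and applies PermitRootLogin afterwards, the two different outcomes (a "Permission denied" versus a "root login refused") tell a caller whether the password was correct, and no change to the message text alone fixes that. The constructed C model below, added here and not taken from the ssh 1.2.27 source or any patch in this thread, shows the leaky ordering next to the ordering Amanda suggests, where a disallowed root login fails before the password is consulted and returns the same text a wrong password would. `server_config`, `password_is_valid`, the secret `"example-secret"` and the response strings are all assumptions made for the model.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the behaviour discussed in the thread; not sshd's code. */
typedef struct {
    int permit_root_login;     /* models "PermitRootLogin yes" (1) / "no" (0) */
    const char *root_password; /* placeholder secret used only by this model  */
} server_config;

/* Constructed stand-in for the real password check. Only the root account
 * exists in this model. */
static int password_is_valid(const server_config *cfg, const char *user, const char *pw)
{
    if (strcmp(user, "root") != 0)
        return 0;
    return strcmp(pw, cfg->root_password) == 0;
}

/* Leaky ordering (the behaviour Dorian describes): the password is verified
 * first and the policy is applied afterwards, so the reply differs depending
 * on whether the password was right. */
const char *leaky_root_auth(const server_config *cfg, const char *user, const char *pw)
{
    if (!password_is_valid(cfg, user, pw))
        return "Permission denied.";
    if (strcmp(user, "root") == 0 && !cfg->permit_root_login)
        return "ROOT LOGIN REFUSED";
    return "OK";
}

/* Hardened ordering (Amanda's suggestion): when root login is not permitted,
 * fail before the password is ever looked at, and use the same reply a wrong
 * password produces. A server-side log entry can still record the refusal;
 * only the text sent back must be uniform. */
const char *hardened_root_auth(const server_config *cfg, const char *user, const char *pw)
{
    if (strcmp(user, "root") == 0 && !cfg->permit_root_login)
        return "Permission denied."; /* indistinguishable from a bad password */
    if (!password_is_valid(cfg, user, pw))
        return "Permission denied.";
    return "OK";
}

/* Returns 1 if a correct and an incorrect root password yield different
 * replies, i.e. the server acts as a password oracle; 0 otherwise. */
int responses_differ(const char *(*auth)(const server_config *, const char *, const char *),
                     const server_config *cfg)
{
    const char *right = auth(cfg, "root", cfg->root_password);
    const char *wrong = auth(cfg, "root", "not-the-password");
    return strcmp(right, wrong) != 0;
}

int main(void)
{
    /* constructed config: PermitRootLogin no, with a placeholder secret */
    server_config cfg = { 0, "example-secret" };
    printf("leaky ordering leaks password validity: %d\n",
           responses_differ(leaky_root_auth, &cfg));
    printf("hardened ordering leaks password validity: %d\n",
           responses_differ(hardened_root_auth, &cfg));
    return 0;
}
```

The check in `responses_differ` is the test a defender would apply to any login path: drive it with a known-good and a known-bad credential under a policy that forbids the login, and confirm the two replies (and ideally their timing) are the same. With the leaky ordering the function reports 1; with the policy check moved ahead of the password check it reports 0, regardless of what the message text says.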