I'm not sure how useful this will be to you guys, but for me I'll be using
the following patch for a machine that runs a RADIUS server and as such
needs /etc/shadow or NIS passwords available to it, but without letting
anyone log into the machine (except root).
Perhaps there was another way to do this? This approach seems pretty good
though.
By specifying 'PermitRootLogin only' in the /etc/ssh2/ssh2_config file,
only root logins are permitted. All other accounts get rejected.
'patch -p0 < ssh-root-only-patch' to apply. This is against 2.0.13.
--
diff -r -c ssh-2.0.13/apps/ssh/auths-passwd.c
ssh-2.0.13-root-only-patch/apps/ssh/auths-passwd.c
*** ssh-2.0.13/apps/ssh/auths-passwd.c Tue May 11 04:34:45 1999
--- ssh-2.0.13-root-only-patch/apps/ssh/auths-passwd.c Mon Mar 6 22:46:47 2000
***************
*** 87,92 ****
--- 87,103 ----
}
}
+ if (ssh_user_uid(uc) != SSH_UID_ROOT &&
+ config->permit_root_login == SSH_ROOTLOGIN_ONLY)
+ {
+ ssh_log_event(config->log_facility,
+ SSH_LOG_WARNING,
+ "only root logins are permitted!");
+
+ SSH_DEBUG(2, ("ssh_server_auth_passwd: only root logins are
+permitted."));
+ return SSH_AUTH_SERVER_REJECTED_AND_METHOD_DISABLED;
+ }
+
/* Parse the password authentication request. */
if (ssh_decode_buffer(packet,
SSH_FORMAT_BOOLEAN, &change_request,
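Review bot: The new uid gate is added only to the password handler (ssh_server_auth_passwd), so a non-root account that has a public key, or .rhosts/.shosts trust, is presumably still accepted by the other authentication methods, while the sshd2.8 text in this same patch says "only" allows just root logins; either the same `ssh_user_uid(uc) != SSH_UID_ROOT` check belongs in the other auth-method handlers (or a common pre-auth path), or the man page should state that the restriction applies to password authentication. Checking the uid rather than the login name, and rejecting before the packet is decoded, is the right shape for the check. The SSH_DEBUG string on the `+ SSH_DEBUG(2, (` line is broken across two lines, with the continuation starting at `+permitted."));`, which looks like mail wrapping: as pasted the literal is unterminated and will not compile, and it should be rejoined as `SSH_DEBUG(2, ("ssh_server_auth_passwd: only root logins are permitted."));`. The enclosing function begins before this hunk, and the same hunk is repeated verbatim later in the page.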
diff -r -c ssh-2.0.13/apps/ssh/sshconfig.c
ssh-2.0.13-root-only-patch/apps/ssh/sshconfig.c
*** ssh-2.0.13/apps/ssh/sshconfig.c Tue May 11 04:34:45 1999
--- ssh-2.0.13-root-only-patch/apps/ssh/sshconfig.c Mon Mar 6 22:35:16 2000
***************
*** 990,995 ****
--- 990,998 ----
{
if (strcmp(val, "nopwd") == 0)
config->permit_root_login = SSH_ROOTLOGIN_NOPWD;
+ else
+ if (strcmp(val, "only") == 0)
+ config->permit_root_login = SSH_ROOTLOGIN_ONLY;
else
config->permit_root_login = bool;
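Review bot: The added branch puts `else` and `if` on separate lines, which reads as a nested conditional rather than a chain; the conventional form matching the `nopwd` test above it is `else if (strcmp(val, "only") == 0)` on one line. Unrecognised spellings of the value still fall through to `config->permit_root_login = bool;`, where `bool` is computed before this hunk, so a typo such as `Only` is presumably accepted silently as whatever that default is rather than being reported as a configuration error. The enclosing function starts and ends outside the hunk.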
diff -r -c ssh-2.0.13/apps/ssh/sshconfig.h
ssh-2.0.13-root-only-patch/apps/ssh/sshconfig.h
*** ssh-2.0.13/apps/ssh/sshconfig.h Wed Apr 28 01:48:57 1999
--- ssh-2.0.13-root-only-patch/apps/ssh/sshconfig.h Mon Mar 6 22:31:41 2000
***************
*** 58,64 ****
/* Allow root login's. */
SSH_ROOTLOGIN_TRUE = 1,
/* Don't allow if using password authentication. */
! SSH_ROOTLOGIN_NOPWD = 2
} SshPermitRootLogin;
/* Data type for SSH server configuration data. */
--- 58,66 ----
/* Allow root login's. */
SSH_ROOTLOGIN_TRUE = 1,
/* Don't allow if using password authentication. */
! SSH_ROOTLOGIN_NOPWD = 2,
! /* Only allow root logins */
! SSH_ROOTLOGIN_ONLY = 3
} SshPermitRootLogin;
/* Data type for SSH server configuration data. */
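Review bot: The comment on the new `SSH_ROOTLOGIN_ONLY` constant overstates what this patch enforces: the only check added for the value is in the password handler in auths-passwd.c, so `/* Only allow root logins */` would be more accurate as `/* Reject password logins from non-root users. */` unless the enforcement is widened to the other methods. Because the constant is non-zero, existing code that tests permit_root_login as a plain boolean will presumably keep permitting root, which is the intent, but any comparison against SSH_ROOTLOGIN_TRUE elsewhere would not; the callers that read the field are outside this patch and are worth confirming.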
diff -r -c ssh-2.0.13/apps/ssh/sshd2.8 ssh-2.0.13-root-only-patch/apps/ssh/sshd2.8
*** ssh-2.0.13/apps/ssh/sshd2.8 Thu Apr 29 10:18:22 1999
--- ssh-2.0.13-root-only-patch/apps/ssh/sshd2.8 Mon Mar 6 22:56:59 2000
***************
*** 386,396 ****
.B PermitRootLogin
Specifies whether the root can log in using
.BR ssh2 .
! May be set to "\fByes\fR", "\fBnopwd\fR", or "\fBno\fR". The default
is "\fByes\fR", allowing root logins through any of the authentication
types allowed for other users. The "\fBnopwd\fR" value disables
password-authenticated root logins. The "\fBno\fR" value disables
! root logins through any of the authentication methods. ("\fBnopwd\fR"
and "\fBno\fR" are equivalent unless you have a .rhosts or .shosts in
the root home directory and you you haven't set up public key
authentication for root.)
--- 386,397 ----
.B PermitRootLogin
Specifies whether the root can log in using
.BR ssh2 .
! May be set to "\fByes\fR", "\fBnopwd\fR", "\fBonly\fR", or "\fBno\fR". The default
is "\fByes\fR", allowing root logins through any of the authentication
types allowed for other users. The "\fBnopwd\fR" value disables
password-authenticated root logins. The "\fBno\fR" value disables
! root logins through any of the authentication methods. The "\fBonly\fR" value
! allows just root logins. ("\fBnopwd\fR"
and "\fBno\fR" are equivalent unless you have a .rhosts or .shosts in
the root home directory and you you haven't set up public key
authentication for root.)
Only in ssh-2.0.13-root-only-patch: include
diff -r -c ssh-2.0.13/apps/ssh/auths-passwd.c
ssh-2.0.13-root-only-patch/apps/ssh/auths-passwd.c
*** ssh-2.0.13/apps/ssh/auths-passwd.c Tue May 11 04:34:45 1999
--- ssh-2.0.13-root-only-patch/apps/ssh/auths-passwd.c Mon Mar 6 22:46:47 2000
***************
*** 87,92 ****
--- 87,103 ----
}
}
+ if (ssh_user_uid(uc) != SSH_UID_ROOT &&
+ config->permit_root_login == SSH_ROOTLOGIN_ONLY)
+ {
+ ssh_log_event(config->log_facility,
+ SSH_LOG_WARNING,
+ "only root logins are permitted!");
+
+ SSH_DEBUG(2, ("ssh_server_auth_passwd: only root logins are
+permitted."));
+ return SSH_AUTH_SERVER_REJECTED_AND_METHOD_DISABLED;
+ }
+
/* Parse the password authentication request. */
if (ssh_decode_buffer(packet,
SSH_FORMAT_BOOLEAN, &change_request,
diff -r -c ssh-2.0.13/apps/ssh/sshconfig.c
ssh-2.0.13-root-only-patch/apps/ssh/sshconfig.c
*** ssh-2.0.13/apps/ssh/sshconfig.c Tue May 11 04:34:45 1999
--- ssh-2.0.13-root-only-patch/apps/ssh/sshconfig.c Mon Mar 6 22:35:16 2000
***************
*** 990,995 ****
--- 990,998 ----
{
if (strcmp(val, "nopwd") == 0)
config->permit_root_login = SSH_ROOTLOGIN_NOPWD;
+ else
+ if (strcmp(val, "only") == 0)
+ config->permit_root_login = SSH_ROOTLOGIN_ONLY;
else
config->permit_root_login = bool;
diff -r -c ssh-2.0.13/apps/ssh/sshconfig.h
ssh-2.0.13-root-only-patch/apps/ssh/sshconfig.h
*** ssh-2.0.13/apps/ssh/sshconfig.h Wed Apr 28 01:48:57 1999
--- ssh-2.0.13-root-only-patch/apps/ssh/sshconfig.h Mon Mar 6 22:31:41 2000
***************
*** 58,64 ****
/* Allow root login's. */
SSH_ROOTLOGIN_TRUE = 1,
/* Don't allow if using password authentication. */
! SSH_ROOTLOGIN_NOPWD = 2
} SshPermitRootLogin;
/* Data type for SSH server configuration data. */
--- 58,66 ----
/* Allow root login's. */
SSH_ROOTLOGIN_TRUE = 1,
/* Don't allow if using password authentication. */
! SSH_ROOTLOGIN_NOPWD = 2,
! /* Only allow root logins */
! SSH_ROOTLOGIN_ONLY = 3
} SshPermitRootLogin;
/* Data type for SSH server configuration data. */
diff -r -c ssh-2.0.13/apps/ssh/sshd2.8 ssh-2.0.13-root-only-patch/apps/ssh/sshd2.8
*** ssh-2.0.13/apps/ssh/sshd2.8 Thu Apr 29 10:18:22 1999
--- ssh-2.0.13-root-only-patch/apps/ssh/sshd2.8 Mon Mar 6 22:56:59 2000
***************
*** 386,396 ****
.B PermitRootLogin
Specifies whether the root can log in using
.BR ssh2 .
! May be set to "\fByes\fR", "\fBnopwd\fR", or "\fBno\fR". The default
is "\fByes\fR", allowing root logins through any of the authentication
types allowed for other users. The "\fBnopwd\fR" value disables
password-authenticated root logins. The "\fBno\fR" value disables
! root logins through any of the authentication methods. ("\fBnopwd\fR"
and "\fBno\fR" are equivalent unless you have a .rhosts or .shosts in
the root home directory and you you haven't set up public key
authentication for root.)
--- 386,397 ----
.B PermitRootLogin
Specifies whether the root can log in using
.BR ssh2 .
! May be set to "\fByes\fR", "\fBnopwd\fR", "\fBonly\fR", or "\fBno\fR". The default
is "\fByes\fR", allowing root logins through any of the authentication
types allowed for other users. The "\fBnopwd\fR" value disables
password-authenticated root logins. The "\fBno\fR" value disables
! root logins through any of the authentication methods. The "\fBonly\fR" value
! allows just root logins. ("\fBnopwd\fR"
and "\fBno\fR" are equivalent unless you have a .rhosts or .shosts in
the root home directory and you you haven't set up public key
authentication for root.)
Only in ssh-2.0.13-root-only-patch: include