Is there a way to alter this patch so that instead of ONLY ROOT I can change the user
name?
Say ONLY $USERNAME? Or maybe just a list of users?
Or is there something in ssh that can deny some users and permit others to remotely
log in?
Thank you.
Laszlo Vecsey wrote:
> I'm not sure how useful this will be to you guys, but for me I'll be using
> the following patch for a machine that runs a radius server and as such
> needs a /etc/shadow or nis passwords available to it, but without letting
> anyone log into the machine (except for root).
>
> Perhaps there was another way to do this? This approach seems pretty good
> though.
>
> By specifying 'PermitRootLogin only' in the /etc/ssh2/ssh2_config file,
> only root logins are permitted. All other accounts get rejected.
>
> 'patch -p0 < ssh-root-only-patch' to apply. This is against 2.0.13.
>
> --
> diff -r -c ssh-2.0.13/apps/ssh/auths-passwd.c
>ssh-2.0.13-root-only-patch/apps/ssh/auths-passwd.c
> *** ssh-2.0.13/apps/ssh/auths-passwd.c Tue May 11 04:34:45 1999
> --- ssh-2.0.13-root-only-patch/apps/ssh/auths-passwd.c Mon Mar 6 22:46:47 2000
> ***************
> *** 87,92 ****
> --- 87,103 ----
> }
> }
>
> + if (ssh_user_uid(uc) != SSH_UID_ROOT &&
> + config->permit_root_login == SSH_ROOTLOGIN_ONLY)
> + {
> + ssh_log_event(config->log_facility,
> + SSH_LOG_WARNING,
> + "only root logins are permitted!");
> +
> + SSH_DEBUG(2, ("ssh_server_auth_passwd: only root logins are
>permitted."));
> + return SSH_AUTH_SERVER_REJECTED_AND_METHOD_DISABLED;
> + }
> +
> /* Parse the password authentication request. */
> if (ssh_decode_buffer(packet,
> SSH_FORMAT_BOOLEAN, &change_request,
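Review bot: the new uid test only guards the password method: it sits in ssh_server_auth_passwd (auths-passwd.c) and nothing in the patch touches the public-key or host-based authentication paths, so with PermitRootLogin set to "only" a non-root account that has a working authorized key is not rejected by this hunk. Either add the same check to the other authentication methods or state plainly in the option's description that "only" restricts password logins. Two smaller points: the ssh_log_event warning never names the account that was refused, so the log line is hard to act on; include the rejected user name in the message. And the SSH_DEBUG string literal has been broken across two lines by mail wrapping ("only root logins are" / "permitted."), which will not compile if the patch is applied from the mail body; apply it from an unwrapped copy.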
> diff -r -c ssh-2.0.13/apps/ssh/sshconfig.c
>ssh-2.0.13-root-only-patch/apps/ssh/sshconfig.c
> *** ssh-2.0.13/apps/ssh/sshconfig.c Tue May 11 04:34:45 1999
> --- ssh-2.0.13-root-only-patch/apps/ssh/sshconfig.c Mon Mar 6 22:35:16 2000
> ***************
> *** 990,995 ****
> --- 990,998 ----
> {
> if (strcmp(val, "nopwd") == 0)
> config->permit_root_login = SSH_ROOTLOGIN_NOPWD;
> + else
> + if (strcmp(val, "only") == 0)
> + config->permit_root_login = SSH_ROOTLOGIN_ONLY;
> else
> config->permit_root_login = bool;
>
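Review bot: the `else` and `if (strcmp(val, "only") == 0)` are split over two lines, which reads as a nested if rather than a continuation of the nopwd chain; write it as a single `else if (strcmp(val, "only") == 0)` line to match the existing `nopwd` branch. Also worth confirming that whatever derives `bool` from `val` above this hunk (not shown here) does not already warn on or reject the unrecognised word "only" before control reaches this comparison, since the final `else` still falls through to `config->permit_root_login = bool;`.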
> diff -r -c ssh-2.0.13/apps/ssh/sshconfig.h
>ssh-2.0.13-root-only-patch/apps/ssh/sshconfig.h
> *** ssh-2.0.13/apps/ssh/sshconfig.h Wed Apr 28 01:48:57 1999
> --- ssh-2.0.13-root-only-patch/apps/ssh/sshconfig.h Mon Mar 6 22:31:41 2000
> ***************
> *** 58,64 ****
> /* Allow root login's. */
> SSH_ROOTLOGIN_TRUE = 1,
> /* Don't allow if using password authentication. */
> ! SSH_ROOTLOGIN_NOPWD = 2
> } SshPermitRootLogin;
>
> /* Data type for SSH server configuration data. */
> --- 58,66 ----
> /* Allow root login's. */
> SSH_ROOTLOGIN_TRUE = 1,
> /* Don't allow if using password authentication. */
> ! SSH_ROOTLOGIN_NOPWD = 2,
> ! /* Only allow root logins */
> ! SSH_ROOTLOGIN_ONLY = 3
> } SshPermitRootLogin;
>
> /* Data type for SSH server configuration data. */
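Review bot: the new comment "Only allow root logins" drops the trailing period used by the neighbouring comments, and it promises more than the matching auths-passwd.c change delivers, which only rejects non-root password logins; consider "Only allow root logins (enforced for password authentication)." or similar so the enum documents the actual scope of the value.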
> diff -r -c ssh-2.0.13/apps/ssh/sshd2.8 ssh-2.0.13-root-only-patch/apps/ssh/sshd2.8
> *** ssh-2.0.13/apps/ssh/sshd2.8 Thu Apr 29 10:18:22 1999
> --- ssh-2.0.13-root-only-patch/apps/ssh/sshd2.8 Mon Mar 6 22:56:59 2000
> ***************
> *** 386,396 ****
> .B PermitRootLogin
> Specifies whether the root can log in using
> .BR ssh2 .
> ! May be set to "\fByes\fR", "\fBnopwd\fR", or "\fBno\fR". The default
> is "\fByes\fR", allowing root logins through any of the authentication
> types allowed for other users. The "\fBnopwd\fR" value disables
> password-authenticated root logins. The "\fBno\fR" value disables
> ! root logins through any of the authentication methods. ("\fBnopwd\fR"
> and "\fBno\fR" are equivalent unless you have a .rhosts or .shosts in
> the root home directory and you you haven't set up public key
> authentication for root.)
> --- 386,397 ----
> .B PermitRootLogin
> Specifies whether the root can log in using
> .BR ssh2 .
> ! May be set to "\fByes\fR", "\fBnopwd\fR", "\fBonly\fR", or "\fBno\fR". The default
> is "\fByes\fR", allowing root logins through any of the authentication
> types allowed for other users. The "\fBnopwd\fR" value disables
> password-authenticated root logins. The "\fBno\fR" value disables
> ! root logins through any of the authentication methods. The "\fBonly\fR" value
> ! allows just root logins. ("\fBnopwd\fR"
> and "\fBno\fR" are equivalent unless you have a .rhosts or .shosts in
> the root home directory and you you haven't set up public key
> authentication for root.)
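Review bot: "The only value allows just root logins." should say which authentication methods it applies to, because the code change in auths-passwd.c covers password authentication only; readers of sshd2.8 will otherwise assume public-key logins for other users are blocked as well. While this paragraph is being edited, the duplicated "you you" in the context line "the root home directory and you you haven't set up public key" could be fixed in the same patch.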
> Only in ssh-2.0.13-root-only-patch: include