summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDamien Miller <djm@mindrot.org>2000-03-11 11:58:28 +1100
committerDamien Miller <djm@mindrot.org>2000-03-11 11:58:28 +1100
commit02491e9632dc03c8aa75a9d406ff98445aa28786 (patch)
tree3c4290b414a343fc403948d2d8f73ff8257762ec
parenteedc0ca23e06fa5a342d531db395badaf783bbd7 (diff)
- OpenBSD CVS changeV_1_2_3_PRE1
[sshd.c] - disallow guessing of root password
-rw-r--r--ChangeLog3
-rw-r--r--sshd.c25
2 files changed, 19 insertions, 9 deletions
diff --git a/ChangeLog b/ChangeLog
index b0ede8c1..1dc77d45 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,8 @@
20000311
- Detect RSAref
+ - OpenBSD CVS change
+ [sshd.c]
+ - disallow guessing of root password
20000309
- OpenBSD CVS updates to v1.2.3
diff --git a/sshd.c b/sshd.c
index 829c0a71..5062d376 100644
--- a/sshd.c
+++ b/sshd.c
@@ -11,7 +11,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: sshd.c,v 1.90 2000/03/06 20:29:04 markus Exp $");
+RCSID("$OpenBSD: sshd.c,v 1.91 2000/03/09 19:31:47 markus Exp $");
#include "xmalloc.h"
#include "rsa.h"
@@ -1275,14 +1275,6 @@ do_authentication()
do_authloop(pw);
}
- /* Check if the user is logging in as root and root logins are disallowed. */
- if (pw->pw_uid == 0 && !options.permit_root_login) {
- if (forced_command)
- log("Root login accepted for forced command.");
- else
- packet_disconnect("ROOT LOGIN REFUSED FROM %.200s",
- get_canonical_hostname());
- }
/* The user has been authenticated and accepted. */
#ifdef WITH_AIXAUTHENTICATE
loginsuccess(user,get_canonical_hostname(),"ssh",&loginmsg);
@@ -1525,6 +1517,21 @@ do_authloop(struct passwd * pw)
break;
}
+ /*
+ * Check if the user is logging in as root and root logins
+ * are disallowed.
+ * Note that root login is allowed for forced commands.
+ */
+ if (authenticated && pw->pw_uid == 0 && !options.permit_root_login) {
+ if (forced_command) {
+ log("Root login accepted for forced command.");
+ } else {
+ authenticated = 0;
+ log("ROOT LOGIN REFUSED FROM %.200s",
+ get_canonical_hostname());
+ }
+ }
+
/* Raise logging level */
if (authenticated ||
attempt == AUTH_FAIL_LOG ||