This is a discussion on PermitRootLogin and Tru64 SIA within the OpenSSH Development forums, part of the Networking and Network Related category.
I have "PermitRootLogin no" in my sshd_config, but under Tru64 and SIA, the root login attempts still get passed to the SIA system (so I get lots of warnings about failed root logins). On systems with a "max failed attempts" setting, the root account can be locked out this way.

I started looking at the code, and I'm not sure I understand what I see. In auth-passwd.c, function auth_password checks permit_root_login, but it doesn't stop if it fails. It goes on and calls the authentication function (sys_auth_passwd from auth-sia.c for SIA) but still returns failure. Why?

Should I just modify auth-sia.c sys_auth_passwd() to check the permit_root_login option and fail without calling the SIA functions? Here's a patch that does that:

diff -urN openssh-dist/auth-sia.c openssh/auth-sia.c --- openssh-dist/auth-sia.c Thu Mar 4 05:59:37 2004 +++ openssh/auth-sia.c Thu Apr 7 07:52:13 2005 @@ -53,6 +53,9 @@ SIAENTITY *ent = NULL; const char *host; + if (! auth_root_allowed ("password")) + return (0); + host = get_canonical_hostname(options.use_dns); if (!authctxt->user || pass == NULL || pass[0] == '\0')

--
Chris Adams <cmadams@hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
http://www.mindrot.org/mailman/listi...enssh-unix-dev
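Review bot: The added `if (! auth_root_allowed ("password")) return (0);` at the top of sys_auth_passwd() is not conditioned on the account being root, so nothing in this hunk limits the early return to root logins. Unless auth_root_allowed() itself tests the uid, password authentication through SIA would be refused for every user whenever root login is not permitted. Guard the call with a check that the target account has uid 0 (for example via the passwd entry held in authctxt), and place it after the existing `!authctxt->user` test so the guard never dereferences a missing user. Two smaller points: returning before any SIA call makes a refused root attempt complete faster than other failed attempts, which is worth a comment in the code if that trade-off against account lockout is intended; and the spacing in `! auth_root_allowed ("password")` differs from the adjacent `get_canonical_hostname(options.use_dns)` call style.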