- OpenBSD CVS change

[sshd.c] - disallow guessing of root password
2000-03-11 11:58:28 +11:00 · 2000-03-11 11:58:28 +11:00 · 02491e9632
parent eedc0ca23e
commit 02491e9632
2 changed files with 19 additions and 9 deletions
--- a/3
+++ b/3
@ -1,5 +1,8 @@
 20000311
 - Detect RSAref
+ - OpenBSD CVS change
+   [sshd.c]
+    - disallow guessing of root password

 20000309
 - OpenBSD CVS updates to v1.2.3
--- a/sshd.c
+++ b/sshd.c
@ -11,7 +11,7 @@
 */

 #include "includes.h"
-RCSID("$OpenBSD: sshd.c,v 1.90 2000/03/06 20:29:04 markus Exp $");
+RCSID("$OpenBSD: sshd.c,v 1.91 2000/03/09 19:31:47 markus Exp $");

 #include "xmalloc.h"
 #include "rsa.h"
@ -1275,14 +1275,6 @@ do_authentication()
 		do_authloop(pw);
 	}

-	/* Check if the user is logging in as root and root logins are disallowed. */
-	if (pw->pw_uid == 0 && !options.permit_root_login) {
-		if (forced_command)
-			log("Root login accepted for forced command.");
-		else
-			packet_disconnect("ROOT LOGIN REFUSED FROM %.200s",
-					  get_canonical_hostname());
-	}
 	/* The user has been authenticated and accepted. */
 #ifdef WITH_AIXAUTHENTICATE
 	loginsuccess(user,get_canonical_hostname(),"ssh",&loginmsg);
@ -1525,6 +1517,21 @@ do_authloop(struct passwd * pw)
 			break;
 		}

+		/*
+		 * Check if the user is logging in as root and root logins
+		 * are disallowed.
+		 * Note that root login is allowed for forced commands.
+		 */
+		if (authenticated && pw->pw_uid == 0 && !options.permit_root_login) {
+			if (forced_command) {
+				log("Root login accepted for forced command.");
+			} else {
+				authenticated = 0;
+				log("ROOT LOGIN REFUSED FROM %.200s",
+				    get_canonical_hostname());
+			}
+		}
+
 		/* Raise logging level */
 		if (authenticated ||
 		    attempt == AUTH_FAIL_LOG ||