Mark Hedges <[email protected]> writes:

> It seems like, if PermitRootLogin is set to no, authentication requests
> should never be passed to PAM at all once the 'root' username is sent.

It turns out that you don't want to do that (or at least that's the prevailing security wisdom) because it creates a timing difference that the attacker can use to detect the PermitRootLogin setting. ssh intentionally runs all attempts through the PAM stack but then always rejects them regardless of the outcome of the PAM authentication so that the timing is the same as any other login and the attacker can't tell why they're failing.

-- 
Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/>
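
The behaviour described in the reply above, sketched as an added example (not OpenSSH code and not part of the original message). `AuthStack` is a hypothetical stand-in for the PAM stack, the accounts and passwords are constructed, and the count of expensive verifications stands in for wall-clock timing so the comparison is deterministic.

```python
import hashlib
import hmac
import os

ITERATIONS = 1000  # constructed cost factor for the stand-in password check


def kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class AuthStack:
    """Hypothetical stand-in for the PAM stack; counts expensive checks."""

    def __init__(self, users):
        self.db = {}
        for name, password in users.items():
            salt = os.urandom(16)
            self.db[name] = (salt, kdf(password, salt))
        self.dummy = (os.urandom(16), os.urandom(32))  # used for unknown users
        self.calls = 0

    def verify(self, user, password):
        self.calls += 1
        salt, expected = self.db.get(user, self.dummy)
        return hmac.compare_digest(kdf(password, salt), expected)


def login_early_reject(stack, user, password, permit_root=False):
    # The design proposed in the quoted question: never reach the stack for root.
    if user == "root" and not permit_root:
        return False  # returns without doing the expensive work
    return stack.verify(user, password)


def login_uniform(stack, user, password, permit_root=False):
    # The design described in the reply: always run the stack, then reject.
    ok = stack.verify(user, password)
    if user == "root" and not permit_root:
        return False  # outcome of the stack is ignored
    return ok


def work_profile(login):
    """Expensive checks spent on (a root attempt, an ordinary failed attempt)."""
    stack = AuthStack({"root": "constructed-root-pw", "alice": "constructed-pw"})
    costs = []
    for user in ("root", "alice"):
        before = stack.calls
        login(stack, user, "wrong-guess")
        costs.append(stack.calls - before)
    return tuple(costs)
```

With early rejection the root attempt costs less work than any other failed login, which is the observable difference; with the uniform path both attempts cost the same.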

