On Fri, 17 Dec 1999, Dorian Moore wrote:
> Hi Amanda,
>
> The patch Andrew posted was to sshd.c which I thought was the main
> source for the daemon, and I presume what sends the response out. I'm
> not so worried about what the client does, but what the daemon responds.
> As I said, IMHO the login daemon shouldn't give an indication whether the
> attempt was valid or not if that type of connection is not permitted (i.e.
> if PermitRootLogin no is set then the code should not even try to
> authenticate the password), but maybe I misunderstand the way the code
> is written (I'm not a C programmer).
>
> I hope this clears up what I was asking --> maybe something to think
> about in future revisions?

On Fri, 17 Dec 1999, Andrew L. Davis wrote:
> On Fri, Dec 17, 1999 at 09:52:17AM +0000, amanda wrote:
> > > On Wed, Dec 15, 1999 at 10:56:50PM +0000, Dorian Moore wrote:
> > > > Is there an (easy:) way to change the prompt returned if you have
> > > > PermitRootLogin no
> > > > in
> > > > /etc/ssh/sshd_config (ssh1.2.27)
> > > > and you slogin with the correct password. At the moment I get
> > > > Permission denied.
> > > > If I get the password wrong, but
> > > > ROOT LOGIN REFUSED FROM *.*
> > > > if I get the password right....
> >
> > Note that this patch just changes the text that the server returns.
> > It might confuse one or two script kiddies, but it will not protect
> > you against an attacker that knows what he's doing. That is because
> > the error 'Permission denied' is produced by the client, and an
> > attacker that can hack his client can easily change that text to
> > something that looks different from the error message you produce in
> > the server.
>
> This is not true, I just tested the code myself on a vanilla 1.2.27 ssh client
> and I got the altered message from the patched sshd daemon.
>
Obviously I didn't make myself clear. Here is how you beat this patch:
edit sshconnect.c and change the message "Permission denied" to something else (like
"Client got permission denied") and recompile ssh. Then connect to a server with the
previous patch. Now you will see a distinction between denied permissions on the
server and denied permissions on the client. One of the failure messages means that
you typed the wrong password for root, and the other failure message means that you
typed the right root password but the server didn't allow root password authentication.
Amanda.
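
The two outcomes stay distinguishable as long as the server's reply depends on the password before the PermitRootLogin policy is applied, whatever text either side prints. The following is an added example, not code from ssh 1.2.27 or from anyone in this thread: a constructed C model of the decision order, with a check that reports whether a refused root login reveals password validity. The function names, reply codes and sample credential are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the server-side decision; not code from ssh 1.2.27. */
enum reply { REPLY_OK, REPLY_DENIED, REPLY_ROOT_REFUSED };
typedef enum reply (*auth_fn)(const char *user, const char *pw, int permit_root);

/* Hypothetical stand-in for real password verification (constructed credential). */
static int password_ok(const char *pw)
{
    return strcmp(pw, "correct-horse") == 0;
}

/* Behaviour described in the thread: the password is checked first, so the
 * root refusal can only be reached by someone who typed the right password. */
enum reply auth_leaky(const char *user, const char *pw, int permit_root)
{
    if (!password_ok(pw))
        return REPLY_DENIED;
    if (strcmp(user, "root") == 0 && !permit_root)
        return REPLY_ROOT_REFUSED;
    return REPLY_OK;
}

/* Policy first: a forbidden root login is rejected before the password is
 * looked at, so the reply cannot depend on what was typed. */
enum reply auth_policy_first(const char *user, const char *pw, int permit_root)
{
    if (strcmp(user, "root") == 0 && !permit_root)
        return REPLY_DENIED;
    return password_ok(pw) ? REPLY_OK : REPLY_DENIED;
}

/* Regression check: returns 1 if a right and a wrong password produce
 * different replies for root while root logins are disabled. */
int leaks_password_validity(auth_fn auth)
{
    return auth("root", "correct-horse", 0) != auth("root", "wrong-guess", 0);
}

int main(void)
{
    printf("password-first leaks: %d\n", leaks_password_validity(auth_leaky));
    printf("policy-first leaks:   %d\n", leaks_password_validity(auth_policy_first));
    return 0;
}
```

The replies are modelled as codes rather than strings because rewording a message on either side leaves the two codes distinct; only the ordering of the checks removes the difference.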