Bug 169678 - "PermitRootLogin no" fails to prevent scp logins
"PermitRootLogin no" fails to prevent scp logins
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: openssh
Version: 4.0
Hardware: x86_64 Linux
Priority: medium
Severity: medium
Assigned To: Tomas Mraz
QA Contact: Brian Brock
Keywords: Security
 
Reported: 2005-09-30 19:33 EDT by Colin Walters
Modified: 2007-11-30 17:07 EST (History)
Last Closed: 2005-10-04 07:16:58 EDT
Description Colin Walters 2005-09-30 19:33:22 EDT

Description of problem:
Hi,

I did a stock RHEL4 AS install, and added "PermitRootLogin no" to the end of /etc/ssh/sshd_config.  As expected, "ssh root@hostname" was denied.  However, "scp /path/to/file root@hostname" was still allowed!

I had to add "DenyUsers root" as well to prevent scp from working.  

At best, "PermitRootLogin no" needs a massive warning around it.  The sshd_config man page doesn't say much about it, nor does the config file have any comment.
At worst, this is a security issue that I bet a number of admins have and don't know it...

Marking this bug as security priority for safety, if you disagree feel free to downgrade of course, but hopefully we'll get a warning somewhere.

How reproducible:
Always

Steps to Reproduce:
1. Install openssh
2. Add PermitRootLogin no

Actual Results:  scp access was allowed

Expected Results:  scp access should be disallowed

Comment 1 Tomas Mraz 2005-10-04 07:16:58 EDT
"scp /path/to/file root@hostname" is roughly identical to
"cp /path/to/file root@hostname"

You forgot to put ':' after the hostname. scp uses ssh to connect to the
remote machine, so the "PermitRootLogin no" setting must apply to it too.
Comment 2 Colin Walters 2005-10-04 11:06:13 EDT
Hi, I do forget to add the colon suffix sometimes, but when that occurs, I
always immediately realize my mistake when I don't see the expected remote copy
progress output.

I didn't add the trailing : in my bug report because I wasn't pasting actual
commands, the quotes were misleading there.

I think what happened was that at some point during my testing sshd didn't
restart correctly and didn't pick up the updated configuration.  I do see output
in the system logs about it failing to bind to port 22 when I execute "service
sshd restart" sometimes. 

Anyways, more extensive testing has convinced me that PermitRootLogin no does
appear to prevent scp logins, so my apologies for taking up your time with the bug.
Comment 3 Tomas Mraz 2005-10-04 11:16:33 EDT
> I do see output in the system logs about it failing to bind to port 22 when I 
> execute "service sshd restart" sometimes. 

This is bug 120302 and it should be harmless.
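The thread turns on two checks an admin would want to make before concluding that "PermitRootLogin no" is ignored: what value sshd will actually take from the config file, and whether "DenyUsers root" is present as a second line of defence. The script below is an added example, not code from the bug report or from the openssh project; it assumes a pre-Match-block sshd_config (as on RHEL4) and relies on the fact that sshd uses the first active occurrence of a keyword, so a directive appended to the end of the file is silently shadowed by an earlier active one.

```shell
#!/bin/sh
# Added example: report the PermitRootLogin value sshd will actually use.
# sshd honours the FIRST uncommented occurrence of a keyword; a later line
# (e.g. one appended to the end of the file) is ignored if an earlier active
# line already set it. Assumes no Match blocks (none existed on RHEL4).
effective_permit_root_login() {
    # $1: path to an sshd_config; prints the effective value, "yes" if unset
    # (the upstream default of that era). Comment lines start with '#', so
    # "#PermitRootLogin yes" never matches.
    awk 'tolower($1) == "permitrootlogin" && !found { print tolower($2); found = 1 }
         END { if (!found) print "yes" }' "$1"
}

root_in_denyusers() {
    # $1: path to an sshd_config; exit 0 if an active DenyUsers line lists root
    awk 'tolower($1) == "denyusers" { for (i = 2; i <= NF; i++) if ($i == "root") ok = 1 }
         END { exit ok ? 0 : 1 }' "$1"
}

# Constructed sample 1: stock-style config with the directive commented out and
# "PermitRootLogin no" appended at the end, as the reporter did. Effective: no.
write_sample_appended() {
    cat > "$1" <<'EOF'
Port 22
#PermitRootLogin yes
Subsystem sftp /usr/libexec/openssh/sftp-server
PermitRootLogin no
EOF
}

# Constructed sample 2: an earlier ACTIVE "PermitRootLogin yes" shadows the
# appended "no"; only the "DenyUsers root" line still keeps root out.
write_sample_shadowed() {
    cat > "$1" <<'EOF'
PermitRootLogin yes
PermitRootLogin no
DenyUsers root
EOF
}

# Human-readable summary for one config file; also runs sshd's syntax check
# (sshd -t) when the binary is available, so a reload failure is caught early.
check_config() {
    printf '%s: PermitRootLogin=%s' "$1" "$(effective_permit_root_login "$1")"
    if root_in_denyusers "$1"; then printf ' DenyUsers=root'; fi
    printf '\n'
    if command -v sshd >/dev/null 2>&1; then sshd -t -f "$1" || echo "syntax error in $1"; fi
}
```

Pair this with a check that the daemon really restarted after the edit (the reporter's actual cause), for example by confirming the sshd process start time is newer than the config file's mtime; on newer OpenSSH, `sshd -T` prints the effective configuration directly.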
