[j-nsp] root-login via ssh and 11.x

Wayne Tucker wayne at tuckerlabs.com
Tue Jun 26 14:28:04 EDT 2012


On Tue, Jun 26, 2012 at 8:32 AM, Nick Kritsky <nick.kritsky at gmail.com> wrote:

> To all:
> sorry for the misinformation. It looks like the change in root authentication
> behavior was caused not by a JunOS upgrade, but by a change from
> "system authentication-order [ tacplus password ]"
> to
> "system authentication-order tacplus"
>
> I have to be more careful.
> Still, I can't understand the logic behind this.
> "system authentication-order [ tacplus password ]" == root can login
> "system authentication-order tacplus" == root cannot login
> "system authentication-order tacplus" + "system services ssh
> root-login allow" == root can login
>

That is interesting.  The root-login option causes the PermitRootLogin in
the OpenSSH sshd config (/var/etc/sshd_config) to be changed (not set = not
set; allow = yes, deny-password = without-password, deny = no).

The authentication-order command causes /etc/pam.conf to be changed.
Here's what it looks like with [ tacplus password ] on a 10.4 box in my
lab:

su auth sufficient pam_rootok.so no_warn
su auth sufficient pam_self.so   no_warn
su auth requisite  pam_group.so  no_warn group=wheel fail_safe root_only
su auth required   pam_unix.so   try_first_pass
login   auth    sufficient      pam_tacplus.so conf=/var/etc/pam_tacplus.conf template_user=remote try_first_pass no_warn
login   auth    required        pam_unix.so     try_first_pass no_warn
login   session required        pam_permit.so
login   account required        pam_unix.so

With the password option removed, the third line changes to:

login   auth    required        pam_unix.so     local_fallback no_warn

With authentication-order not set the tacplus lines go away and the login
line instead reads:

login   auth    required        pam_unix.so

I can't find anything in the PAM documentation about local_fallback so I'm
guessing that's a Juniper extension.

The best hypothesis I've been able to come up with so far is that the
PermitRootLogin yes option allows sshd to authenticate root through some
other mechanism, though even that doesn't seem to fit all of the facts.
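An audit helper added to this archived thread (my own example, not code from the thread, from Juniper, or from OpenSSH): it reads the rendered sshd_config and /etc/pam.conf that the reply describes and reports the PermitRootLogin value together with the authentication-order variant inferred from the "login auth" stack. The sample file contents below are constructed from the listings in the reply; the three pam.conf variants it recognises are exactly the ones shown there.

```python
import re

# Constructed samples modelled on the listings in the reply: the sshd_config
# line produced by 'root-login allow', and the pam.conf 'login' stack rendered
# for 'authentication-order [ tacplus password ]'.
SAMPLE_SSHD_CONFIG = "Protocol 2\nPermitRootLogin yes\n"
SAMPLE_PAM_CONF = """\
login   auth    sufficient      pam_tacplus.so conf=/var/etc/pam_tacplus.conf template_user=remote try_first_pass no_warn
login   auth    required        pam_unix.so     try_first_pass no_warn
login   session required        pam_permit.so
login   account required        pam_unix.so
"""

def permit_root_login(sshd_config):
    """Return the PermitRootLogin value from sshd_config, or None when the
    keyword is absent (Junos leaves it unset when root-login is not configured)."""
    for line in sshd_config.splitlines():
        m = re.match(r"\s*PermitRootLogin\s+(\S+)", line, re.IGNORECASE)
        if m:
            return m.group(1)  # sshd honours the first occurrence of a keyword
    return None

def login_auth_stack(pam_conf):
    """Parse /etc/pam.conf into (control, module, options) tuples for the
    'login' service's auth type; other services and types are skipped."""
    stack = []
    for line in pam_conf.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[:2] == ["login", "auth"]:
            stack.append((fields[2], fields[3], fields[4:]))
    return stack

def infer_authentication_order(pam_conf):
    """Map the login auth stack back to the Junos 'system authentication-order'
    setting, using the three variants the reply shows."""
    stack = login_auth_stack(pam_conf)
    modules = [m for _, m, _ in stack]
    unix_opts = next((o for _, m, o in stack if m == "pam_unix.so"), [])
    if "pam_tacplus.so" not in modules:
        return "not set"
    if "local_fallback" in unix_opts:
        return "tacplus"
    if "try_first_pass" in unix_opts:
        return "[ tacplus password ]"
    return "unknown"

def root_ssh_posture(sshd_config, pam_conf):
    """Summarise the two settings the reply ties to root SSH login."""
    return {
        "PermitRootLogin": permit_root_login(sshd_config) or "not set",
        "authentication-order": infer_authentication_order(pam_conf),
    }

if __name__ == "__main__":
    print(root_ssh_posture(SAMPLE_SSHD_CONFIG, SAMPLE_PAM_CONF))
```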
