disallow guessing of root password
authormarkus <markus@openbsd.org>
Thu, 9 Mar 2000 19:31:47 +0000 (19:31 +0000)
committermarkus <markus@openbsd.org>
Thu, 9 Mar 2000 19:31:47 +0000 (19:31 +0000)
usr.bin/ssh/sshd.c

index dd57e81..248177c 100644 (file)
@@ -11,7 +11,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: sshd.c,v 1.90 2000/03/06 20:29:04 markus Exp $");
+RCSID("$OpenBSD: sshd.c,v 1.91 2000/03/09 19:31:47 markus Exp $");
 
 #include "xmalloc.h"
 #include "rsa.h"
@@ -1244,14 +1244,6 @@ do_authentication()
                do_authloop(pw);
        }
 
-       /* Check if the user is logging in as root and root logins are disallowed. */
-       if (pw->pw_uid == 0 && !options.permit_root_login) {
-               if (forced_command)
-                       log("Root login accepted for forced command.");
-               else
-                       packet_disconnect("ROOT LOGIN REFUSED FROM %.200s",
-                                         get_canonical_hostname());
-       }
        /* The user has been authenticated and accepted. */
        packet_start(SSH_SMSG_SUCCESS);
        packet_send();
@@ -1489,6 +1481,21 @@ do_authloop(struct passwd * pw)
                        break;
                }
 
+               /*
+                * Check if the user is logging in as root and root logins
+                * are disallowed.
+                * Note that root login is allowed for forced commands.
+                */
+               if (authenticated && pw->pw_uid == 0 && !options.permit_root_login) {
+                       if (forced_command) {
+                               log("Root login accepted for forced command.");
+                       } else {
+                               authenticated = 0;
+                               log("ROOT LOGIN REFUSED FROM %.200s",
+                                   get_canonical_hostname());
+                       }
+               }
+
                /* Raise logging level */
                if (authenticated ||
                    attempt == AUTH_FAIL_LOG ||
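Review bot: The comment added above the `permit_root_login` check says what is tested but not why the refusal is now an ordinary authentication failure inside the loop rather than a disconnect after it. Judging by the commit title, the intent is that a client cannot distinguish a correct root password from a wrong one, so I would add a line such as `* Fail like a bad password so the client cannot tell the credential was valid.` to keep a later cleanup from restoring `packet_disconnect()` here. The `log("ROOT LOGIN REFUSED FROM %.200s", ...)` call is reached only when `authenticated` was already set, so it is the one record that the remote host holds a working root credential. Consider wording the message to say so, for example `log("ROOT LOGIN REFUSED FROM %.200s (valid credentials)", get_canonical_hostname());`, so that responders treat it as a credential-exposure event rather than routine noise. The body of `do_authloop` starts and ends outside this hunk, so how the cleared `authenticated` flag feeds the failure counter below is not visible here.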