So it appears that I am getting a keyboard-interactive prompt and then a password prompt.

Here is the output of the requested command:

ssh -vvv -o NumberOfPasswordPrompts=1 -t root@10.10.2.51
OpenSSH_6.7p1, OpenSSL 1.0.1k-fips 8 Jan 2015
debug1: Reading configuration data /cygdrive/c/progra~1/OpenSSH/etc/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to 10.10.2.51 [10.10.2.51] port 22.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file /.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.7
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.7
debug1: match: OpenSSH_6.7 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug3: load_hostkeys: loading entries for host "10.10.2.51" from file "/.ssh/known_hosts"
debug3: load_hostkeys: found key type ED25519 in file /.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys
debug3: order_hostkeyalgs: prefer hostkeyalgs: ssh-ed25519-cert-v01@xxxxxxxxxxx,ssh-ed25519
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: curve25519-sha256@xxxxxxxxxx,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-ed25519-cert-v01@xxxxxxxxxxx,ssh-ed25519,ecdsa-sha2-nistp256-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp384-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp521-cert-v01@xxxxxxxxxxx,ssh-rsa-cert-v01@xxxxxxxxxxx,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@xxxxxxxxxxx,ssh-dss-cert-v00@xxxxxxxxxxx,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@xxxxxxxxxxx,chacha20-poly1305@xxxxxxxxxxx,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@xxxxxxxxxxxxxx
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@xxxxxxxxxxx,chacha20-poly1305@xxxxxxxxxxx,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@xxxxxxxxxxxxxx
debug2: kex_parse_kexinit: umac-64-etm@xxxxxxxxxxx,umac-128-etm@xxxxxxxxxxx,hmac-sha2-256-etm@xxxxxxxxxxx,hmac-sha2-512-etm@xxxxxxxxxxx,hmac-sha1-etm@xxxxxxxxxxm,umac-64@xxxxxxxxxxx,umac-128@xxxxxxxxxxx,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-etm@xxxxxxxxxxx,hmac-ripemd160-etm@xxxxxxxxxxx,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@xxxxxxxxxxx,hmac-md5,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: umac-64-etm@xxxxxxxxxxx,umac-128-etm@xxxxxxxxxxx,hmac-sha2-256-etm@xxxxxxxxxxx,hmac-sha2-512-etm@xxxxxxxxxxx,hmac-sha1-etm@xxxxxxxxxxm,umac-64@xxxxxxxxxxx,umac-128@xxxxxxxxxxx,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-etm@xxxxxxxxxxx,hmac-ripemd160-etm@xxxxxxxxxxx,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@xxxxxxxxxxx,hmac-md5,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@xxxxxxxxxxx,zlib
debug2: kex_parse_kexinit: none,zlib@xxxxxxxxxxx,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: curve25519-sha256@xxxxxxxxxx,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,ssh-ed25519
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-sha1
debug2: kex_parse_kexinit: hmac-sha1
debug2: kex_parse_kexinit: none,zlib@xxxxxxxxxxx
debug2: kex_parse_kexinit: none,zlib@xxxxxxxxxxx
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: setup hmac-sha1
debug1: kex: server->client aes128-ctr hmac-sha1 none
debug2: mac_setup: setup hmac-sha1
debug1: kex: client->server aes128-ctr hmac-sha1 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ED25519 17:99:91:c2:9d:f4:9a:6c:b3:ab:50:c5:e8:eb:a3:70
debug3: load_hostkeys: loading entries for host "10.10.2.51" from file "/.ssh/known_hosts"
debug3: load_hostkeys: found key type ED25519 in file /.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys
debug1: Host '10.10.2.51' is known and matches the ED25519 host key.
debug1: Found key in /.ssh/known_hosts:1
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /.ssh/id_rsa (0x0),
debug2: key: /.ssh/id_dsa (0x0),
debug2: key: /.ssh/id_ecdsa (0x0),
debug2: key: /.ssh/id_ed25519 (0x0),
debug3: input_userauth_banner
You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
- The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
- At any time, the USG may inspect and seize data stored on this IS.
- Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
- This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy.
- Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug3: start over, passed a different list publickey,password,keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /.ssh/id_rsa
debug3: no such identity: /.ssh/id_rsa: No such file or directory
debug1: Trying private key: /.ssh/id_dsa
debug3: no such identity: /.ssh/id_dsa: No such file or directory
debug1: Trying private key: /.ssh/id_ecdsa
debug3: no such identity: /.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /.ssh/id_ed25519
debug3: no such identity: /.ssh/id_ed25519: No such file or directory
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password:
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred:
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
root@10.10.2.51's password:
debug2: we sent a password packet, wait for reply
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey,password,keyboard-interactive).

In the above output, the first prompt is "Password:".
The second prompt is "root@10.10.2.51's password:"

Best regards,

Trey Henefield, CISSP
Senior IAVA Engineer
Ultra Electronics Advanced Tactical Systems, Inc.
4101 Smith School Road
Building IV, Suite 100
Austin, TX 78744 USA
Trey.Henefield@xxxxxxxxxxxxx
Tel: +1 512 327 6795 ext. 647
Fax: +1 512 327 8043
Mobile: +1 512 541 6450
www.ultra-ats.com

-----Original Message-----
From: Ángel González [mailto:keisial@xxxxxxxxx]
Sent: Thursday, January 15, 2015 1:28 PM
To: Trey Henefield
Cc: openssh-unix-dev@xxxxxxxxxxx
Subject: Re: OpenSSH v6.7 & NumberOfPasswordPrompts Option ...

On 15/01/15 16:29, Trey Henefield wrote:
> Greetings,
>
> I discovered an issue in the latest version of SSH, where the number of password prompts is doubled. If I specify 1, I get 2, and so on.

NumberOfPasswordPrompts is a client option. And it is working fine here on 6.7p1:
Running ssh -vvv -o NumberOfPasswordPrompts=1 testmachine, I only get asked for a password once, then disconnect.

Could you send us the output of such command on your tests? (there isn't anything specially sensitive there, but feel free to obscure any data you don't feel comfortable sharing, such as your username, host name or key ids...)

Note that at the server side, the option is called MaxAuthTries, and works differently, counting authentication attempts of any kind.

> For OpenSSH, the server does not specifically constrain the number of
> password authentication attempts. MaxAuthTries (default is 6) is the
> maximum number of authentication attempts (of any sort) per connection.
-- Ian Morgan last February on "Issue With SSHD Password Guesses" thread

Disclaimer
The information contained in this communication from trey.henefield@xxxxxxxxxxxxx sent at 2015-01-15 15:47:41 is confidential and may be legally privileged. It is intended solely for use by openssh-unix-dev@xxxxxxxxxxx and others authorized to receive it. If you are not openssh-unix-dev@xxxxxxxxxxx you are hereby notified that any disclosure, copying, distribution or taking action in reliance of the contents of this information is strictly prohibited and may be unlawful.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
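
An added example, not part of the original thread: a small Python parser that attributes each interactive prompt in the ssh -vvv output above to the authentication method the client was in when it appeared. The log is excerpted from the message (some debug lines omitted); the function and variable names are hypothetical.

```python
import re

# Authentication phase of the ssh -vvv output above (excerpted from the message).
LOG = """\
debug1: Next authentication method: publickey
debug1: Trying private key: /.ssh/id_rsa
debug2: we did not send a packet, disable method
debug1: Next authentication method: keyboard-interactive
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req: num_prompts 1
Password:
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
root@10.10.2.51's password:
debug2: we sent a password packet, wait for reply
debug1: No more authentication methods to try.
Permission denied (publickey,password,keyboard-interactive).
"""

NEXT_METHOD = re.compile(r"^debug1: Next authentication method: (\S+)")
SENT_PACKET = re.compile(r"^debug2: we sent a \S+ packet")
DEBUG_LINE = re.compile(r"^debug\d: ")

def prompts_per_method(log):
    """Map each method the client tried to the requests sent and prompts shown."""
    stats, current = {}, None
    for line in (raw.strip() for raw in log.splitlines()):
        method = NEXT_METHOD.match(line)
        if method:
            current = method.group(1)
            stats.setdefault(current, {"sent": 0, "prompts": []})
        elif current is None:
            continue
        elif SENT_PACKET.match(line):
            stats[current]["sent"] += 1
        elif line.endswith(":") and not DEBUG_LINE.match(line):
            # A non-debug line ending in ":" is a prompt written to the terminal.
            stats[current]["prompts"].append(line)
    return stats

def total_prompts(stats):
    return sum(len(entry["prompts"]) for entry in stats.values())

if __name__ == "__main__":
    for name, entry in prompts_per_method(LOG).items():
        print(f"{name}: sent={entry['sent']} prompts={entry['prompts']}")
```

On this log the parser reports one prompt under keyboard-interactive and one under password, and none under publickey, where no request was sent.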