RE: OpenSSH v6.7 & NumberOfPasswordPrompts Option ...

So it appears that I am getting a keyboard-interactive prompt and then a password prompt.

Here is the output of the requested command:

ssh -vvv -o NumberOfPasswordPrompts=1 -t root@10.10.2.51

OpenSSH_6.7p1, OpenSSL 1.0.1k-fips 8 Jan 2015
debug1: Reading configuration data /cygdrive/c/progra~1/OpenSSH/etc/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to 10.10.2.51 [10.10.2.51] port 22.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file /.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.7
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.7
debug1: match: OpenSSH_6.7 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug3: load_hostkeys: loading entries for host "10.10.2.51" from file "/.ssh/known_hosts"
debug3: load_hostkeys: found key type ED25519 in file /.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys
debug3: order_hostkeyalgs: prefer hostkeyalgs: ssh-ed25519-cert-v01@xxxxxxxxxxx,ssh-ed25519
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: curve25519-sha256@xxxxxxxxxx,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-ed25519-cert-v01@xxxxxxxxxxx,ssh-ed25519,ecdsa-sha2-nistp256-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp384-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp521-cert-v01@xxxxxxxxxxx,ssh-rsa-cert-v01@xxxxxxxxxxx,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@xxxxxxxxxxx,ssh-dss-cert-v00@xxxxxxxxxxx,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@xxxxxxxxxxx,chacha20-poly1305@xxxxxxxxxxx,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@xxxxxxxxxxxxxx
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@xxxxxxxxxxx,chacha20-poly1305@xxxxxxxxxxx,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@xxxxxxxxxxxxxx
debug2: kex_parse_kexinit: umac-64-etm@xxxxxxxxxxx,umac-128-etm@xxxxxxxxxxx,hmac-sha2-256-etm@xxxxxxxxxxx,hmac-sha2-512-etm@xxxxxxxxxxx,hmac-sha1-etm@xxxxxxxxxxm,umac-64@xxxxxxxxxxx,umac-128@xxxxxxxxxxx,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-etm@xxxxxxxxxxx,hmac-ripemd160-etm@xxxxxxxxxxx,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@xxxxxxxxxxx,hmac-md5,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: umac-64-etm@xxxxxxxxxxx,umac-128-etm@xxxxxxxxxxx,hmac-sha2-256-etm@xxxxxxxxxxx,hmac-sha2-512-etm@xxxxxxxxxxx,hmac-sha1-etm@xxxxxxxxxxm,umac-64@xxxxxxxxxxx,umac-128@xxxxxxxxxxx,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-etm@xxxxxxxxxxx,hmac-ripemd160-etm@xxxxxxxxxxx,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@xxxxxxxxxxx,hmac-md5,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@xxxxxxxxxxx,zlib
debug2: kex_parse_kexinit: none,zlib@xxxxxxxxxxx,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: curve25519-sha256@xxxxxxxxxx,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,ssh-ed25519
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-sha1
debug2: kex_parse_kexinit: hmac-sha1
debug2: kex_parse_kexinit: none,zlib@xxxxxxxxxxx
debug2: kex_parse_kexinit: none,zlib@xxxxxxxxxxx
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: setup hmac-sha1
debug1: kex: server->client aes128-ctr hmac-sha1 none
debug2: mac_setup: setup hmac-sha1
debug1: kex: client->server aes128-ctr hmac-sha1 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ED25519 17:99:91:c2:9d:f4:9a:6c:b3:ab:50:c5:e8:eb:a3:70

debug3: load_hostkeys: loading entries for host "10.10.2.51" from file "/.ssh/known_hosts"
debug3: load_hostkeys: found key type ED25519 in file /.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys
debug1: Host '10.10.2.51' is known and matches the ED25519 host key.
debug1: Found key in /.ssh/known_hosts:1
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /.ssh/id_rsa (0x0),
debug2: key: /.ssh/id_dsa (0x0),
debug2: key: /.ssh/id_ecdsa (0x0),
debug2: key: /.ssh/id_ed25519 (0x0),
debug3: input_userauth_banner
You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
- The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
- At any time, the USG may inspect and seize data stored on this IS.
- Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
- This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy.
- Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug3: start over, passed a different list publickey,password,keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /.ssh/id_rsa
debug3: no such identity: /.ssh/id_rsa: No such file or directory
debug1: Trying private key: /.ssh/id_dsa
debug3: no such identity: /.ssh/id_dsa: No such file or directory
debug1: Trying private key: /.ssh/id_ecdsa
debug3: no such identity: /.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /.ssh/id_ed25519
debug3: no such identity: /.ssh/id_ed25519: No such file or directory
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password:
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred:
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
root@10.10.2.51's password:
debug2: we sent a password packet, wait for reply
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey,password,keyboard-interactive).


In the above output, the first prompt is "Password:". The second prompt is "root@10.10.2.51's password:".


Best regards,
 

Trey Henefield, CISSP
Senior IAVA Engineer

Ultra Electronics
Advanced Tactical Systems, Inc.
4101 Smith School Road
Building IV, Suite 100
Austin, TX 78744 USA

Trey.Henefield@xxxxxxxxxxxxx
Tel: +1 512 327 6795 ext. 647
Fax: +1 512 327 8043
Mobile: +1 512 541 6450

www.ultra-ats.com

-----Original Message-----
From: Ángel González [mailto:keisial@xxxxxxxxx] 
Sent: Thursday, January 15, 2015 1:28 PM
To: Trey Henefield
Cc: openssh-unix-dev@xxxxxxxxxxx
Subject: Re: OpenSSH v6.7 & NumberOfPasswordPrompts Option ...

On 15/01/15 16:29, Trey Henefield wrote:
> Greetings,
>
> I discovered an issue in the latest version of SSH, where the number of password prompts are doubled. If I specify 1, I get 2, and so on.

NumberOfPasswordPrompts is a client option. And it is working fine here on 6.7p1:

Running ssh -vvv -o NumberOfPasswordPrompts=1 testmachine, I only get asked for a password once, then disconnect.

Could you send us the output of such command on your tests?
(there isn't anything especially sensitive there, but feel free to obscure any data you don't feel comfortable sharing, such as your username, host name or key ids...)


Note that at the server side, the option is called MaxAuthTries, and works differently, counting authentication attempts of any kind.
> For OpenSSH, the server does not specifically constrain the number of 
> password authentication attempts. MaxAuthTries (default is 6) is the 
> maximum number of authentication attempts (of any sort) per connection.
-- Ian Morgan last February on "Issue With SSHD Password Guesses" thread

Disclaimer
The information contained in this communication from trey.henefield@xxxxxxxxxxxxx sent at 2015-01-15 15:47:41 is confidential and may be legally privileged.
It is intended solely for use by openssh-unix-dev@xxxxxxxxxxx and others authorized to receive it. If you are not openssh-unix-dev@xxxxxxxxxxx you are hereby notified that
any disclosure, copying, distribution or taking action in reliance of the contents of this information is strictly prohibited and may be unlawful.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
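To make the distinction drawn in this thread concrete, here is an added example (not code from the thread, from OpenSSH, or from either poster) that walks the userauth phase of the debug transcript above and attributes each prompt the user saw to the authentication method that produced it. The log excerpt is constructed from the lines quoted in the thread; the function names are my own.

```python
import re

# Constructed excerpt of the "ssh -vvv -o NumberOfPasswordPrompts=1" transcript
# quoted in the thread, trimmed to the userauth phase (same debug lines).
SAMPLE_LOG = """\
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug1: Next authentication method: publickey
debug2: we did not send a packet, disable method
debug1: Next authentication method: keyboard-interactive
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req: num_prompts 1
Password:
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
root@10.10.2.51's password:
debug2: we sent a password packet, wait for reply
debug1: No more authentication methods to try.
Permission denied (publickey,password,keyboard-interactive).
"""

def analyse(log):
    """Attribute each user-visible prompt to the userauth method in progress and
    count authentication packets sent (what the server's MaxAuthTries bounds)."""
    method, prompts, packets_sent = None, {}, 0
    for line in log.splitlines():
        m = re.match(r"debug1: Next authentication method: (\S+)", line)
        if m:
            method = m.group(1)
            continue
        # keyboard-interactive: the server states how many prompts it wants
        m = re.match(r"debug2: input_userauth_info_req: num_prompts (\d+)", line)
        if m:
            prompts[method] = prompts.get(method, 0) + int(m.group(1))
        # password: the client itself prints "<user>@<host>'s password:"
        elif method == "password" and line.endswith("'s password:"):
            prompts[method] = prompts.get(method, 0) + 1
        elif line.startswith("debug2: we sent a"):
            packets_sent += 1
    return prompts, packets_sent

def password_prompts_within_limit(prompts, number_of_password_prompts=1):
    """NumberOfPasswordPrompts bounds only the 'password' method; a
    keyboard-interactive prompt belongs to a separate method and is not counted."""
    return prompts.get("password", 0) <= number_of_password_prompts

if __name__ == "__main__":
    p, n = analyse(SAMPLE_LOG)
    print(p, "prompts total:", sum(p.values()), "auth packets:", n)
```

On the thread's transcript this reports one keyboard-interactive prompt and one password prompt: two prompts in total, yet the password method stayed within its limit of one, which is why the option appears to be "doubled" when the client is allowed to try keyboard-interactive first.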