Re: sshd "none" method authentication

Thanks Darren.

Yes, we are using PAM.

I'll try "PermitEmptyPasswords no" to see if it can resolve the failure count issue.

One more problem I found is that when I use password authentication, although the failure count is incremented by one by the none method, the count is reset on a successful password authentication. This is not the case when I use publickey authentication: the count is not reset on a successful publickey authentication.

With BSM enabled, the authlog shows:
Jun 26 15:44:16 wcars99q sshd[8357]: Failed none for root from 192.168.52.2 port 41042 ssh2
Jun 26 15:44:16 wcars99q sshd[8357]: Found matching RSA key: d0:ed:67:be:91:73:c5:12:59:67:2d:a5:f2:c7:79:82
Jun 26 15:44:16 wcars99q sshd[8357]: Postponed publickey for root from 192.168.52.2 port 41042 ssh2
Jun 26 15:44:17 wcars99q sshd[8357]: Found matching RSA key: d0:ed:67:be:91:73:c5:12:59:67:2d:a5:f2:c7:79:82
Jun 26 15:44:17 wcars99q sshd[8357]: Accepted publickey for root from 192.168.52.2 port 41042 ssh2

Thanks,
John

--- On Thu, 6/26/08, Darren Tucker <dtucker@xxxxxxxxxx> wrote:

> From: Darren Tucker <dtucker@xxxxxxxxxx>
> Subject: Re: sshd "none" method authentication
> To: "wc wong" <jwc_wong@xxxxxxxxx>
> Cc: secureshell@xxxxxxxxxxxxxxxxx
> Date: Thursday, June 26, 2008, 11:43 AM
> On Thu, Jun 26, 2008 at 07:38:26AM -0700, wc wong wrote:
> > I'm using OpenSSH version 4.6p1. I also use the -lbsm flag when running
> > configure to enable Solaris 10's BSM.
> 
> Are you also using PAM?
> 
> > I notice that the none method failure is counted in /etc/shadow
> > as a failed login, but the success of the publickey method is
> > not decrementing the failed login count in /etc/shadow. Hence
> > resulting in the user account eventually being locked with a few
> > ssh using publickey authentication as described below.
> [...]
> > sshd[743]: Failed none for xxxx from a.b.c.d port xxxx ssh2
> > I understand that is required as the first step in SSHV2 authentication.
> 
> Actually, it's not strictly required but most clients do it.
> 
> [...]
> > I wonder if there is any way to skip returning this "none" failure to
> > the Solaris OS resulting in the fail login count being incremented.
> 
> About "none", the spec says something along the lines of "if the
> session requires no further authentication then return success,
> otherwise return a list of authentication methods that can continue".
> 
> The way OpenSSH's sshd implements this is that it tries a password
> authentication with an empty password, and I suspect this is what's
> tripping your failure counters.  If this is what's happening, you
> can prevent this by setting "PermitEmptyPasswords no" in sshd_config.
> 
> -- 
> Darren Tucker (dtucker at zip.com.au)
> GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
>     Good judgement comes with experience. Unfortunately, the experience
>     usually comes from bad judgement.
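The exchange above boils down to two practical checks: whether the "Failed none" lines in the authlog are really just the client's method probe ahead of a successful publickey or password login, and whether sshd_config explicitly says "PermitEmptyPasswords no" in the global section. The script below is an added example written for this page; it is not code from the thread or from OpenSSH. The first five log lines are the authlog excerpt John posted, the remaining lines are constructed to show a session with a genuine password failure and one with no success at all, and the config checker assumes sshd_config's first-occurrence-wins rule for keywords outside Match blocks.

```python
import re
from collections import defaultdict

# Constructed sample authlog. The first five lines are the excerpt from the
# thread; the rest are made up here so that one session (8412) contains a
# real password failure before success, and one (8477) never succeeds.
SAMPLE_AUTHLOG = """\
Jun 26 15:44:16 wcars99q sshd[8357]: Failed none for root from 192.168.52.2 port 41042 ssh2
Jun 26 15:44:16 wcars99q sshd[8357]: Found matching RSA key: d0:ed:67:be:91:73:c5:12:59:67:2d:a5:f2:c7:79:82
Jun 26 15:44:16 wcars99q sshd[8357]: Postponed publickey for root from 192.168.52.2 port 41042 ssh2
Jun 26 15:44:17 wcars99q sshd[8357]: Found matching RSA key: d0:ed:67:be:91:73:c5:12:59:67:2d:a5:f2:c7:79:82
Jun 26 15:44:17 wcars99q sshd[8357]: Accepted publickey for root from 192.168.52.2 port 41042 ssh2
Jun 26 15:50:02 wcars99q sshd[8412]: Failed none for root from 192.168.52.2 port 41100 ssh2
Jun 26 15:50:05 wcars99q sshd[8412]: Failed password for root from 192.168.52.2 port 41100 ssh2
Jun 26 15:50:09 wcars99q sshd[8412]: Accepted password for root from 192.168.52.2 port 41100 ssh2
Jun 26 15:55:30 wcars99q sshd[8477]: Failed none for jdoe from 192.168.52.9 port 41210 ssh2
Jun 26 15:55:33 wcars99q sshd[8477]: Failed publickey for jdoe from 192.168.52.9 port 41210 ssh2
Jun 26 15:55:40 wcars99q sshd[8477]: Failed password for jdoe from 192.168.52.9 port 41210 ssh2
"""

# Matches the "Failed <method>" / "Accepted <method>" lines sshd writes;
# "Postponed" and "Found matching" lines are deliberately not matched.
AUTH_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: (?P<result>Failed|Accepted) (?P<method>\S+) "
    r"for (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+) ssh2"
)


def parse_auth_events(text):
    """Yield (pid, result, method, user) for every Failed/Accepted line."""
    for line in text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            yield m["pid"], m["result"], m["method"], m["user"]


def tally_failures(text):
    """Per-user tally that keeps the 'none' probe apart from real failures.

    A 'Failed none' is the client asking which methods may continue, not a
    rejected credential, so it is counted as a probe rather than a failure.
    Returns {user: {"none_probes": n, "real_failures": n, "successes": n}}.
    """
    tally = defaultdict(lambda: {"none_probes": 0, "real_failures": 0, "successes": 0})
    for _pid, result, method, user in parse_auth_events(text):
        if result == "Accepted":
            tally[user]["successes"] += 1
        elif method == "none":
            tally[user]["none_probes"] += 1
        else:
            tally[user]["real_failures"] += 1
    return dict(tally)


def sessions_failing_only_none(text):
    """Return the sshd pids whose only 'Failed' line is the none probe and
    which then got an 'Accepted': exactly the logins that would wrongly
    bump a counter that treats every Failed line as a bad attempt."""
    per_pid = defaultdict(list)
    for pid, result, method, _user in parse_auth_events(text):
        per_pid[pid].append((result, method))
    return sorted(
        pid for pid, events in per_pid.items()
        if all(m == "none" for r, m in events if r == "Failed")
        and any(r == "Accepted" for r, _ in events)
    )


def permit_empty_passwords_explicit_no(config_text):
    """True only if sshd_config sets PermitEmptyPasswords to no explicitly,
    in the global section (not under a Match block). Keywords are
    case-insensitive and may use 'Key value' or 'Key=value'; the first
    occurrence of a keyword is the one sshd honours (assumption stated in
    the lead-in), so parsing stops at the first hit."""
    in_match = False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        val = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            in_match = True      # everything after this is conditional
            continue
        if not in_match and key == "permitemptypasswords":
            return val == "no"
    return False


if __name__ == "__main__":
    for user, counts in tally_failures(SAMPLE_AUTHLOG).items():
        print(user, counts)
    print("sessions whose only failure was the none probe:",
          sessions_failing_only_none(SAMPLE_AUTHLOG))
```

Running it over the sample shows root with two none probes, one real failure and two successes, jdoe with one probe and two real failures, and session 8357 (the publickey login from John's log) as the only session whose "Failed" line was nothing but the probe. On the Solaris side the script does not touch /etc/shadow; it only gives you a number to compare against the OS failure counter so you can see how much of it is the none method.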
