Password auth turned off in OpenSSH

From: C. Linus Hicks (lhicks_at_nc.rr.com)
Date: 10/09/04

  • Next message: Brad Penoff: "(Open)SSH over SCTP" 
    To: secureshell@securityfocus.com
Date: 09 Oct 2004 16:24:04 -0400

    I posted a similar message to this list earlier, but it was rejected by
    the moderator. Unfortunately the response I got didn't answer my
    question. This message is an attempt to clarify my question.

    Since I have PasswordAuthentication turned off, I was under the
    impression that a brute force password attack on my system was not
    possible. That is, it would not allow anyone to attempt a login by
    providing username/password. The fact that it seems to be allowing
    password authentication has me wondering if there is a bug. Am I not
    understanding what this flag does? When I try to connect from one of my
    other systems via username/password to this ssh server, I don't get the
    chance to enter a password, and my logfiles look different from what
    happens during an attack.

    I do understand that a computer on a public network can be the target of
    brute force password attacks, but doesn't that become impossible when
    public key authentication is the only way allowed?

    So my question is, is there a bug, or do I have something wrong in my
    config file? And do my logfiles really tell me that username/password
    authentication is happening?

    Here is a sample from my log file:

    Oct 4 15:15:09 lh2 sshd[28337]: Could not reverse map address 202.33.56.20.
    Oct 4 15:15:09 lh2 sshd[28337]: Failed password for root from 202.33.56.20 port 47240 ssh2
    Oct 4 15:15:09 lh2 sshd[28337]: Received disconnect from 202.33.56.20: 11: Bye Bye

    I searched the mail archives and also looked on the openssh "Security"
    page for references to a bug, to no avail. And I am wondering: if it is
    a bug, is it fixed in the latest version, but there doesn't seem to be
    any information about it, like it's not a problem. 

    -- 
C. Linus Hicks <lhicks@nc.rr.com>
  • Next message: Brad Penoff: "(Open)SSH over SCTP"

    Relevant Pages

    • Re: Password auth turned off in OpenSSH
      ... > impression that a brute force password attack on my system was not ... > password authentication has me wondering if there is a bug. ... > other systems via username/password to this ssh server, ...
      (SSH)
    • Re: Password auth turned off in OpenSSH
      ... > impression that a brute force password attack on my system was not ... Most clients start an authentication with a request for "none" ... The client will then try whichever of those methods that it ...
      (SSH)