Re: Password auth turned off in OpenSSH
From: Darren Tucker (dtucker_at_zip.com.au)
Date: 10/12/04
- Previous message: C. Linus Hicks: "Re: Password auth turned off in OpenSSH"
- In reply to: C. Linus Hicks: "Password auth turned off in OpenSSH"
- Next in thread: C. Linus Hicks: "Re: Password auth turned off in OpenSSH"
- Reply: C. Linus Hicks: "Re: Password auth turned off in OpenSSH"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 12 Oct 2004 10:48:50 +1000 To: "C. Linus Hicks" <lhicks@nc.rr.com>
C. Linus Hicks wrote:
> Since I have PasswordAuthentication turned off, I was under the
> impression that a brute force password attack on my system was not
> possible. That is, it would not allow anyone to attempt a login by
> providing username/password. The fact that it seems to be allowing
> password authentication has me wondering if there is a bug. Am I not
> understanding what this flag does? When I try to connect from one of my
> other systems via username/password to this ssh server, I don't get the
> chance to enter a password, and my logfiles look different from what
> happens during an attack.
Most clients start an authentication with a request for "none"
authentication, which generates a list of "authentications that can
continue". The client will then try whichever of those methods that it
can, based on its configuration.
The worm (or whatever it is) appears to not get that list and just try
password auth, which is why you see the attempts in the log.
> I do understand that a computer on a public network can be the target of
> brute force password attacks, but doesn't that become impossible when
> public key authentication is the only way allowed?
>
> So my question is, is there a bug, or do I have something wrong in my
> config file? And do my logfiles really tell me that username/password
> authentication is happening?
They're telling you that a client attempted password authentication and
that it failed (in this case, because the password authentication is
entirely disabled). There's nothing the server can do to stop the
client sending that, the only thing it can do is ignore it (which it
does, see below).
> Here is a sample from my log file:
>
> Oct 4 15:15:09 lh2 sshd[28337]: Could not reverse map address 202.33.56.20.
> Oct 4 15:15:09 lh2 sshd[28337]: Failed password for root from 202.33.56.20 port 47240 ssh2
> Oct 4 15:15:09 lh2 sshd[28337]: Received disconnect from 202.33.56.20: 11: Bye Bye
In auth2.c, input_userauth_request() does a lookup of the authmethod
before actually attempting the authentication.
/* try to authenticate user */
m = authmethod_lookup(method);
if (m != NULL) {
debug2("input_userauth_request: try method %s", method);
authenticated =>m->userauth(authctxt);
}
and authmethod_lookup checks the "disabled" flag (this is what
"PasswordAuthentication no" sets) before returning the method. If you
have the password method disabled, the authentication will not be tested
by the server and the userauth request from the client will just fail.
You can confirm this by turning up the debug level on sshd. You'll get
a "Unrecognized authentication method name: password" from
authmethod_lookup and you won't see the "try method" messages for these
requests.
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
- Previous message: C. Linus Hicks: "Re: Password auth turned off in OpenSSH"
- In reply to: C. Linus Hicks: "Password auth turned off in OpenSSH"
- Next in thread: C. Linus Hicks: "Re: Password auth turned off in OpenSSH"
- Reply: C. Linus Hicks: "Re: Password auth turned off in OpenSSH"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
