Re: Password auth turned off in OpenSSH

From: Darren Tucker (dtucker_at_zip.com.au)
Date: 10/12/04

  • Next message: Victor Danilchenko: "Re: OpenSSH -- a way to block recurrent login failures?"
    Date: Tue, 12 Oct 2004 10:48:50 +1000
    To: "C. Linus Hicks" <lhicks@nc.rr.com>
    C. Linus Hicks wrote:
    > Since I have PasswordAuthentication turned off, I was under the
    > impression that a brute force password attack on my system was not
    > possible. That is, it would not allow anyone to attempt a login by
    > providing username/password. The fact that it seems to be allowing
    > password authentication has me wondering if there is a bug. Am I not
    > understanding what this flag does? When I try to connect from one of my
    > other systems via username/password to this ssh server, I don't get the
    > chance to enter a password, and my logfiles look different from what
    > happens during an attack.

    Most clients start an authentication with a request for "none"
    authentication, which generates a list of "authentications that can
    continue". The client will then try whichever of those methods that it
    can, based on its configuration.

    The worm (or whatever it is) appears to not get that list and just try
    password auth, which is why you see the attempts in the log.

    > I do understand that a computer on a public network can be the target of
    > brute force password attacks, but doesn't that become impossible when
    > public key authentication is the only way allowed?
    >
    > So my question is, is there a bug, or do I have something wrong in my
    > config file? And do my logfiles really tell me that username/password
    > authentication is happening?

    They're telling you that a client attempted password authentication and
    that it failed (in this case, because the password authentication is
    entirely disabled). There's nothing the server can do to stop the
    client sending that; the only thing it can do is ignore it (which it
    does, see below).

    > Here is a sample from my log file:
    >
    > Oct 4 15:15:09 lh2 sshd[28337]: Could not reverse map address 202.33.56.20.
    > Oct 4 15:15:09 lh2 sshd[28337]: Failed password for root from 202.33.56.20 port 47240 ssh2
    > Oct 4 15:15:09 lh2 sshd[28337]: Received disconnect from 202.33.56.20: 11: Bye Bye

    In auth2.c, input_userauth_request() does a lookup of the authmethod
    before actually attempting the authentication.

            /* try to authenticate user */
            m = authmethod_lookup(method);
            if (m != NULL) {
                    debug2("input_userauth_request: try method %s", method);
                    authenticated = m->userauth(authctxt);
            }

    and authmethod_lookup checks the "disabled" flag (this is what
    "PasswordAuthentication no" sets) before returning the method. If you
    have the password method disabled, the authentication will not be tested
    by the server and the userauth request from the client will just fail.

    You can confirm this by turning up the debug level on sshd. You'll get
    an "Unrecognized authentication method name: password" from
    authmethod_lookup and you won't see the "try method" messages for these
    requests.

    -- 
    Darren Tucker (dtucker at zip.com.au)
    GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
         Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.
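
As an added example (not part of this post or of OpenSSH's own code), a small Python script that runs over constructed sshd log lines modelled on the excerpt above and, per source address, counts the password attempts the server refused. It ties a debug-level "Unrecognized authentication method name: password" line to the following "Failed password" line by sshd's PID, on the assumption that both were logged by the same child process; the extra addresses, users and PIDs beyond the excerpt are made up.

```python
import re
from collections import defaultdict

# Constructed sample sshd log (syslog format), modelled on the excerpt in the post.
# The last two lines mimic what sshd logs for one connection once LogLevel is raised
# high enough for authmethod_lookup's debug2() message to appear.
SAMPLE_LOG = """\
Oct 4 15:15:09 lh2 sshd[28337]: Could not reverse map address 202.33.56.20.
Oct 4 15:15:09 lh2 sshd[28337]: Failed password for root from 202.33.56.20 port 47240 ssh2
Oct 4 15:15:09 lh2 sshd[28337]: Received disconnect from 202.33.56.20: 11: Bye Bye
Oct 4 15:15:12 lh2 sshd[28340]: Failed password for admin from 202.33.56.20 port 47255 ssh2
Oct 4 15:16:01 lh2 sshd[28344]: Accepted publickey for linus from 192.0.2.10 port 51022 ssh2
Oct 4 15:16:30 lh2 sshd[28350]: debug2: Unrecognized authentication method name: password
Oct 4 15:16:30 lh2 sshd[28350]: Failed password for root from 203.0.113.5 port 40101 ssh2
"""

# "Failed <method> for [invalid user ]<user> from <ip> port <port>" as logged by sshd.
FAILED_RE = re.compile(
    r"sshd\[(\d+)\]: Failed (\w+) for (?:invalid user )?(\S+) from (\S+) port (\d+)")
# The debug2() line emitted by authmethod_lookup() when the method is disabled/unknown.
UNRECOGNIZED_RE = re.compile(
    r"sshd\[(\d+)\]: debug\d: Unrecognized authentication method name: (\w+)")


def summarize_failed_auth(log_text):
    """Group refused password attempts by source address.

    Returns {ip: {"attempts": n, "users": set, "rejected_at_lookup": n}} where
    "rejected_at_lookup" counts attempts whose sshd process also logged the
    'Unrecognized authentication method name: password' debug line, i.e. the
    server never ran the password check at all.
    """
    rejected_pids = set()
    summary = defaultdict(lambda: {"attempts": 0, "users": set(), "rejected_at_lookup": 0})
    for line in log_text.splitlines():
        m = UNRECOGNIZED_RE.search(line)
        if m and m.group(2) == "password":
            rejected_pids.add(m.group(1))
            continue
        m = FAILED_RE.search(line)
        if not m or m.group(2) != "password":
            continue  # other methods, accepted logins, disconnects: not of interest here
        pid, _, user, src, _ = m.groups()
        entry = summary[src]
        entry["attempts"] += 1
        entry["users"].add(user)
        if pid in rejected_pids:
            entry["rejected_at_lookup"] += 1
    return dict(summary)


if __name__ == "__main__":
    for src, info in summarize_failed_auth(SAMPLE_LOG).items():
        print(src, info["attempts"], sorted(info["users"]), info["rejected_at_lookup"])
```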
    
