Re: Password auth turned off in OpenSSH

From: Darren Tucker (
Date: 10/12/04

  • Next message: Victor Danilchenko: "Re: OpenSSH -- a way to block recurrent login failures?"
    Date: Tue, 12 Oct 2004 10:48:50 +1000
    To: "C. Linus Hicks" <>

    C. Linus Hicks wrote:
    > Since I have PasswordAuthentication turned off, I was under the
    > impression that a brute force password attack on my system was not
    > possible. That is, it would not allow anyone to attempt a login by
    > providing username/password. The fact that it seems to be allowing
    > password authentication has me wondering if there is a bug. Am I not
    > understanding what this flag does? When I try to connect from one of my
    > other systems via username/password to this ssh server, I don't get the
    > chance to enter a password, and my logfiles look different from what
    > happens during an attack.

    Most clients start an authentication with a request for "none"
    authentication, which generates a list of "authentications that can
    continue". The client will then try whichever of those methods that it
    can, based on its configuration.

    The worm (or whatever it is) appears to not get that list and just try
    password auth, which is why you see the attempts in the log.

    > I do understand that a computer on a public network can be the target of
    > brute force password attacks, but doesn't that become impossible when
    > public key authentication is the only way allowed?
    > So my question is, is there a bug, or do I have something wrong in my
    > config file? And do my logfiles really tell me that username/password
    > authentication is happening?

    They're telling you that a client attempted password authentication and
    that it failed (in this case, because the password authentication is
    entirely disabled). There's nothing the server can do to stop the
    client sending that, the only thing it can do is ignore it (which it
    does, see below).

    > Here is a sample from my log file:
    > Oct 4 15:15:09 lh2 sshd[28337]: Could not reverse map address
    > Oct 4 15:15:09 lh2 sshd[28337]: Failed password for root from port 47240 ssh2
    > Oct 4 15:15:09 lh2 sshd[28337]: Received disconnect from 11: Bye Bye

    In auth2.c, input_userauth_request() does a lookup of the authmethod
    before actually attempting the authentication.

            /* try to authenticate user */
            m = authmethod_lookup(method);
            if (m != NULL) {
                    debug2("input_userauth_request: try method %s", method);
                    authenticated =>m->userauth(authctxt);

    and authmethod_lookup checks the "disabled" flag (this is what
    "PasswordAuthentication no" sets) before returning the method. If you
    have the password method disabled, the authentication will not be tested
    by the server and the userauth request from the client will just fail.

    You can confirm this by turning up the debug level on sshd. You'll get
    a "Unrecognized authentication method name: password" from
    authmethod_lookup and you won't see the "try method" messages for these

    Darren Tucker (dtucker at
    GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
         Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.

  • Next message: Victor Danilchenko: "Re: OpenSSH -- a way to block recurrent login failures?"

    Relevant Pages

    • [Full-disclosure] [GOATSE SECURITY] Clench: Goatses way to say "screw you" to certificate author
      ... Application layer authentication-inherent validation of public key ... Goatse Security’s new simple password-based authentication mechanism ... getting hundreds of thousands or millions of users to install a client ... client hashes locally and then sends the hash to the server. ...
    • Re: Windows Authentication, Single sign on and Active Directory
      ... service proxy client fails to connect due to authentication failure and then ... Co-author of "The .NET Developer's Guide to Directory Services Programming" ... The server is always in the domain. ...
    • Re: BASIC authentication Issues with IE - Part II - Solved but WHY?
      ... it does not know the difference between a request from IE or from ... some other HTTP client. ... Some other authentication schemes are more ... IIS can sometimes remember the token for a particular set of credentials so ...
    • Re: Sporadic IAS Authentication problems
      ... * Some times however, a physical reboot of the client laptop is required, ... *The remote access policy in IAS is set to grant access to the group 'Domain ... Proxy-Policy-Name = Use Windows authentication for all users ...
    • Re: ISAPI Authentication
      ... The job of your authentication filter is to accept ... non-Windows credentials from the client and then map them to a Windows ...