Re: sshd "none" method authentication



On Thu, Jun 26, 2008 at 07:38:26AM -0700, wc wong wrote:
> I'm using OpenSSH version 4.6p1. I also use -lbsm flag when running
> configure to enable Solaris 10's BSM.

Are you also using PAM?

> I notice that the none method failure is counted in /etc/shadow
> as a failed login, but the success of the publickey method is
> not decrementing the failed login count in /etc/shadow. Hence
> resulting in the user account eventually being locked with a few
> ssh using publickey authentication as described below.
[...]
> sshd[743]: Failed none for xxxx from a.b.c.d port xxxx ssh2
> I understand that is required as the first step in SSHV2 authentication.

Actually, it's not strictly required but most clients do it.

[...]
> I wonder if there is any way to skip returning this "none" failure to
> the Solaris OS resulting in the fail login count being incremented.

About "none", the spec says something along the lines of "if the
session requires no further authentication then return success,
otherwise return a list of authentication methods that can continue".

The way OpenSSH's sshd implements this is that it tries a password
authentication with an empty password, and I suspect this is what's
tripping your failure counters. If this is what's happening, you
can prevent this by setting "PermitEmptyPasswords no" in sshd_config.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
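
A diagnostic sketch for the symptom discussed in this thread, added here and not part of the original message or of OpenSSH: it scans sshd log lines in the format quoted above and counts, per user, connections where "Failed none" was followed by an accepted login on the same connection, i.e. failures that would be charged to an account despite a successful login. The log lines are constructed, and the function name and the syslog prefix are assumptions about the local setup.

```python
import re
from collections import defaultdict

# Constructed sample sshd syslog lines (not taken from the original post).
SAMPLE_LOG = """\
Jun 26 07:30:01 host sshd[743]: Failed none for alice from 192.0.2.10 port 40112 ssh2
Jun 26 07:30:01 host sshd[743]: Accepted publickey for alice from 192.0.2.10 port 40112 ssh2
Jun 26 07:31:15 host sshd[751]: Failed none for alice from 192.0.2.10 port 40120 ssh2
Jun 26 07:31:15 host sshd[751]: Accepted publickey for alice from 192.0.2.10 port 40120 ssh2
Jun 26 07:32:40 host sshd[760]: Failed none for bob from 192.0.2.77 port 51200 ssh2
Jun 26 07:32:44 host sshd[760]: Failed password for bob from 192.0.2.77 port 51200 ssh2
Jun 26 07:40:02 host sshd[802]: Accepted publickey for carol from 192.0.2.33 port 40300 ssh2
"""

# Matches both "Failed <method> for ..." and "Accepted <method> for ..." lines.
LINE_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: (?P<result>Failed|Accepted) (?P<method>\S+) "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<addr>\S+) port (?P<port>\d+)"
)


def spurious_none_failures(log_text):
    """Per user, count connections whose 'Failed none' probe was followed
    by an accepted login on the same (pid, address, port) connection."""
    probed = {}                 # connection key -> user whose "none" probe failed
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        key = (m["pid"], m["addr"], m["port"])
        if m["result"] == "Failed" and m["method"] == "none":
            probed[key] = m["user"]
        elif m["result"] == "Accepted" and probed.pop(key, None) == m["user"]:
            # The login succeeded, so the earlier "none" failure was only the probe.
            counts[m["user"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for user, n in sorted(spurious_none_failures(SAMPLE_LOG).items()):
        print(f"{user}: {n} 'none' failure(s) logged on connections that then succeeded")
```

Running it against logs from before and after a change to sshd_config shows whether the per-user count of such failures has stopped growing.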


