Re: sshd "none" method authentication



Thanks Darren.

Yes, we are using PAM.

I'll try "PermitEmptyPasswords no" to see if it can resolve the failure count issue.

One more problem I found is that when I use authentication by password, although the failure count is incremented by one with the none method, the count is reset by the success of the password authentication. This is not the case when I use publickey authentication: the count is not reset by the success of the publickey authentication.

With BSM enabled, the authlog shows:
Jun 26 15:44:16 wcars99q sshd[8357]: Failed none for root from 192.168.52.2 port 41042 ssh2
Jun 26 15:44:16 wcars99q sshd[8357]: Found matching RSA key: d0:ed:67:be:91:73:c5:12:59:67:2d:a5:f2:c7:79:82
Jun 26 15:44:16 wcars99q sshd[8357]: Postponed publickey for root from 192.168.52.2 port 41042 ssh2
Jun 26 15:44:17 wcars99q sshd[8357]: Found matching RSA key: d0:ed:67:be:91:73:c5:12:59:67:2d:a5:f2:c7:79:82
Jun 26 15:44:17 wcars99q sshd[8357]: Accepted publickey for root from 192.168.52.2 port 41042 ssh2

Thanks,
John

--- On Thu, 6/26/08, Darren Tucker <dtucker@xxxxxxxxxx> wrote:

From: Darren Tucker <dtucker@xxxxxxxxxx>
Subject: Re: sshd "none" method authentication
To: "wc wong" <jwc_wong@xxxxxxxxx>
Cc: secureshell@xxxxxxxxxxxxxxxxx
Date: Thursday, June 26, 2008, 11:43 AM
On Thu, Jun 26, 2008 at 07:38:26AM -0700, wc wong wrote:
> I'm using OpenSSH version 4.6p1. I also use the -lbsm flag when running
> configure to enable Solaris 10's BSM.

Are you also using PAM?

> I notice that the none method failure is counted in /etc/shadow as a
> failed login, but the success of the publickey method is not
> decrementing the failed login count in /etc/shadow. Hence resulting in
> the user account eventually being locked after a few ssh logins using
> publickey authentication as described below.
> [...]
> sshd[743]: Failed none for xxxx from a.b.c.d port xxxx ssh2
> I understand that is required as the first step in SSHV2 authentication.

Actually, it's not strictly required but most clients do it.

> [...]
> I wonder if there is any way to skip returning this "none" failure to
> the Solaris OS resulting in the fail login count being incremented.

About "none", the spec says something along the lines of "if the session
requires no further authentication then return success, otherwise return a
list of authentication methods that can continue".

The way OpenSSH's sshd implements this is that it tries a password
authentication with an empty password, and I suspect this is what's
tripping your failure counters. If this is what's happening, you can
prevent this by setting "PermitEmptyPasswords no" in sshd_config.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
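As an added illustration of the authlog excerpt discussed in this thread (example code, not from the list posters or from OpenSSH), the following replays sshd auth lines and keeps a per-user failure counter the way John would like /etc/shadow to behave: the client's initial "Failed none" probe is not counted, and any "Accepted" line, password or publickey, resets the counter. The sample lines are constructed, modelled on the excerpt above; the regular expression assumes the standard sshd "Failed/Accepted <method> for <user> from <ip> port <port>" wording.

```python
import re
from collections import defaultdict

# Constructed sample lines, modelled on the authlog excerpt in the thread.
SAMPLE_LOG = """\
Jun 26 15:44:16 wcars99q sshd[8357]: Failed none for root from 192.168.52.2 port 41042 ssh2
Jun 26 15:44:16 wcars99q sshd[8357]: Found matching RSA key: d0:ed:67:be:91:73:c5:12:59:67:2d:a5:f2:c7:79:82
Jun 26 15:44:16 wcars99q sshd[8357]: Postponed publickey for root from 192.168.52.2 port 41042 ssh2
Jun 26 15:44:17 wcars99q sshd[8357]: Accepted publickey for root from 192.168.52.2 port 41042 ssh2
Jun 26 15:50:01 wcars99q sshd[8400]: Failed none for alice from 192.168.52.7 port 41100 ssh2
Jun 26 15:50:02 wcars99q sshd[8400]: Failed password for alice from 192.168.52.7 port 41100 ssh2
Jun 26 15:50:05 wcars99q sshd[8400]: Failed password for alice from 192.168.52.7 port 41100 ssh2
"""

# Matches the outcome, method, user, source address and port of an sshd auth line.
# "Found matching RSA key" and "Postponed" lines deliberately do not match.
AUTH_RE = re.compile(
    r"sshd\[(\d+)\]: (Failed|Accepted) (\S+) for (?:invalid user )?(\S+) "
    r"from (\S+) port (\d+)"
)


def count_failures(log_text, ignore_none=True):
    """Return {user: consecutive failed attempts} after replaying log_text.

    A "Failed none" line is the client's initial probe for the allowed
    methods, not a real credential failure; with ignore_none=True it is
    skipped. Any "Accepted" line resets that user's counter regardless of
    method, so a successful publickey login clears earlier failures.
    """
    failures = defaultdict(int)
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if not m:
            continue
        _pid, outcome, method, user, _ip, _port = m.groups()
        if outcome == "Accepted":
            failures[user] = 0
        elif method == "none" and ignore_none:
            continue
        else:
            failures[user] += 1
    return dict(failures)


if __name__ == "__main__":
    print("counting none probes:", count_failures(SAMPLE_LOG, ignore_none=False))
    print("ignoring none probes:", count_failures(SAMPLE_LOG))
```

With ignore_none=False the replay shows why the lockout in the thread happens: every connection adds a failure before the real method even runs, so a user who only ever logs in with a key still accumulates them if the success does not reset the count.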