Re: sshd "none" method authentication

Thanks Darren.

Yes, we are using PAM.

I'll try "PermitEmptyPasswords no" to see if it can resolve the failure count issue.

One more problem, I found is that when I use authentication by password, though the failure count incremented by one with the none-method, the count is reset with the success of the password authentication. This is not the case when I use publickey authentication, the count is not reset with the success of the publickey authentication.

With BSM enabled, the authlog shows:
Jun 26 15:44:16 wcars99q sshd[8357]: Failed none for root from port 41042 ssh2
Jun 26 15:44:16 wcars99q sshd[8357]: Found matching RSA key: d0:ed:67:be:91:73:c5:12:59:67:2d:a5:f2:c7:79:82
Jun 26 15:44:16 wcars99q sshd[8357]: Postponed publickey for root from port 41042 ssh2
Jun 26 15:44:17 wcars99q sshd[8357]: Found matching RSA key: d0:ed:67:be:91:73:c5:12:59:67:2d:a5:f2:c7:79:82
Jun 26 15:44:17 wcars99q sshd[8357]: Accepted publickey for root from port 41042 ssh2


--- On Thu, 6/26/08, Darren Tucker <dtucker@xxxxxxxxxx> wrote:

From: Darren Tucker <dtucker@xxxxxxxxxx>
Subject: Re: sshd "none" method authentication
To: "wc wong" <jwc_wong@xxxxxxxxx>
Cc: secureshell@xxxxxxxxxxxxxxxxx
Date: Thursday, June 26, 2008, 11:43 AM
On Thu, Jun 26, 2008 at 07:38:26AM -0700, wc wong wrote:
I'm using OpenSSH version 4.6p1. I also use -lbsm
flag when running
configure to enable Solaris 10's BSM.

Are you also using PAM?

I notice that the none method failure is counted in
as a failed login, but the successful of the publickey
method is
not decrementing the failed login count in
/etc/shadow. Hence
resulting in the user account eventually being locked
with a few
ssh using publickey authentication as described below.
sshd[743]: Failed none for xxxx from a.b.c.d port xxxx
I understand that is required as the first step in
SSHV2 authentication.

Actually, it's not strictly required but most clients
do it.

I wonder if there is any way to skip returning this
"none" failure to
the Solaris OS resulting in the fail login count being

About "none", the spec says something along the
lines of "if the
sessions requires no further authentication the return
otherwise return a list of authentication methods that can

The way OpenSSH's sshd implements this is that it tries
a passsword
authentication with an empty password, and I suspect this
is what's
tripping your failure counters. If this is what's
happening, You
can prevent this by setting "PermitEmptyPasswords
no" in sshd_config.

Darren Tucker (dtucker at
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7
8FF4 FA69
Good judgement comes with experience. Unfortunately,
the experience
usually comes from bad judgement.

Relevant Pages

  • RE: SSH with OpenSSH and Putty - Please Help!
    ... It looks like your config file doesn't state exactly which file needs to be ... you may need to truss sshd or run sshd in debug foreground mode ... Then test and see if your key-based authentication works. ... Event Log: No supported authentications offered. ...
  • Re: sshd
    ... # RSA and DSA keys for protocol v2 are created by /etc/init.d/sshd if they ... # if you wish to restrict the interfaces sshd listens on for a multi homed host. ... # Banner to be printed before authentication starts. ... # Note that the client may also be sending keep alive messages to the server. ...
  • Re: Password Protocols.
    ... And just wait until you see what they do after 3 failed authentication ... If engineered properly such a failure mode will not be possible. ... correctly identifies YOUR iris pattern as not matching the authorized ... users of *my* bank account, ...
  • Re: OpenSSH and pam_krb5
    ... > with GSSAPI and PAM authentication. ... this data is present in a separate process (the "authentication ... application (ie sshd). ...
  • Re: openssh / cygwin : public key authentication
    ... The sshd is launch by user "a" which exist in W2000 and the association is ... When I use public key authentication from a remote host to this one as ... The system account does of course own that user rights by default. ... RSA authentication anyway. ...