Richard E. Silverman
August 9, 2003, 12:52 am
You don't say what SSH software you're using. However, the quoted debug
messages indicate you're talking about OpenSSH on the server, so I'll
The OpenSSH server always attempts authentication with a null password,
which it takes as a sign that no authentication is needed for the account
in question. It does this as soon as the authentication process begins,
in both protocols, and not in response to any "real" authentication request
from the client (although it does happen in response to the "none" request
in protocol 2). OpenSSH will only allow such access if the sshd_config
flag PermitEmptyPassword is set; unfortunately, the way the code is
written, it performs the password test in any case, and thus shows up to
PAM as a failure.
I consider this a bug: there's no need for this failure to be flagged to
the sysadmin, and OpenSSH should avoid testing the null password if
PermitEmptyPassword is false. Of course, such a failure *should* be
reported if it happens in response to an actual password authentication
request from the client.
There's no option to change this; you'll have to hack the code.
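The practical consequence of the behaviour described in this post is that a log-driven failed-login counter should not treat a "Failed none" line like a "Failed password" line, because the former is the server's own probe (allowed only when the sshd_config option, spelled PermitEmptyPasswords, is enabled) and not a client supplying a wrong password. The following is an added example written for this page, not code from the original post or from OpenSSH: it parses OpenSSH's "Failed <method> for ..." syslog lines and counts only real failures. The log lines are constructed sample data; the hostnames, timestamps and addresses are assumptions.

```python
"""Classify OpenSSH "Failed ..." syslog lines so that a failed-login counter
only advances on real authentication failures, not on the "none" probe that
sshd issues itself at the start of every authentication."""
import re
from collections import Counter

# OpenSSH logs failures as:
#   Failed <method> for [invalid user ]<user> from <host> port <port> <proto>
FAILED_RE = re.compile(
    r"Failed (?P<method>\S+) for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<host>\S+) port (?P<port>\d+) (?P<proto>ssh\d?)"
)

# Constructed sample log, not real data. "host", addresses and times are assumptions.
SAMPLE_LOG = """\
Aug  9 00:41:02 host sshd[1234]: Failed none for alice from 192.0.2.10 port 51234 ssh2
Aug  9 00:41:03 host sshd[1234]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2
Aug  9 00:42:17 host sshd[1240]: Failed none for bob from 198.51.100.7 port 40001 ssh2
Aug  9 00:42:19 host sshd[1240]: Failed password for bob from 198.51.100.7 port 40001 ssh2
Aug  9 00:42:22 host sshd[1240]: Failed password for bob from 198.51.100.7 port 40001 ssh2
Aug  9 00:43:00 host sshd[1251]: Failed password for invalid user admin from 203.0.113.5 port 2222 ssh2
"""


def parse_failed(line):
    """Return a dict describing a 'Failed ...' line, or None for any other line."""
    m = FAILED_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["invalid"] = rec["invalid"] is not None  # True when the account does not exist
    rec["port"] = int(rec["port"])
    return rec


def count_all_failures(log_text):
    """Naive counter: every 'Failed' line advances the count for (host, user).
    This is the behaviour the thread complains about, since the server's own
    'none' probe is counted as if the client had sent a bad password."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_failed(line)
        if rec is not None:
            counts[(rec["host"], rec["user"])] += 1
    return counts


def count_real_failures(log_text):
    """Counter that ignores method 'none'. Only methods where the client actually
    supplied a credential (password, publickey, keyboard-interactive, ...) count."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_failed(line)
        if rec is None or rec["method"] == "none":
            continue
        counts[(rec["host"], rec["user"])] += 1
    return counts


if __name__ == "__main__":
    print("naive:", dict(count_all_failures(SAMPLE_LOG)))
    print("real: ", dict(count_real_failures(SAMPLE_LOG)))
```

In the sample, alice's only "failure" is the none probe that precedes her successful public-key login, so the naive counter penalises her while the filtered one does not; bob's two password failures and the attempt against the non-existent "admin" account still count.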
Re: SSH "failed none" syslog entries causing Linux failed login counter to advance.
[snip discussion of "none" auth and trying to login with no password]
There has been some discussion about leaking information (i.e. the system
responds differently if the account doesn't exist, or you get the
password right but aren't allowed to log on).
I'm not sure either way; I just know that 3.6.1p2 isn't right no matter
which side of the argument you take.
There's a patch attached to the Debian bug for this, near the bottom.
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.