openssh-2.5.2p2 takes passwords with PasswordAuthentication no ?


nobody

Apr 13, 2001, 12:24:04 AM
The title says it all.

2.5.2p2 seems to insist on taking passwords if I hit enter at the dsa
key challenge, even with PasswordAuthentication no in the sshd_config
file.

Why should this be true ?

nobody

Apr 13, 2001, 1:01:34 AM
nobody wrote:

> 2.5.2p2 seems to insist on taking passwords if I hit enter at the dsa
> key challenge, even with PasswordAuthentication no in the sshd_config
> file.

To be more precise, if you configure --with-pam, you can't turn off
password authentication. I did not think that this was the case
before.

Does anyone out there know ?

Thanks.

jose

Apr 13, 2001, 10:46:56 AM
nobody wrote:

> To be more precise, if you configure --with-pam, you can't turn off
> password authentication. I did not think that this was the case
> before.

have you configured PAM to allow for other authentications, and disable
password authentication? i'm grabbing at straws here, cuz i don't know
PAM very well.

jose nazario jo...@cwru.edu

Richard E. Silverman

Apr 15, 2001, 9:57:46 PM
>>>>> "nobody" == nobody <nob...@localhost.localdomain> writes:

nobody> nobody wrote:
>> 2.5.2p2 seems to insist on taking passwords if I hit enter at the
>> dsa key challenge, even with PasswordAuthentication no in the
>> sshd_config file.

nobody> To be more precise, if you configure --with-pam, you can't
nobody> turn off password authentication. I did not think that this
nobody> was the case before.

I cannot confirm this. Using OpenSSH-2.5.2p2 under Linux, setting
"PasswordAuthentication no" in sshd_config has the expected effect (the
server does not allow password authentication).

Are you sure you restarted sshd after changing the configuration file?

--
Richard Silverman
sl...@shore.net

nobody

Apr 19, 2001, 8:24:19 PM
"Richard E. Silverman" wrote:

> nobody> To be more precise, if you configure --with-pam, you can't
> nobody> turn off password authentication. I did not think that this
> nobody> was the case before.
>
> I cannot confirm this. Using OpenSSH-2.5.2p2 under Linux, setting
> "PasswordAuthentication no" in sshd_config has the expected effect (the
> server does not allow password authentication).
>
> Are you sure you restarted sshd after changing the configuration file?

Well, I ran the 'sshd.init stop', and then 'sshd.init start' scripts,
but I didn't manually check (ps auxw | grep ssh) to make sure the daemon
was actually killed, so I'll try again. I used:

$ rm config.cache
$ ./configure --prefix=/usr/local/openssh --with-pam --with-ipv4-default --with-4in6
$ make
$ su root -c "make install"

I shut down sshd and confirmed it was not running, then restarted it and
confirmed it was running using the correct config file:

$ ps auxw | grep -i ssh
root 5658 1.0 0.6 1948 880 ? S 16:39 0:01
/usr/local/openssh/sbin/sshd -f /usr/local/openssh/etc/sshd_config

I also checked the contents of the config file:

$ grep -i password /usr/local/openssh/etc/sshd_config
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
PermitEmptyPasswords no
# Uncomment to disable s/key passwords

So let's try to log in, shall we :
$ ssh localhost
Enter passphrase for key '/home/buddy/.ssh/id_dsa': [I hit return]
Password: [I entered my login password]
Last login: Thu Apr 19 15:13:36 2001
$ [I'm in, but I said password no !]

So under RedHat 6.1 + upgrades (including pam-0.72-20.6.x), custom
2.4.0 kernel with openssh-2.5.2p2 STILL gives me a password prompt and
accepts it with 'PasswordAuthentication no'.

In contrast, building without the --with-pam:
$ rm config.cache
$ ./configure --prefix=/usr/local/openssh --with-ipv4-default --with-4in6
$ make
$ su root -c "make install"

Again stopped and started sshd, confirming with ps auxw | grep ssh.
Then tried again:

$ ssh localhost
Enter passphrase for key '/home/buddy/.ssh/id_dsa': [hit return]
Permission denied (publickey,keyboard-interactive).

$ ssh localhost
Enter passphrase for key '/home/buddy/.ssh/id_dsa': [enter passphrase]
Last login: Thu Apr 19 16:43:05 2001 from localhost

Change password to 'yes', stop and restart sshd:

$ ssh localhost
Enter passphrase for key '/home/buddy/.ssh/id_dsa': [hit return]
buddy@localhost's password: [enter password]
Last login: Thu Apr 19 16:53:47 2001 from localhost
$ [password accepted]

But wait, I didn't specify --with-pam, and expected this NOT to work !
(It works with or without an sshd pam file in /etc/pam.d)

Perhaps my pam is all screwed up, or my conception of what the
--with-pam switch is or ought to be doing is wrong, but in any case, I
certainly didn't expect to see a password prompt after setting
'PasswordAuthentication no' in sshd_config, but I do, and I am allowed
to log in.

I have made openssh from a tarball downloaded from Santa Barbara US:

$ md5sum openssh-2.5.2p2.tar.gz
29a2d4d1a506d3adfe86f7a8483858f2 openssh-2.5.2p2.tar.gz
$ gpg --verify openssh-2.5.2p2.tar.gz.sig - < openssh-2.5.2p2.tar.gz
gpg: Signature made Wed Mar 21 21:07:18 2001 PST using DSA key ID 86FF9C48
gpg: Good signature from "Damien Miller (Personal Key) <d...@mindrot.org>"

gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
gpg: Fingerprint: 3981 992A 1523 ABA0 79DB FC66 CE8E CB03 86FF 9C48

Only warnings during compile:

session.c: In function `do_authenticated':
session.c:212: warning: `type' might be used uninitialized in this function
session.c:249: warning: `success' might be used uninitialized in this function

Richard E. Silverman

Apr 20, 2001, 3:47:24 AM

Run the connections with "ssh -v" to see what's really going on; you don't
know where the first "Password:" prompt is really coming from.

--
Richard Silverman
sl...@shore.net

nobody

Apr 24, 2001, 3:19:59 AM
"Richard E. Silverman" wrote:

> Run the connections with "ssh -v" to see what's really going on; you don't
> know where the first "Password:" prompt is really coming from.

Nor do I ultimately care, if it lets me log in with a password ....

Omitting all the initial stuff, after recompiling with --with-pam,
reinstalling, restarting server:

After ssh localhost:

debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue:
publickey,keyboard-interactive
debug1: next auth method to try is publickey
debug1: try privkey: /home/buddy/.ssh/id_rsa
debug1: try pubkey: /home/buddy/.ssh/id_dsa
debug1: input_userauth_pk_ok: pkalg ssh-dss blen 433 lastkey 0x80fda40 hint 2
debug1: PEM_read_PrivateKey failed
debug1: read SSH2 private key done: name <no key> success 0


Enter passphrase for key '/home/buddy/.ssh/id_dsa':

debug1: next auth method to try is keyboard-interactive
Password:
debug1: ssh-userauth2 successful: method keyboard-interactive
debug1: channel 0: new [client-session]
debug1: send channel open 0
debug1: Entering interactive session.
debug1: client_init id 0 arg 0
debug1: channel request 0: shell
debug1: channel 0: open confirm rwindow 0 rmax 16384
Last login: Mon Apr 23 22:07:35 2001

I get the identical debug output r.e. the login after ssh to another
machine, and trying to log back into the machine running the version of
sshd compiled --with-pam. I am certain I got the same response when
trying to directly log into a remote machine running sshd compiled with
the --with-pam switch with PasswordAuthentication no in sshd_config
previously (I'm getting just a bit tired of repeatedly compiling openssh
on 4 different machines).

Yes, the Password: prompt IS coming from different authentication
methods, but what is the difference between password and
keyboard-interactive authentication when they both give a Password
prompt: and allow one to log in with a password ?

Again, with PasswordAuthentication no in sshd_config, but now without
--with-pam:

debug1: read SSH2 private key done: name <no key> success 0
Enter passphrase for key '/home/dlooney/.ssh/id_dsa':
debug1: next auth method to try is keyboard-interactive
debug1: authentications that can continue:
publickey,keyboard-interactive
debug1: authentications that can continue:
publickey,keyboard-interactive
debug1: authentications that can continue:
publickey,keyboard-interactive
debug1: no more auth methods to try
Permission denied (publickey,keyboard-interactive).
debug1: Calling cleanup 0x805ed1c(0x0)

With "PasswordAuthentication yes" then one goes from public to password
authentication, which permits the login.

If openssh's implementation of keyboard-interactive (yes, I know it can
specify different devices, and doesn't have to be synonymous with
password authentication) defaults to authenticating via unix passwords,
then it should pay attention to PasswordAuthentication settings,
shouldn't it ?

I notice that I have #UseLogin no (by default) in sshd_config, but in
sshd man it says that this is never used for remote (but I could log in
via password on remote machines). I see no switch to turn off
"keyboard-interactive" authentication.

As usual I'm confused.

Richard E. Silverman

Apr 24, 2001, 10:49:25 AM

> > Run the connections with "ssh -v" to see what's really going on; you don't
> > know where the first "Password:" prompt is really coming from.
>
> Nor do I ultimately care, if it lets me log in with a password ....

You care for now, as it will help you debug your problem.

> debug1: authentications that can continue:
> publickey,keyboard-interactive
> debug1: next auth method to try is publickey
> debug1: try privkey: /home/buddy/.ssh/id_rsa
> debug1: try pubkey: /home/buddy/.ssh/id_dsa
> debug1: input_userauth_pk_ok: pkalg ssh-dss blen 433 lastkey 0x80fda40 hint 2
> debug1: PEM_read_PrivateKey failed
> debug1: read SSH2 private key done: name <no key> success 0
> Enter passphrase for key '/home/buddy/.ssh/id_dsa':
> debug1: next auth method to try is keyboard-interactive
> Password:
> debug1: ssh-userauth2 successful: method keyboard-interactive

This shows you two things:

- SSH is trying public-key authentication first, and that is failing for
some reason which is not obvious here. sshd sees that your id_dsa key
is in the authorized_keys2 file, but then rejects the connection
anyway. I would check the server side to find out why (look over the
config and syslog messages, run a connection with sshd -d).

- It then goes on to use keyboard-interactive authentication, not
password. That's why setting "PasswordAuthentication no" does not stop
a "Password:" prompt from appearing.

> Yes, the Password: prompt IS coming from different authentication
> methods, but what is the difference between password and
> keyboard-interactive authentication when they both give a Password
> prompt: and allow one to log in with a password ?

Little visible difference from the point of view of the user. A big
difference in terms of what's actually going on inside, which is what you
need to pay attention to when debugging a problem.

> Again, with PasswordAuthentication no in sshd_config, but now without
> --with-pam

And keyboard-interactive authentication fails, since without PAM it can't
verify your password. No big surprise there.

> With "PasswordAuthentication yes" then one goes from public to password
> authentication, which permits the login.

sshd has built-in code to handle password authentication (in some
situations) when compiled without PAM, which applies only to the SSH
"password" authentication method, not "keyboard-interactive" (which might
not use passwords at all).

> If openssh's implementation of keyboard-interactive ... defaults to
> authenticating via unix passwords, then it should pay attention to
> PasswordAuthentication settings, shouldn't it ?

No, it shouldn't; they have nothing to do with one another. It's not the
"OpenSSH implementation of keyboard-interactive" that's defaulting to
using the account password; it's your PAM configuration for sshd. sshd
has no way of knowing what method PAM will use, or whether it will prompt
for a password at all. Suppose you were using S/Key via
keyboard-interactive, and you wanted to use S/Key exclusively and turn off
password authentication. It would not be very sensible or convenient if
"PasswordAuthentication no" turned off S/Key.

> I see no switch to turn off "keyboard-interactive" authentication.

"KbdInteractiveAuthentication no" (it is unfortunately not documented).

--
Richard Silverman
sl...@shore.net
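
A worked check for the gap this exchange turns on, added here as an example (it is not code from the thread or from OpenSSH): it parses an sshd_config, reports whether an account password can still be accepted when PAM-backed keyboard-interactive is left on beside "PasswordAuthentication no", and pulls the winning method out of "ssh -v" output. The parser and the helper names are hypothetical; the config and debug samples are constructed from the lines quoted above.

```python
import re

def parse_sshd_config(text):
    """Map lowercase keyword -> value for active lines; sshd honours the
    first occurrence of a keyword, so later duplicates are ignored."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            conf.setdefault(parts[0].lower(), parts[1].strip())
    return conf

def audit_password_paths(text, built_with_pam):
    """Hypothetical audit: list the ways an account password can still be
    accepted. Keyboard-interactive counts as enabled unless
    KbdInteractiveAuthentication is explicitly 'no' (the thread's default
    config advertised it), and with PAM compiled in it is the PAM stack,
    not sshd, that decides whether that method asks for the password."""
    conf = parse_sshd_config(text)
    findings = []
    if conf.get("passwordauthentication", "yes").lower() != "no":
        findings.append("password method enabled")
    kbd = conf.get("kbdinteractiveauthentication", "yes").lower()
    if built_with_pam and kbd != "no":
        findings.append("keyboard-interactive via PAM may accept the password")
    return findings

def successful_method(ssh_verbose_output):
    """Return the method 'ssh -v' reports as successful, or None."""
    m = re.search(r"ssh-userauth2 successful: method (\S+)", ssh_verbose_output)
    return m.group(1) if m else None

# Constructed sample: the active lines from the thread's grep of sshd_config.
SAMPLE_CONFIG = """\
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
PermitEmptyPasswords no
"""
# Same file plus the undocumented switch Silverman names.
HARDENED_CONFIG = SAMPLE_CONFIG + "KbdInteractiveAuthentication no\n"
# Constructed sample of the client-side debug lines quoted in the thread.
SAMPLE_DEBUG = """\
debug1: next auth method to try is keyboard-interactive
Password:
debug1: ssh-userauth2 successful: method keyboard-interactive
"""
```

Run against the constructed config, the PAM build flags the keyboard-interactive path while the non-PAM build is clean, matching the two outcomes reported in the thread.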


nobody

Apr 25, 2001, 2:14:08 AM
"Richard E. Silverman" wrote:

[r.e. getting a password login prompt with "PasswordAuthentication no"]

> > Nor do I ultimately care, if it lets me log in with a password ....
>
> You care for now, as it will help you debug your problem.

[snip]

> > debug1: next auth method to try is publickey
> > debug1: try privkey: /home/buddy/.ssh/id_rsa
> > debug1: try pubkey: /home/buddy/.ssh/id_dsa
> > debug1: input_userauth_pk_ok: pkalg ssh-dss blen 433 lastkey 0x80fda40 hint 2
> > debug1: PEM_read_PrivateKey failed

[snip]

> - SSH is trying public-key authentication first, and that is failing for
> some reason which is not obvious here.

I just hit return, just to get to the other authentication method(s).

> - It then goes on to use keyboard-interactive authentication, not
> password. That's why setting "PasswordAuthentication no" does not stop
> a "Password:" prompt from appearing.

[ what's the difference between password and keyboard-interactive ? ]

> Little visible difference from the point of view of the user. A big
> difference in terms of what's actually going on inside, which is what you
> need to pay attention to when debugging a problem.

[since when built --with-pam on my linux system, keyboard-interactive
ends up using a password, shouldn't it pay attention to the
PasswordAuthentication setting]

> No, it shouldn't; they have nothing to do with one another. It's not the
> "OpenSSH implementation of keyboard-interactive" that's defaulting to
> using the account password; it's your PAM configuration for sshd. sshd
> has no way of knowing what method PAM will use, or whether it will prompt
> for a password at all. Suppose you were using S/Key via
> keyboard-interactive, and you wanted to use S/Key exclusively and turn off
> password authentication. It would not be very sensible or convenient if
> "PasswordAuthentication no" turned off S/Key.

O.K., this is finally starting to make some sense to me. It would be
helpful, however, if a sentence could be added to the README, which
underscored the fact that, if built with PAM support, depending on how
PAM implemented keyboard interactive authentication on your system,
authentication might still depend only on a system password. While most
who build openssh --with-pam are probably planning to use password
authentication anyway, I suspect many might be surprised, as I was using
the contrib/redhat/sshd.pam, that this can occur.

> > I see no switch to turn off "keyboard-interactive" authentication.
>
> "KbdInteractiveAuthentication no" (it is unfortunately not documented).

Except in servconf.c and readconf.c, of course ! Perhaps this line
should be added to the default sshd_config (commented out) as well.

Thank you very, very much for your time and effort. It is greatly
appreciated.
