[Bug 2475] Login failure when PasswordAuthentication, ChallengeResponseAuthentication, and PermitEmptyPasswords are all enabled

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Wed May 23 06:01:00 AEST 2018


https://bugzilla.mindrot.org/show_bug.cgi?id=2475

Paul Kapp <paullkapp at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |paullkapp at gmail.com

--- Comment #4 from Paul Kapp <paullkapp at gmail.com> ---
Adding to this bug, since it seems related (PAM set_cred error seems to
match). Likely another set of steps to reproduce.

Observed on various platforms with various OpenSSH versions, with
server configured with PasswordAuthentication=yes, UsePAM=yes,
ChallengeResponseAuthentication=yes.

When the client fails password authentication, and progresses to
keyboard-interactive (ChallengeResponse), there seems to be some
tainted state in the PAM module that causes the server to abruptly drop
the transport connection very soon after acknowledging the (successful)
authentication.

With server configuration options as above (allowing
PasswordAuthencation and keyboard-interactive), run "ssh localhost -o
NumberOfPasswordPrompts=1 -o
PreferredAuthentications=password,keyboard-interactive -v " to
reproduce. An empty password on the first (password) attempt will not
result in reproducing the error, but any non-blank incorrect password
that causes the followup keyboard-interactive attempt (using correct
password) triggers the failure:

---
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue:
publickey,password,keyboard-interactive
debug1: Next authentication method: password
paul at localhost's password: 
debug1: Authentications that can continue:
publickey,password,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
Password: 
debug1: Authentication succeeded (keyboard-interactive).
Authenticated to localhost ([::1]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions at openssh.com
debug1: Entering interactive session.
debug1: pledge: network
packet_write_wait: Connection to ::1 port 22: Broken pipe
---

Also note, reversing the client preferred order (failing the
keyboard-interactive attempt, then enter the correct password on the
password authentication attempt) does not result in abrupt disconnect.
The scenario seems to strictly be a password failed followed by
keyboard-interactive success.

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.


More information about the openssh-bugs mailing list