Problem and Patch: Multiple keys in ssh.com V2 agent
Ulrich Kiermayr
uk at ap.univie.ac.at
Thu Nov 30 21:06:13 EST 2000
Hello!
I recently discovered a problem with ssh.com's ssh-agent2 and OpenSSH:
If I have more than one key in my agent, then the agent tries to
authenticate me with every one of them at the OpenSSH server; but none
of them is a valid key for that server. The problem is that the server
increments the authctxt->attempt on every one of those tries. So even if you
want to login with a password at that server, you have to disable the
agent first in order to get that chance. If the agent is running, you run
out of tries _before_ you are able to enter a password.
I have patched a little at auth2.c and auth.h [1], but I am absolutely
not sure if that patch is 100% ok and does not cause any other problems. For
me it works fine :)
The errors in the sshd:
debug1: userauth-request for user XXXXXX service ssh-connection method none
debug1: attempt #1
debug1: Starting up PAM with username "XXXXXX"
Failed none for XXXXXX from XXX.XXX.XXX.XXX port 34257 ssh2
debug1: userauth-request for user XXXXXX service ssh-connection method publickey
debug1: attempt #2
debug1: test whether pkalg/pkblob are acceptable
Failed publickey for XXXXXX from XXX.XXX.XXX.XXX port 34257 ssh2
debug1: userauth-request for user XXXXXX service ssh-connection method publickey
debug1: attempt #3
debug1: test whether pkalg/pkblob are acceptable
Failed publickey for XXXXXX from XXX.XXX.XXX.XXX port 34257 ssh2
debug1: userauth-request for user XXXXXX service ssh-connection method publickey
debug1: attempt #4
debug1: test whether pkalg/pkblob are acceptable
Failed publickey for XXXXXX from XXX.XXX.XXX.XXX port 34257 ssh2
debug1: userauth-request for user XXXXXX service ssh-connection method publickey
debug1: attempt #5
debug1: test whether pkalg/pkblob are acceptable
Failed publickey for XXXXXX from XXX.XXX.XXX.XXX port 34257 ssh2
debug1: userauth-request for user XXXXXX service ssh-connection method none
debug1: attempt #6
Failed none for XXXXXX from XXX.XXX.XXX.XXX port 34257 ssh2
Disconnecting: too many failed userauth_requests
debug1: Calling cleanup 0x12000c640(0x0)
debug1: Calling cleanup 0x120029180(0x0)
For the Record:
Client: ssh: SSH Secure Shell 2.3.0 (non-commercial version) on
i686-pc-linux-gnu
RedHat Linux 6.2 (i386)
Server: sshd version OpenSSH_2.3.0p1
RedHat Linux 6.2 (alpha)
[1] My crude solution is not to increment the counter, if method is
pubkey. I am not sure if this is a good idea, but at least I am able
to log into that machine again without 'ssh-add -L' before. The main
problem is that I have no way of testing that patch under other
platforms than Linux.
P.S.: the same problem occurs if OpenSSH 2.1 under AIX is server.
P.P.S.: If this bug was addressed before, please tell me where to find a
fix and forget the rest :)
LL&P uk
--
---------------------------------------------------------------------------
Ulrich Kiermayr Zentraler Informatikdienst der Universitaet Wien
Security Team Boltzmanngasse 5, A-1090 Vienna, Austria
---------------------------------------------------------------------------
eMail: ulrich.kiermayr at univie.ac.at Tel: (+43 1) 4277 / 14104
Hotline: security.zid at univie.ac.at Fax: (+43 1) 4277 / 9141
Web: http://www.univie.ac.at/zid/security
---------------------------------------------------------------------------
GPG Key fingerprint = BF0D 5749 4DC1 ED74 AB67 7180 105F 491D A8D7 64D8
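Added example (not part of the original mail and not OpenSSH code): a small C model of the per-connection attempt limit the mail describes, replaying the sequence from the log ("none", several rejected publickey requests from the agent, then a password request) under three counting policies. AUTH_FAIL_MAX 6 is the value from the unpatched auth.h; the policy names, PUBKEY_QUERY_MAX and the function names are assumptions made for the model. It shows why the reporter runs out of tries with five agent keys, and that simply exempting publickey (the idea in note [1]) leaves that method with no bound at all, whereas a separate counter keeps the password prompt reachable while still bounding publickey requests.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the per-connection userauth attempt limit, not
 * OpenSSH code. AUTH_FAIL_MAX is the value from the original auth.h;
 * PUBKEY_QUERY_MAX is an assumed cap for the alternative policy. */
#define AUTH_FAIL_MAX     6
#define PUBKEY_QUERY_MAX  10

enum policy {
    COUNT_ALL,           /* 2.3.0p1 as shipped: every request counts */
    EXEMPT_PUBKEY,       /* idea from note [1]: publickey requests never count */
    SEPARATE_PUBKEY_CAP  /* alternative: publickey requests get their own bound */
};

struct authctxt {
    int attempt;          /* requests counted against AUTH_FAIL_MAX */
    int pubkey_attempts;  /* publickey requests, used only by SEPARATE_PUBKEY_CAP */
};

/* Handle one userauth request that is going to fail. Returns 1 if the
 * server disconnects instead of processing it, 0 if it is processed. */
static int userauth_request(struct authctxt *ctx, enum policy p, const char *method)
{
    int is_pubkey = strcmp(method, "publickey") == 0;

    switch (p) {
    case COUNT_ALL:
        /* same shape as the original pre-increment test */
        return ctx->attempt++ >= AUTH_FAIL_MAX;
    case EXEMPT_PUBKEY:
        if (is_pubkey)
            return 0;            /* never counted, so never bounded */
        return ctx->attempt++ >= AUTH_FAIL_MAX;
    case SEPARATE_PUBKEY_CAP:
        if (is_pubkey)
            return ctx->pubkey_attempts++ >= PUBKEY_QUERY_MAX;
        return ctx->attempt++ >= AUTH_FAIL_MAX;
    }
    return 1;
}

/* Replay the connection from the log: "none", then n_keys rejected
 * publickey requests from the agent, then the password request.
 * Returns 1 if the password request is still processed, 0 if the
 * client was disconnected before getting that far. */
int password_prompt_reached(enum policy p, int n_keys)
{
    struct authctxt ctx = { 0, 0 };
    int i;

    if (userauth_request(&ctx, p, "none"))
        return 0;
    for (i = 0; i < n_keys; i++)
        if (userauth_request(&ctx, p, "publickey"))
            return 0;
    return userauth_request(&ctx, p, "password") ? 0 : 1;
}

/* How many publickey requests one connection can make before being
 * disconnected. Returns -1 if no bound is hit within SEARCH_LIMIT,
 * i.e. the policy leaves the method effectively unbounded. */
#define SEARCH_LIMIT 1000
int max_pubkey_requests(enum policy p)
{
    struct authctxt ctx = { 0, 0 };
    int n;

    for (n = 0; n < SEARCH_LIMIT; n++)
        if (userauth_request(&ctx, p, "publickey"))
            return n;
    return -1;
}

int main(void)
{
    printf("5 agent keys, password reached? original=%d exempt=%d separate-cap=%d\n",
           password_prompt_reached(COUNT_ALL, 5),
           password_prompt_reached(EXEMPT_PUBKEY, 5),
           password_prompt_reached(SEPARATE_PUBKEY_CAP, 5));
    printf("publickey requests before disconnect: original=%d exempt=%d separate-cap=%d\n",
           max_pubkey_requests(COUNT_ALL),
           max_pubkey_requests(EXEMPT_PUBKEY),
           max_pubkey_requests(SEPARATE_PUBKEY_CAP));
    return 0;
}
```

With the original policy the sixth counted request (the password one, after "none" plus five keys) is refused, which is the behaviour in the log; the exempt policy fixes that but never disconnects a client that only sends publickey requests; the separate cap fixes the prompt problem while keeping every method bounded.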
diff -ru openssh-2.3.0p1.orig/auth.h openssh-2.3.0p1/auth.h
--- openssh-2.3.0p1.orig/auth.h Thu Nov 30 08:59:39 2000
+++ openssh-2.3.0p1/auth.h Thu Nov 30 10:32:54 2000
@@ -45,8 +45,8 @@
int allowed_user(struct passwd * pw);
struct passwd * auth_get_user(void);
-#define AUTH_FAIL_MAX 6
-#define AUTH_FAIL_LOG (AUTH_FAIL_MAX/2)
+#define AUTH_FAIL_MAX 5
+#define AUTH_FAIL_LOG AUTH_FAIL_MAX
#define AUTH_FAIL_MSG "Too many authentication failures for %.100s"
#endif
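Review bot: the two define changes in auth.h are not explained by the cover message and should be split out or justified: lowering AUTH_FAIL_MAX from 6 to 5 cuts the allowed attempts for every method, not only publickey, and raising AUTH_FAIL_LOG from AUTH_FAIL_MAX/2 to AUTH_FAIL_MAX means any code that compares against AUTH_FAIL_LOG now triggers only on the last allowed attempt instead of the third, so an operator sees less of the repeated-failure logging for the same client. If the 5 is meant to compensate for the disconnect test in auth2.c moving from a pre-increment `>=` check to a post-increment one, say so in the message; otherwise keep `#define AUTH_FAIL_MAX 6` and the old AUTH_FAIL_LOG.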
diff -ru openssh-2.3.0p1.orig/auth2.c openssh-2.3.0p1/auth2.c
--- openssh-2.3.0p1.orig/auth2.c Thu Nov 30 08:59:39 2000
+++ openssh-2.3.0p1/auth2.c Thu Nov 30 10:37:56 2000
@@ -189,21 +189,14 @@
char *user, *service, *method;
int authenticated = 0;
+ authctxt->attempt++;
if (authctxt == NULL)
fatal("input_userauth_request: no authctxt");
- if (authctxt->attempt++ >= AUTH_FAIL_MAX) {
-#ifdef WITH_AIXAUTHENTICATE
- loginfailed(authctxt->user?authctxt->user:"NOUSER",
- get_canonical_hostname(), "ssh");
-#endif /* WITH_AIXAUTHENTICATE */
- packet_disconnect("too many failed userauth_requests");
- }
-
user = packet_get_string(NULL);
service = packet_get_string(NULL);
method = packet_get_string(NULL);
debug("userauth-request for user %s service %s method %s", user, service, method);
- debug("attempt #%d", authctxt->attempt);
+ debug("attempt #%d of %d", authctxt->attempt, AUTH_FAIL_MAX);
if (authctxt->attempt == 1) {
/* setup auth context */
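Review bot: `authctxt->attempt++;` is now executed before the `if (authctxt == NULL) fatal(...)` guard, so a NULL authctxt is dereferenced before the guard can fire; move the increment below the fatal() call. Dropping the early `if (authctxt->attempt++ >= AUTH_FAIL_MAX)` block also means a request past the limit is still fully read (the three packet_get_string() calls) and dispatched to the method handler before the later check runs, so an over-limit client gets a full handler run per request instead of being refused up front; if the check has to move after the method runs, consider keeping a cheap early `if (authctxt->attempt > AUTH_FAIL_MAX) packet_disconnect(...)` here as well.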
@@ -254,6 +247,18 @@
if (authenticated && authctxt->user && !do_pam_account(authctxt->user, NULL))
authenticated = 0;
#endif /* USE_PAM */
+
+ if (authenticated == 0 && authctxt->attempt >= AUTH_FAIL_MAX) {
+#ifdef WITH_AIXAUTHENTICATE
+ loginfailed(authctxt->user?authctxt->user:"NOUSER",
+ get_canonical_hostname(), "ssh");
+#endif /* WITH_AIXAUTHENTICATE */
+ packet_disconnect("too many failed userauth_requests");
+ }
+ if ( strcmp(method,"publickey") == 0 ) {
+ authctxt->attempt--;
+ }
+
/* Log before sending the reply */
userauth_log(authctxt, authenticated, method);
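Review bot: the `authctxt->attempt--` for method "publickey" removes the per-connection bound on that method entirely: a client can send any number of publickey requests on one connection, including the signature-less "test whether pkalg/pkblob are acceptable" queries visible in the log, without ever reaching AUTH_FAIL_MAX, which is exactly the limit that `packet_disconnect("too many failed userauth_requests")` exists to enforce. Prefer a separate, bounded counter for publickey failures (disconnect when it passes its own cap) over exempting the method. The ordering is also inconsistent: the decrement runs after the `authenticated == 0 && authctxt->attempt >= AUTH_FAIL_MAX` check, so a publickey request that arrives when the counter is already at AUTH_FAIL_MAX - 1 still disconnects the client even though the method is meant not to count; do the `strcmp(method, "publickey")` adjustment before the check, or fold it into the condition.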