OpenSSH 2.9p2 with PAMAuthenticationViaKbdInt

Matthew Melvin matthewm at webcentral.com.au
Wed Jun 27 09:59:37 EST 2001


When using PAM to do password authentication the attempt/failure counter
appears to be getting confused.  This is using a rh62 system with the
openssh-2.9p2-1 rpms...

On the client side...

[matthewm at toadhall (7) matthewm]$ grep Auth /etc/ssh/ssh_config
RhostsAuthentication no
RhostsRSAAuthentication no
HostbasedAuthentication no
RSAAuthentication no
PubkeyAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
KbdInteractiveAuthentication yes
PreferredAuthentications publickey,keyboard-interactive,password
[matthewm at toadhall (7) matthewm]$ ssh -v localhost
OpenSSH_2.9p2, SSH protocols 1.5/2.0, OpenSSL 0x0090581f
[...]
debug1: Connecting to localhost [127.0.0.1] port 22.
[...]
debug1: Connection established.
[...]
debug1: Remote protocol version 1.99, remote software version OpenSSH_2.9p2
debug1: match: OpenSSH_2.9p2 pat ^OpenSSH
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_2.9p2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
[...]
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: publickey,keyboard-interactive
debug1: next auth method to try is publickey
debug1: userauth_pubkey_agent: testing agent key /home/matthewm/.ssh/id_dsa
debug1: authentications that can continue: publickey,keyboard-interactive
debug1: try privkey: /home/matthewm/.ssh/identity
debug1: try pubkey: /home/matthewm/.ssh/id_dsa
debug1: authentications that can continue: publickey,keyboard-interactive
debug1: try privkey: /home/matthewm/.ssh/id_rsa
debug1: next auth method to try is keyboard-interactive
Password:
debug1: authentications that can continue: publickey,keyboard-interactive
Password:
Received disconnect from 127.0.0.1: 2: too many failed userauth_requests
debug1: Calling cleanup 0x8061918(0x0)
[matthewm at toadhall (7) matthewm]$

... and on the server side for the same session...

[root at toadhall (19) ssh]# grep Auth /etc/ssh/sshd_config
RhostsAuthentication no
RhostsRSAAuthentication no
HostbasedAuthentication no
RSAAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
KbdInteractiveAuthentication yes
PAMAuthenticationViaKbdInt yes
[root at toadhall (19) ssh]# sshd -ddd
debug1: Seeding random number generator
debug1: sshd version OpenSSH_2.9p2
[...]
Connection from 127.0.0.1 port 2911
debug1: Client protocol version 2.0; client software version OpenSSH_2.9p2
debug1: match: OpenSSH_2.9p2 pat ^OpenSSH
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-1.99-OpenSSH_2.9p2
debug1: Rhosts Authentication disabled, originating port not trusted.
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
[...]
debug1: KEX done
debug1: userauth-request for user matthewm service ssh-connection method
none
debug1: attempt 0 failures 0
debug2: input_userauth_request: setting up authctxt for matthewm
debug1: Starting up PAM with username "matthewm"
debug3: Trying to reverse map address 127.0.0.1.
debug1: PAM setting rhost to "localhost"
debug2: input_userauth_request: try method none
Failed none for matthewm from 127.0.0.1 port 2911 ssh2
debug1: userauth-request for user matthewm service ssh-connection method
publickey
debug1: attempt 1 failures 1
debug2: input_userauth_request: try method publickey
debug1: test whether pkalg/pkblob are acceptable
debug1: temporarily_use_uid: 500/500 (e=0)
debug1: restore_uid
debug2: userauth_pubkey: authenticated 0 pkalg ssh-dss
Failed publickey for matthewm from 127.0.0.1 port 2911 ssh2
debug1: userauth-request for user matthewm service ssh-connection method
publickey
debug1: attempt 2 failures 2
debug2: input_userauth_request: try method publickey
debug1: test whether pkalg/pkblob are acceptable
debug1: temporarily_use_uid: 500/500 (e=0)
debug1: restore_uid
debug2: userauth_pubkey: authenticated 0 pkalg ssh-dss
Failed publickey for matthewm from 127.0.0.1 port 2911 ssh2
debug1: userauth-request for user matthewm service ssh-connection method
keyboard-interactive
debug1: attempt 3 failures 3
debug2: input_userauth_request: try method keyboard-interactive
debug1: keyboard-interactive language  devs
debug1: got 1 responses
Failed keyboard-interactive for matthewm from 127.0.0.1 port 2911 ssh2
debug1: userauth-request for user matthewm service ssh-connection method
keyboard-interactive
debug1: attempt 5 failures 4
debug2: input_userauth_request: try method keyboard-interactive
debug1: keyboard-interactive language  devs
Disconnecting: too many failed userauth_requests
debug1: Calling cleanup 0x8051e50(0x0)
debug1: Calling cleanup 0x8065218(0x0)
[root at toadhall (19) ssh]#

So for one incorrect password the attempt/failure count goes from...

debug1: attempt 3 failures 3

... to...

debug1: attempt 5 failures 4

... and the session is disconnected after entering the second password
regardless of whether it is the correct password or not.  Also it is
disconnecting because of too many requests, not too many failures, which
doesn't seem right, does it?

Looking at the source it seems authctxt->attempt++ is being incremented
twice, once in auth2.c:input_userauth_request() and again in
auth2-pam.c:input_userauth_info_response_pam().

Attached is a patch that fixed these symptoms for me.  Attempt/failure are
incremented one at a time, the last password prompt is no longer ignored, and
the client is only disconnected after 6 (AUTH_FAIL_MAX) failures not after 6
attempts.  I am not completely certain this behaviour matches the original
intent so YMMV...

M.

-- 
WebCentral Pty Ltd           Australia's #1 Internet Web Hosting Company
Level 1, 96 Lytton Road.           Network Operations - Systems Engineer
PO Box 4169, East Brisbane.                       phone: +61 7 3249 2500
Queensland, Australia.                            pgp key id: 0x900E515F
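
Added example, not part of the original post and not OpenSSH source: a simplified C model of the two counters that replays the session in the debug log above, first with the original check in the PAM response handler and then with the patched one. The struct, function names and replay loop are assumptions made for illustration; only AUTH_FAIL_MAX = 6, the double increment and the two forms of the check come from the post.

```c
#include <stdio.h>

#define AUTH_FAIL_MAX 6              /* value stated in the post */

struct authctxt { int attempt; int failures; };   /* hypothetical model */

/* Models auth2.c:input_userauth_request(): every request bumps attempt. */
static void on_request(struct authctxt *a) { a->attempt++; }

/* Models the limit check in the PAM info-response handler.
 * fixed == 0: original check, which bumps attempt a second time.
 * fixed != 0: patched check, which looks at failures only.
 * Returns 1 if the server disconnects before evaluating the password. */
static int on_pam_response(struct authctxt *a, int fixed)
{
    if (fixed)
        return a->failures >= AUTH_FAIL_MAX;
    return a->attempt++ >= AUTH_FAIL_MAX;
}

/* Replays the logged session: "none" plus two publickey requests fail,
 * then the user keeps typing wrong passwords.  Returns how many password
 * responses were actually evaluated before the disconnect. */
static int passwords_evaluated(int fixed)
{
    struct authctxt a = {0, 0};
    int evaluated = 0;

    for (int i = 0; i < 3; i++) {    /* none, publickey, publickey */
        on_request(&a);
        a.failures++;
    }
    for (;;) {
        on_request(&a);              /* keyboard-interactive request */
        if (on_pam_response(&a, fixed))
            return evaluated;        /* disconnected, password ignored */
        evaluated++;
        a.failures++;                /* constructed input: always wrong */
    }
}

int main(void)
{
    printf("original check: %d password(s) evaluated\n", passwords_evaluated(0));
    printf("patched check:  %d password(s) evaluated\n", passwords_evaluated(1));
    return 0;
}
```

With the original check the second password is never evaluated, matching the jump from "attempt 3 failures 3" to "attempt 5 failures 4" in the server log; with the patched check the disconnect comes only once failures reaches AUTH_FAIL_MAX.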



-------------- next part --------------
--- auth2-pam.c.orig	Wed Jun 27 09:43:43 2001
+++ auth2-pam.c	Wed Jun 27 09:44:54 2001
@@ -137,8 +137,8 @@
 	if (authctxt == NULL)
 		fatal("input_userauth_info_response_pam: no authentication context");
 
-	if (authctxt->attempt++ >= AUTH_FAIL_MAX)
-		packet_disconnect("too many failed userauth_requests");
+	if (authctxt->failures >= AUTH_FAIL_MAX)
+		packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
 
 	nresp = packet_get_int();	/* Number of responses. */
 	debug("got %d responses", nresp);
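
Review bot: The replacement check at the top of input_userauth_info_response_pam() passes AUTH_FAIL_MSG to packet_disconnect() as a format string with authctxt->user as its argument, but neither the macro's definition nor the header that provides it is visible in this hunk. Please confirm that auth2-pam.c already includes the header defining AUTH_FAIL_MSG and that the macro takes exactly one %s. Also, with authctxt->attempt++ removed, this handler no longer bounds the number of responses itself; the limit now depends on authctxt->failures being incremented elsewhere for every failed PAM response, so a short comment at the check pointing to where that increment happens would make the bound easier to audit.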

