auth*.c

mandar at webchat.chatsystems.com
Thu Jan 3 08:49:08 EST 2002


Markus - here's the debug snippet I put in (note the debug2 line). It
_never_ gets displayed when the server runs in debug, the reason being
authctxt->failures doesn't exceed AUTH_FAIL_MAX.

Interestingly enough on this system, the number of times the methods were
tried were different - none (authctxt->failures==0), keyboard-interactive
(1), password (2), password (3), password (4)...five attempts in all. The
last time I compiled openssh on a different aix box, it ran 7 attempts
(0-6).

Haven't dug into the source to figure out what defines the order and
repetitions for each method. In any case, what I was figuring to do was add
a catch-all i.e. if _all_ methods have been tried and failed, increment
unsuccessful login count - I'm assuming that was the intent of the
original code.  #2 of course was individual increments for the password
method failures.

- Mandar


        debug2("userauth_finish: authctxt->failures = %d", authctxt->failures);
        /* post-increment: the value compared against AUTH_FAIL_MAX is the
         * old one, so failures must already be AUTH_FAIL_MAX + 1 to get here */
        if (authctxt->failures++ > AUTH_FAIL_MAX) {
                debug2("userauth_finish: authctxt->failures is %d and exceeds max!",
                    authctxt->failures);
#ifdef WITH_AIXAUTHENTICATE
                /* only reached on disconnect, never for an individual failure */
                loginfailed(authctxt->user,
                    get_canonical_hostname(options.reverse_mapping_check), "ssh");
#endif /* WITH_AIXAUTHENTICATE */
                packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
        }


On the client:
===============

bigdog:/suptools/bin # lssec -f /etc/security/lastlog -a unsuccessful_login_count -s tuser
tuser unsuccessful_login_count=0

bigdog:/usr/src/openssh-3.0.2p1 #./ssh -l tuser -p 9900 localhost
tuser@localhost's password:
Permission denied, please try again.
tuser@localhost's password:
Permission denied, please try again.
tuser@localhost's password:
Permission denied (publickey,password,keyboard-interactive).

bigdog:/usr/src/openssh-3.0.2p1 #lssec -f /etc/security/lastlog -a unsuccessful_login_count -s tuser
tuser unsuccessful_login_count=0


On the server:
===============
debug1: Server will not fork when running in debugging mode.
Connection from 127.0.0.1 port 39415
debug1: Client protocol version 2.0; client software version OpenSSH_3.0.2p1
debug1: match: OpenSSH_3.0.2p1 pat ^OpenSSH
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-1.99-OpenSSH_3.0.2p1
debug1: Rhosts Authentication disabled, originating port 39415 not trusted.
debug1: list_hostkey_types: ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: dh_gen_key: priv key bits set: 131/256
debug1: bits set: 993/2049
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: bits set: 1036/2049
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user tuser service ssh-connection method none
debug1: attempt 0 failures 0
debug2: input_userauth_request: setting up authctxt for tuser
debug2: input_userauth_request: try method none
Failed none for tuser from 127.0.0.1 port 39415 ssh2
debug2: userauth_finish: authctxt->failures = 0
debug1: userauth-request for user tuser service ssh-connection method keyboard-interactive
debug1: attempt 1 failures 1
debug2: input_userauth_request: try method keyboard-interactive
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=tuser devs=
debug1: kbdint_alloc: devices ''
debug2: auth2_challenge_start: devices
Failed keyboard-interactive for tuser from 127.0.0.1 port 39415 ssh2
debug2: userauth_finish: authctxt->failures = 1
debug1: userauth-request for user tuser service ssh-connection method password
debug1: attempt 2 failures 2
debug2: input_userauth_request: try method password
Failed password for tuser from 127.0.0.1 port 39415 ssh2
debug2: userauth_finish: authctxt->failures = 2
debug1: userauth-request for user tuser service ssh-connection method password
debug1: attempt 3 failures 3
debug2: input_userauth_request: try method password
Failed password for tuser from 127.0.0.1 port 39415 ssh2
debug2: userauth_finish: authctxt->failures = 3
debug1: userauth-request for user tuser service ssh-connection method password
debug1: attempt 4 failures 4
debug2: input_userauth_request: try method password
Failed password for tuser from 127.0.0.1 port 39415 ssh2
debug2: userauth_finish: authctxt->failures = 4
Connection closed by 127.0.0.1
debug1: Calling cleanup 0x20011bac(0x0)
debug1: Calling cleanup 0x20011d28(0x0)
debug1: writing PRNG seed to file //.ssh/prng_seed



On Thu, 27 Dec 2001, Markus Friedl wrote:

> Date: Thu, 27 Dec 2001 13:01:30 +0100
> From: Markus Friedl <markus at openbsd.org>
> To: mandar at webchat.chatsystems.com
> Cc: openssh-unix-dev at mindrot.org
> Subject: Re: auth*.c
>
> On Tue, Dec 25, 2001 at 06:34:36PM -0600, mandar at webchat.chatsystems.com wrote:
> > Folks,
> >
> > During testing, we found a couple of issues with openssh3.0.2p1:
> >
> > 1. In userauth_finish() in auth2.c (as well as in do_authloop in auth1.c),
> > the foll. check:
> >
> >   if (authctxt->failures++ > AUTH_FAIL_MAX)
> >
> > is never satisfied and thus packet_disconnect() never gets called. I
> > suspect the code just drops out of the dispatch_run function list instead.
> > This should be an == instead of >. While looking at the debug output
> > when deliberately entering wrong passwords, I noticed one try for none,
> > three for password, and then three for keyboard-interactive, at which point
> > authctxt->failures is 6, and then the loop completes.
>
> sorry, i don't understand.
>
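The following is an added, stand-alone model of the failure counter discussed in this thread; it is not OpenSSH code and not part of either mail. It replays the method sequences observed above (five attempts on this AIX box, seven on the other one, both constructed from the posts' debug output) through the `failures++ > AUTH_FAIL_MAX` check exactly as quoted, next to the `==` variant proposed in the first mail and a `>=` variant, and reports at which attempt `packet_disconnect()` would fire and how often the AIX `loginfailed()` hook would run. The value `AUTH_FAIL_MAX = 6` is an assumption made for the model (it matches the "7 attempts (0-6)" mentioned above); the `count_password_failures` switch models Mandar's item #2, bumping the lockout counter on every failed password attempt rather than only at disconnect.

```c
/*
 * Added example, not OpenSSH code: a model of the authctxt->failures check
 * in the userauth_finish() snippet quoted in this post.
 * AUTH_FAIL_MAX = 6 is an assumption; the method sequences are constructed
 * from the debug output in the thread.
 */
#include <stdio.h>
#include <string.h>

#define AUTH_FAIL_MAX 6          /* assumed value for the model */

/* The comparison variants discussed in the thread. */
enum cmp { CMP_GT, CMP_EQ, CMP_GE };

struct sim {
    int failures;           /* final value of authctxt->failures */
    int disconnect_at;      /* 1-based attempt that hit packet_disconnect(), 0 if never */
    int loginfailed_calls;  /* times the WITH_AIXAUTHENTICATE loginfailed() hook would run */
};

static int limit_reached(enum cmp how, int old_value)
{
    switch (how) {
    case CMP_GT: return old_value > AUTH_FAIL_MAX;   /* as in the quoted code */
    case CMP_EQ: return old_value == AUTH_FAIL_MAX;  /* proposed in the first mail */
    case CMP_GE: return old_value >= AUTH_FAIL_MAX;  /* same trip point, tolerant of skips */
    }
    return 0;
}

/*
 * Replay a sequence of failed userauth methods through the check.
 * count_password_failures models Mandar's item #2: count every failed
 * password attempt against the OS lockout counter, not only the disconnect.
 */
static struct sim replay(const char *const methods[], int n, enum cmp how,
                         int count_password_failures)
{
    struct sim s = {0, 0, 0};
    for (int i = 0; i < n; i++) {
        if (count_password_failures && strcmp(methods[i], "password") == 0)
            s.loginfailed_calls++;
        int old_value = s.failures++;       /* post-increment: the OLD value is compared */
        if (limit_reached(how, old_value)) {
            s.loginfailed_calls++;          /* the #ifdef WITH_AIXAUTHENTICATE branch */
            s.disconnect_at = i + 1;
            break;                          /* packet_disconnect() ends the session */
        }
    }
    return s;
}

/* Constructed from the server debug log in this post: five attempts, failures 0..4. */
static const char *const OBSERVED_AIX[] = {
    "none", "keyboard-interactive", "password", "password", "password"
};
#define OBSERVED_AIX_N 5

/* Constructed from the first mail's description: seven attempts, failures 0..6. */
static const char *const OBSERVED_SEVEN[] = {
    "none", "password", "password", "password",
    "keyboard-interactive", "keyboard-interactive", "keyboard-interactive"
};
#define OBSERVED_SEVEN_N 7

/* Smallest number of consecutive failures that trips a given variant. */
static int attempts_to_disconnect(enum cmp how)
{
    const char *const pw[] = { "password", "password", "password", "password",
                               "password", "password", "password", "password",
                               "password", "password" };
    return replay(pw, 10, how, 0).disconnect_at;
}

int main(void)
{
    const char *names[] = { "failures++ > MAX", "failures++ == MAX", "failures++ >= MAX" };
    for (enum cmp how = CMP_GT; how <= CMP_GE; how++) {
        struct sim a = replay(OBSERVED_AIX, OBSERVED_AIX_N, how, 0);
        struct sim b = replay(OBSERVED_SEVEN, OBSERVED_SEVEN_N, how, 0);
        printf("%-18s 5 attempts: disconnect at %d, 7 attempts: disconnect at %d, "
               "minimum failures to disconnect: %d\n",
               names[how], a.disconnect_at, b.disconnect_at, attempts_to_disconnect(how));
    }
    struct sim c = replay(OBSERVED_AIX, OBSERVED_AIX_N, CMP_GT, 1);
    printf("per-password counting on the 5-attempt run: loginfailed() called %d times\n",
           c.loginfailed_calls);
    return 0;
}
```

With the quoted `>` comparison, the disconnect branch needs eight consecutive failures before it runs, so neither the five-attempt nor the seven-attempt client session reaches it and the AIX counter stays at 0, which is what the two `lssec` readings above show. The `==` and `>=` variants trip on the seventh attempt; counting each password failure separately is the only variant that moves the lockout counter for a client that gives up after its three password prompts.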



