auth*.c

Markus Friedl markus at openbsd.org
Thu Jan 3 23:15:36 EST 2002


it's not called because the client decices to close the connection.


On Wed, Jan 02, 2002 at 03:49:08PM -0600, mandar at webchat.chatsystems.com wrote:
> 
> Markus - here's the debug snippet I put in (note the debug2 line). It
> _never_ gets displayed when the server runs in debug, the reason being
> authctxt-> failures doesn't exceed AUTH_FAIL_MAX.
> 
> Interestingly enough on this system, the number of times the methods were
> tried were different - none (authctxt->failures==0), keyboard-interactive
> (1), password (2), password (3), password (4)...five attempts in all. The
> last time I compiled openssh on a different aix box, it ran 7 attempts
> (0-6).
> 
> Haven't dug into the source to figure out what defines the order and
> reptitions for each method. In any case, what I was figuring to do was add
> a catch-all i.e. if _all_ methods have been tried and failed, increment
> unsuccessful login count - I'm assuming that was the intent of the
> original code.  #2 of course was individual increments for the password
> method failures.
> 
> - Mandar
> 
> 
>  debug2("userauth_finish: authctxt->failures = %d", authctxt->failures);
>                 if (authctxt->failures++ > AUTH_FAIL_MAX) {
>                         debug2("userauth_finish: authctxt->failures is %d
> and exceeds max!", authctxt->failures);
> #ifdef WITH_AIXAUTHENTICATE
>                         loginfailed(authctxt->user,
> get_canonical_hostname(options.reverse_mapping_check),"ssh");
> #endif /* WITH_AIXAUTHENTICATE */
>                         packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
>                 }
> 
> 
> On the client:
> ===============
> 
> bigdog:/suptools/bin # lssec -f /etc/security/lastlog -a
> unsuccessful_login_count -s tuser
> tuser unsuccessful_login_count=0
> 
> bigdog:/usr/src/openssh-3.0.2p1 #./ssh -l tuser -p 9900 localhost
> tuser at localhost's password:
> Permission denied, please try again.
> tuser at localhost's password:
> Permission denied, please try again.
> tuser at localhost's password:
> Permission denied (publickey,password,keyboard-interactive).
> 
> bigdog:/usr/src/openssh-3.0.2p1 #lssec -f /etc/security/lastlog -a
> unsuccessful_login_count -s tuser
> tuser unsuccessful_login_count=0
> 
> 
> On the server:
> ===============
> debug1: Server will not fork when running in debugging mode.
> Connection from 127.0.0.1 port 39415
> debug1: Client protocol version 2.0; client software version
> OpenSSH_3.0.2p1
> debug1: match: OpenSSH_3.0.2p1 pat ^OpenSSH
> Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-1.99-OpenSSH_3.0.2p1
> debug1: Rhosts Authentication disabled, originating port 39415 not
> trusted.
> debug1: list_hostkey_types: ssh-dss
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug2: kex_parse_kexinit:
> diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ssh-dss
> debug2: kex_parse_kexinit:
> aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se
> debug2: kex_parse_kexinit:
> aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se
> debug2: kex_parse_kexinit:
> hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit:
> hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: none,zlib
> debug2: kex_parse_kexinit: none,zlib
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: kex_parse_kexinit:
> diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> debug2: kex_parse_kexinit:
> aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se
> debug2: kex_parse_kexinit:
> aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se
> debug2: kex_parse_kexinit:
> hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit:
> hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: none
> debug2: kex_parse_kexinit: none
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: mac_init: found hmac-md5
> debug1: kex: client->server aes128-cbc hmac-md5 none
> debug2: mac_init: found hmac-md5
> debug1: kex: server->client aes128-cbc hmac-md5 none
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
> debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
> debug1: dh_gen_key: priv key bits set: 131/256
> debug1: bits set: 993/2049
> debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
> debug1: bits set: 1036/2049
> debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
> debug1: kex_derive_keys
> debug1: newkeys: mode 1
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: waiting for SSH2_MSG_NEWKEYS
> debug1: newkeys: mode 0
> debug1: SSH2_MSG_NEWKEYS received
> debug1: KEX done
> debug1: userauth-request for user tuser service ssh-connection method none
> debug1: attempt 0 failures 0
> debug2: input_userauth_request: setting up authctxt for tuser
> debug2: input_userauth_request: try method none
> Failed none for tuser from 127.0.0.1 port 39415 ssh2
> debug2: userauth_finish: authctxt->failures = 0
> debug1: userauth-request for user tuser service ssh-connection method
> keyboard-interactive
> debug1: attempt 1 failures 1
> debug2: input_userauth_request: try method keyboard-interactive
> debug1: keyboard-interactive devs
> debug1: auth2_challenge: user=tuser devs=
> debug1: kbdint_alloc: devices ''
> debug2: auth2_challenge_start: devices
> Failed keyboard-interactive for tuser from 127.0.0.1 port 39415 ssh2
> debug2: userauth_finish: authctxt->failures = 1
> debug1: userauth-request for user tuser service ssh-connection method
> password
> debug1: attempt 2 failures 2
> debug2: input_userauth_request: try method password
> Failed password for tuser from 127.0.0.1 port 39415 ssh2
> debug2: userauth_finish: authctxt->failures = 2
> debug1: userauth-request for user tuser service ssh-connection method
> password
> debug1: attempt 3 failures 3
> debug2: input_userauth_request: try method password
> Failed password for tuser from 127.0.0.1 port 39415 ssh2
> debug2: userauth_finish: authctxt->failures = 3
> debug1: userauth-request for user tuser service ssh-connection method
> password
> debug1: attempt 4 failures 4
> debug2: input_userauth_request: try method password
> Failed password for tuser from 127.0.0.1 port 39415 ssh2
> debug2: userauth_finish: authctxt->failures = 4
> Connection closed by 127.0.0.1
> debug1: Calling cleanup 0x20011bac(0x0)
> debug1: Calling cleanup 0x20011d28(0x0)
> debug1: writing PRNG seed to file //.ssh/prng_seed
> 
> 
> 
> On Thu, 27 Dec 2001, Markus Friedl wrote:
> 
> > Date: Thu, 27 Dec 2001 13:01:30 +0100
> > From: Markus Friedl <markus at openbsd.org>
> > To: mandar at webchat.chatsystems.com
> > Cc: openssh-unix-dev at mindrot.org
> > Subject: Re: auth*.c
> >
> > On Tue, Dec 25, 2001 at 06:34:36PM -0600, mandar at webchat.chatsystems.com wrote:
> > > Folks,
> > >
> > > During testing, we found a couple of issues with openssh3.0.2p1:
> > >
> > > 1. In userauth_finish() in auth2.c (as well as in do_authloop in auth1.c),
> > > the foll. check:
> > >
> > >   if (authctxt->failures++ > AUTH_FAIL_MAX)
> > >
> > > is never satisfied and thus packet_disconnect() never gets called. I
> > > suspect the code just drops out of the dispatch_run function list instead.
> > > This should be an == instead of >. While looking at the debug output
> > > when deliberately entering wrong passwords, I noticed one try for none,
> > > three for password, and then three for keyboard-interactive, at which point
> > > authctxt->failures is 6, and then the loop completes.
> >
> > sorry, i don't understand.
> >
> 



More information about the openssh-unix-dev mailing list