Issue With SSHD Password Guesses

Iain Morgan imorgan at nas.nasa.gov
Wed Mar 5 06:46:43 EST 2014


On Tue, Mar 04, 2014 at 08:39:01 +0000, Prashanth Nayanagari -X (pnayanag - HCL TECHNOLOGIES LIMITED at Cisco) wrote:
> Hi,
> 
> Initially when we do ssh from Cisco IOS Router to my linux machine, we used to see only one password prompt, even though we configured number of password prompts in Linux machine to 3.

For OpenSSH, the server does not specifically constrain the number of
password authentication attempts. MaxAuthTries (default is 6) is the
maximum number of authentication attempts (of any sort) per connection.
Normally, the number of password prompts is configured on the client,
not the server. So, how did you attempt to do this? Or, do you really
mean that you were connecting from the Linux box to the Cisco router?

> So, to overcome this issue, someone changed the values in sshd_config file in openssh-3.5pl.

Wow, OpenSSH 3.5p1 is __ancient__! It dates from October, 2002; a _lot_
has changed since then.

> Before Fix
> 
> #ChallengeResponseAuthentication yes
> #PAMAuthenticationViaKbdInt no
> 
> After Fix
> 
> ChallengeResponseAuthentication no
> PAMAuthenticationViaKbdInt no
> 
> So, after this when we do ssh from IOS Router, the number of password prompts got increased, means if we configure 1 in linux device, the number of password prompts for wrong password seen is 2. And if we configure 2, the number of password prompts for wrong password seen is 3.
> 
> So, can you please help me, why the Linux machine is behaving like this.
> We are using openssh-3.5 and ssh version 2.
> 
> Thanks in advance.
> 

To make sure that I am understanding you correctly, initially you were
getting just one password prompt, but after editing the sshd_config you
get one more prompt than you expected. Is that correct?

Are all the prompts identical? It would help to see a sample of how you
are being prompted. Also, what precisely was changed to try to adjust
the number of password prompts on the server side?

Finally, I feel compelled to recommend that you upgrade OpenSSH to a
more recent version. Aside from the various security enhancements and
bug fixes that have been incorporated over the past decade, it would be
much easier to give useful advice for a version that those on the list
have more recent experience with.

-- 
Iain Morgan


More information about the openssh-unix-dev mailing list