OpenSSH v6.7 & NumberOfPasswordPrompts Option ...

Trey Henefield trey.henefield at ultra-ats.com
Fri Jan 16 07:47:33 AEDT 2015


So it appears that I am getting a keyboard-interactive prompt and then a password prompt.

Here is the output of the requested command:

ssh -vvv -o NumberOfPasswordPrompts=1 -t root@10.10.2.51

OpenSSH_6.7p1, OpenSSL 1.0.1k-fips 8 Jan 2015
debug1: Reading configuration data /cygdrive/c/progra~1/OpenSSH/etc/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to 10.10.2.51 [10.10.2.51] port 22.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file /.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.7
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.7
debug1: match: OpenSSH_6.7 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug3: load_hostkeys: loading entries for host "10.10.2.51" from file "/.ssh/known_hosts"
debug3: load_hostkeys: found key type ED25519 in file /.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys
debug3: order_hostkeyalgs: prefer hostkeyalgs: ssh-ed25519-cert-v01@openssh.com,ssh-ed25519
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-ed25519-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,ssh-ed25519
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-sha1
debug2: kex_parse_kexinit: hmac-sha1
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: setup hmac-sha1
debug1: kex: server->client aes128-ctr hmac-sha1 none
debug2: mac_setup: setup hmac-sha1
debug1: kex: client->server aes128-ctr hmac-sha1 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ED25519 17:99:91:c2:9d:f4:9a:6c:b3:ab:50:c5:e8:eb:a3:70

debug3: load_hostkeys: loading entries for host "10.10.2.51" from file "/.ssh/known_hosts"
debug3: load_hostkeys: found key type ED25519 in file /.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys
debug1: Host '10.10.2.51' is known and matches the ED25519 host key.
debug1: Found key in /.ssh/known_hosts:1
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /.ssh/id_rsa (0x0),
debug2: key: /.ssh/id_dsa (0x0),
debug2: key: /.ssh/id_ecdsa (0x0),
debug2: key: /.ssh/id_ed25519 (0x0),
debug3: input_userauth_banner
You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
- The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
- At any time, the USG may inspect and seize data stored on this IS.
- Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
- This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy.
- Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug3: start over, passed a different list publickey,password,keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /.ssh/id_rsa
debug3: no such identity: /.ssh/id_rsa: No such file or directory
debug1: Trying private key: /.ssh/id_dsa
debug3: no such identity: /.ssh/id_dsa: No such file or directory
debug1: Trying private key: /.ssh/id_ecdsa
debug3: no such identity: /.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /.ssh/id_ed25519
debug3: no such identity: /.ssh/id_ed25519: No such file or directory
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password:
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred:
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
root@10.10.2.51's password:
debug2: we sent a password packet, wait for reply
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey,password,keyboard-interactive).


In the above output, the first prompt is "Password:". The second prompt is "root@10.10.2.51's password:".


Best regards,
 

Trey Henefield, CISSP
Senior IAVA Engineer

Ultra Electronics
Advanced Tactical Systems, Inc.
4101 Smith School Road
Building IV, Suite 100
Austin, TX 78744 USA

Trey.Henefield at ultra-ats.com
Tel: +1 512 327 6795 ext. 647
Fax: +1 512 327 8043
Mobile: +1 512 541 6450

www.ultra-ats.com

-----Original Message-----
From: Ángel González [mailto:keisial at gmail.com] 
Sent: Thursday, January 15, 2015 1:28 PM
To: Trey Henefield
Cc: openssh-unix-dev at mindrot.org
Subject: Re: OpenSSH v6.7 & NumberOfPasswordPrompts Option ...

On 15/01/15 16:29, Trey Henefield wrote:
> Greetings,
>
> I discovered an issue in the latest version of SSH, where the number of password prompts are doubled. If I specify 1, I get 2, and so on.

NumberOfPasswordPrompts is a client option. And it is working fine here on 6.7p1:

Running ssh -vvv -o NumberOfPasswordPrompts=1 testmachine, I only get asked for a password once, then disconnect.

Could you send us the output of such command on your tests?
(there isn't anything specially sensitive there, but feel free to obscure any data you don't feel comfortable sharing, such as your username, host name or key ids...)


Note that at the server side, the option is called MaxAuthTries, and works differently, counting authentication attempts of any kind.
> For OpenSSH, the server does not specifically constrain the number of 
> pasword authentication attempts. MaxAuthTries (default is 6) is the 
> maximum number of authentication attempts (of any sort) per connection.
-- Ian Morgan last February on "Issue With SSHD Password Guesses" thread
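The two prompts in Trey's transcript come from two different client methods, keyboard-interactive first and then password, and the quickest way to confirm that in any such log is to attribute each prompt to the method that was active when it appeared. The script below is an added example, not code from this thread or from OpenSSH; SAMPLE_LOG is a constructed excerpt modelled on the transcript above, and the PreferredAuthentications suggestion is the standard client option for leaving keyboard-interactive out of the method list.

```python
"""Attribute each interactive prompt in an `ssh -vvv` transcript to the client
auth method active when it appeared (added example; not code from the thread)."""
import re

# Constructed excerpt modelled on the transcript in the thread, not the real one.
SAMPLE_LOG = """\
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug2: we did not send a packet, disable method
debug1: Next authentication method: keyboard-interactive
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req: num_prompts 1
Password:
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: password
root@10.10.2.51's password:
debug2: we sent a password packet, wait for reply
debug1: No more authentication methods to try.
Permission denied (publickey,password,keyboard-interactive).
"""

METHOD_RE = re.compile(r"^debug1: Next authentication method: (\S+)$")
ATTEMPT_RE = re.compile(r"^debug2: we sent a (\S+) packet, wait for reply$")
# A prompt is a non-debug line ending in "password:" (banner lines never do).
PROMPT_RE = re.compile(r"^(?!debug\d:).*[Pp]assword:$")


def prompts_by_method(log):
    """Return ({method: [prompt lines]}, number of auth packets actually sent).

    The second value is the kind of per-connection attempt that the server-side
    MaxAuthTries counts; the per-method lists show which client method prompted."""
    current, prompts, attempts = None, {}, 0
    for line in log.splitlines():
        m = METHOD_RE.match(line)
        if m:
            current = m.group(1)
        elif ATTEMPT_RE.match(line):
            attempts += 1
        elif PROMPT_RE.match(line):
            prompts.setdefault(current, []).append(line)
    return prompts, attempts


def suggested_client_options(prompts):
    """If both prompting methods fired, skipping keyboard-interactive leaves one prompt."""
    if "keyboard-interactive" in prompts and "password" in prompts:
        return ["PreferredAuthentications=publickey,password"]
    return []
```

Run it over a real `ssh -vvv` capture to see the same split: one prompt under keyboard-interactive, one under password, two attempts counted.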

Disclaimer
The information contained in this communication from trey.henefield at ultra-ats.com sent at 2015-01-15 15:47:41 is confidential and may be legally privileged.
It is intended solely for use by openssh-unix-dev at mindrot.org and others authorized to receive it. If you are not openssh-unix-dev at mindrot.org you are hereby notified that
any disclosure, copying, distribution or taking action in reliance of the contents of this information is strictly prohibited and may be unlawful.


