OpenSSH v6.7 & NumberOfPasswordPrompts Option ...

Trey Henefield trey.henefield at ultra-ats.com
Fri Jan 16 09:54:20 AEDT 2015


Yes, I have tried that option with no difference in behavior. It seems it ignores that option when provided. Just for reference, I am building it on RedHat 5. I have never had this issue on any previous version of OpenSSH. I use the default configuration with only the changes specified in the RHEL 5 STIG applied.

I appreciate the security advice. The root account was indicated simply as an anonymous indicator. I do have PermitRootLogin=no applied. But this same issue is present regardless of the account provided.


Best regards,


Trey Henefield, CISSP
Senior IAVA Engineer

Ultra Electronics
Advanced Tactical Systems, Inc.
4101 Smith School Road
Building IV, Suite 100
Austin, TX 78744 USA

Trey.Henefield at ultra-ats.com
Tel: +1 512 327 6795 ext. 647
Fax: +1 512 327 8043
Mobile: +1 512 541 6450

www.ultra-ats.com

-----Original Message-----
From: Daniel Kahn Gillmor [dkg at fifthhorseman.net]
Received: Thursday, 15 Jan 2015, 4:03PM
To: Trey Henefield [trey.henefield at ultra-ats.com]; Ángel González [keisial at gmail.com]
CC: openssh-unix-dev at mindrot.org [openssh-unix-dev at mindrot.org]
Subject: RE: OpenSSH v6.7 & NumberOfPasswordPrompts Option ...

On Thu 2015-01-15 15:47:33 -0500, Trey Henefield wrote:
> debug3: authmethod_lookup keyboard-interactive
> debug3: remaining preferred: password
> debug3: authmethod_is_enabled keyboard-interactive
> debug1: Next authentication method: keyboard-interactive
> debug2: userauth_kbdint
> debug2: we sent a keyboard-interactive packet, wait for reply
> debug2: input_userauth_info_req
> debug2: input_userauth_info_req: num_prompts 1
> Password:
> debug1: Authentications that can continue: publickey,password,keyboard-interactive
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup password
> debug3: remaining preferred:
> debug3: authmethod_is_enabled password
> debug1: Next authentication method: password
> root at 10.10.2.51's password:
> debug2: we sent a password packet, wait for reply
> debug1: Authentications that can continue: publickey,password,keyboard-interactive
> debug2: we did not send a packet, disable method
> debug1: No more authentication methods to try.
> Permission denied (publickey,password,keyboard-interactive).
>
>
> In the above output, the first prompt is "Password:". The second prompt is "root at 10.10.2.51's password:"

The first prompt is a keyboard-interactive prompt; the second prompt is
the password prompt.  Please try again with
-oKbdInteractiveAuthentication=no

Regards,

        --dkg

PS if possible, you should probably avoid using password authentication
for the root account anyway, but that's a sideline to the issue you're
seeing here.
