OpenSSH v6.7 & NumberOfPasswordPrompts Option ...

Nico Kadel-Garcia nkadel at gmail.com
Fri Jan 16 17:21:42 AEDT 2015


On Thu, Jan 15, 2015 at 5:54 PM, Trey Henefield
<trey.henefield at ultra-ats.com> wrote:
> Yes, I have tried that option with no difference in behavior. It seems it ignores that option when provided. Just for reference, I am building it on RedHat 5. I have never had this issue on any previous version of OpenSSH. I use the default configuration with only the changes specified in the RHEL 5 STIG applied.

RHEL 5 is now 2 major releases behind and was released roughly 7 years
ago. Time to update, I think: there have been a *lot* of significant
security and architecture changes that can affect the toolchain used
to build recent versions of OpenSSH.

> I appreciate the security advice. The root account was indicated simply as an anonymous indicator. I do have PermitRootLogin=no applied. But this same issue is present regardless of the account provided.
>
>
> Best regards,
>
>
> Trey Henefield, CISSP
> Senior IAVA Engineer
>
> Ultra Electronics
> Advanced Tactical Systems, Inc.
> 4101 Smith School Road
> Building IV, Suite 100
> Austin, TX 78744 USA
>
> Trey.Henefield at ultra-ats.com
> Tel: +1 512 327 6795 ext. 647
> Fax: +1 512 327 8043
> Mobile: +1 512 541 6450
>
> www.ultra-ats.com
>
> -----Original Message-----
> From: Daniel Kahn Gillmor [dkg at fifthhorseman.net]
> Received: Thursday, 15 Jan 2015, 4:03PM
> To: Trey Henefield [trey.henefield at ultra-ats.com]; Ángel González [keisial at gmail.com]
> CC: openssh-unix-dev at mindrot.org [openssh-unix-dev at mindrot.org]
> Subject: RE: OpenSSH v6.7 & NumberOfPasswordPrompts Option ...
>
> On Thu 2015-01-15 15:47:33 -0500, Trey Henefield wrote:
>> debug3: authmethod_lookup keyboard-interactive
>> debug3: remaining preferred: password
>> debug3: authmethod_is_enabled keyboard-interactive
>> debug1: Next authentication method: keyboard-interactive
>> debug2: userauth_kbdint
>> debug2: we sent a keyboard-interactive packet, wait for reply
>> debug2: input_userauth_info_req
>> debug2: input_userauth_info_req: num_prompts 1
>> Password:
>> debug1: Authentications that can continue: publickey,password,keyboard-interactive
>> debug2: we did not send a packet, disable method
>> debug3: authmethod_lookup password
>> debug3: remaining preferred:
>> debug3: authmethod_is_enabled password
>> debug1: Next authentication method: password
>> root at 10.10.2.51's password:
>> debug2: we sent a password packet, wait for reply
>> debug1: Authentications that can continue: publickey,password,keyboard-interactive
>> debug2: we did not send a packet, disable method
>> debug1: No more authentication methods to try.
>> Permission denied (publickey,password,keyboard-interactive).
>>
>>
>> In the above output, the first prompt is "Password:". The second prompt is "root at 10.10.2.51's password:"
>
> The first prompt is a keyboard-interactive prompt; the second prompt is
> the password prompt. Please try again with
> -oKbdInteractiveAuthentication=no
>
> Regards,
>
>         --dkg
>
> PS if possible, you should probably avoid using password authentication
> for the root account anyway, but that's a sideline to the issue you're
> seeing here.
>

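The point made in the quoted reply, that the two prompts come from two different authentication methods, can be checked mechanically from a client debug trace. The following is an added example, not code from the thread or from OpenSSH; the trace is a constructed sample modelled on the one quoted above with a placeholder user and host, and treating every non-debug line as a prompt is an assumption of this sketch.

```python
import re

# Constructed sample modelled on the quoted "ssh -vvv" trace
# (user and host are placeholders).
SAMPLE_TRACE = """\
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password:
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
user@host.example's password:
debug2: we sent a password packet, wait for reply
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey,password,keyboard-interactive).
"""

NEXT_METHOD = re.compile(r"^debug1: Next authentication method: (\S+)")
DEBUG_LINE = re.compile(r"^debug\d: ")


def prompts_by_method(trace):
    """Map each authentication method the client tried to the prompts shown under it."""
    result = {}
    current = None
    for line in trace.splitlines():
        match = NEXT_METHOD.match(line)
        if match:
            current = match.group(1)
            result.setdefault(current, [])
        elif current and line.strip() and not DEBUG_LINE.match(line):
            # Assumption: non-debug output while a method is active is a prompt,
            # except the final "Permission denied" verdict.
            if not line.startswith("Permission denied"):
                result[current].append(line.strip())
    return result


if __name__ == "__main__":
    for method, prompts in prompts_by_method(SAMPLE_TRACE).items():
        print(f"{method}: {len(prompts)} prompt(s) {prompts}")
```
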
