OpenSSH v6.7 & NumberOfPasswordPrompts Option ...

Trey Henefield trey.henefield at ultra-ats.com
Wed Jan 21 00:04:40 AEDT 2015


So I have sorted it out now. It turns out that defining "UsePAM yes" was causing the keyboard-interactive mode to occur. The odd thing was that defining "-o KbdInteractiveAuthentication=no" had no effect, although it did not produce an error either, meaning it accepted the parameter provided. In the end, I was able to keep the UsePAM option and remove the keyboard-interactive prompt by explicitly defining the authentication methods with "-o PreferredAuthentications=password".

Best regards,
 

Trey Henefield, CISSP
Senior IAVA Engineer

Ultra Electronics
Advanced Tactical Systems, Inc.
4101 Smith School Road
Building IV, Suite 100
Austin, TX 78744 USA

Trey.Henefield at ultra-ats.com
Tel: +1 512 327 6795 ext. 647
Fax: +1 512 327 8043
Mobile: +1 512 541 6450

www.ultra-ats.com

-----Original Message-----
From: Nico Kadel-Garcia [mailto:nkadel at gmail.com] 
Sent: Friday, January 16, 2015 12:22 AM
To: Trey Henefield
Cc: keisial at gmail.com; dkg at fifthhorseman.net; openssh-unix-dev at mindrot.org
Subject: Re: OpenSSH v6.7 & NumberOfPasswordPrompts Option ...

On Thu, Jan 15, 2015 at 5:54 PM, Trey Henefield <trey.henefield at ultra-ats.com> wrote:
> Yes, I have tried that option with no difference in behavior. It seems it ignores that option when provided. Just for reference, I am building it on RedHat 5. I have never had this issue on any previous version of OpenSSH. I use the default configuration with only the changes specified in the RHEL 5 STIG applied.

RHEL 5 is now 2 major releases behind and was released roughly 7 years ago. Time to update, I think; there have been a *lot* of significant security and architecture changes that can affect the toolchain used to build recent versions of OpenSSH.

> I appreciate the security advice. The root account was indicated simply as an anonymous indicator. I do have PermitRootLogin=no applied. But this same issue is present regardless of the account provided.
>
> -----Original Message-----
> From: Daniel Kahn Gillmor [dkg at fifthhorseman.net]
> Received: Thursday, 15 Jan 2015, 4:03PM
> To: Trey Henefield [trey.henefield at ultra-ats.com]; Ángel González [keisial at gmail.com]
> CC: openssh-unix-dev at mindrot.org [openssh-unix-dev at mindrot.org]
> Subject: RE: OpenSSH v6.7 & NumberOfPasswordPrompts Option ...
>
> On Thu 2015-01-15 15:47:33 -0500, Trey Henefield wrote:
>> debug3: authmethod_lookup keyboard-interactive
>> debug3: remaining preferred: password
>> debug3: authmethod_is_enabled keyboard-interactive
>> debug1: Next authentication method: keyboard-interactive
>> debug2: userauth_kbdint
>> debug2: we sent a keyboard-interactive packet, wait for reply
>> debug2: input_userauth_info_req
>> debug2: input_userauth_info_req: num_prompts 1
>> Password:
>> debug1: Authentications that can continue: publickey,password,keyboard-interactive
>> debug2: we did not send a packet, disable method
>> debug3: authmethod_lookup password
>> debug3: remaining preferred:
>> debug3: authmethod_is_enabled password
>> debug1: Next authentication method: password
>> root at 10.10.2.51's password:
>> debug2: we sent a password packet, wait for reply
>> debug1: Authentications that can continue: publickey,password,keyboard-interactive
>> debug2: we did not send a packet, disable method
>> debug1: No more authentication methods to try.
>> Permission denied (publickey,password,keyboard-interactive).
>>
>>
>> In the above output, the first prompt is "Password:". The second prompt is "root at 10.10.2.51's password:"
>
> The first prompt is a keyboard-interactive prompt; the second prompt 
> is the password prompt.  please try again with 
> -oKbdInteractiveAuthentication=no
>
> Regards,
>
>         --dkg
>
> PS if possible, you should probably avoid using password 
> authentication for the root account anyway, but that's a sideline to 
> the issue you're seeing here.
>

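Added example, not part of the original thread: a small shell helper that reads a saved terminal transcript of an `ssh -vvv` session and attributes each prompt to the authentication method that was active when it appeared, which is how the extra "Password:" prompt above is traced to keyboard-interactive rather than password. The function names and the sample transcript (modelled on the debug output quoted in the thread, with a placeholder user and host) are assumptions for illustration.

```shell
#!/bin/sh
# Constructed sample transcript, modelled on the debug output in the thread.
sample_log() {
cat <<'EOF'
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug1: Next authentication method: keyboard-interactive
debug2: input_userauth_info_req: num_prompts 1
Password:
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
user@host.example's password:
debug2: we sent a password packet, wait for reply
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: No more authentication methods to try.
EOF
}

# Print, in order, every authentication method the client attempted.
methods_tried() {
    sed -n 's/^debug1: Next authentication method: //p'
}

# Print "method<TAB>prompt" for each prompt in the transcript. A prompt is a
# non-debug line ending in ":"; it belongs to the most recently announced method.
prompts_by_method() {
    awk '
        /^debug1: Next authentication method: / { method = $NF; next }
        /^debug[0-9]: / { next }
        /:[[:space:]]*$/ && method != "" { printf "%s\t%s\n", method, $0 }
    '
}

# List methods other than "password" that produced a prompt. Any output means
# NumberOfPasswordPrompts alone does not bound the prompts the user sees; the
# thread resolved this with -o PreferredAuthentications=password.
non_password_prompts() {
    prompts_by_method | awk -F '\t' '$1 != "password" { print $1 }' | sort -u
}
```

Run it as `non_password_prompts < transcript.txt`, where `transcript.txt` is the session text copied from the terminal.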

