Re: SSH permits root-Logins with wrong password
On Wed, Jun 16, 2004 at 05:43:32PM +0200, Frank Niedermann wrote:

snip

> If I try to use 'x' as wrong password, ssh won't let me in:
> [EMAIL PROTECTED]'s password:
> Permission denied (publickey,password,keyboard-interactive).
> Just as I would expect it.
>
> If I use a longer or similar password as the real root password,
> ssh will let me log in, example:
> real root password = linux4me - success :)
> fake root password = fun4linux - success! :(
>
> The ssh package version:
> ii ssh 3.8p1-3 Secure rlogin/rsh/rcp replacement (OpenSSH)
>
> Any idea about that behavior?

Do you have public keys installed on that server? If you have a key with one password which is different from root's password on that machine, it can explain this behavior.

HTH.

--
Hamilton Coutinho | panic(Aarggh: attempting to free lock with
[EMAIL PROTECTED] | active wait queue - shoot Andy);
Porto Alegre - RS - Brasil | 2.0.38 /usr/src/linux/fs/locks.c

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
SSH permits root-Logins with wrong password
Hello,

I have a Debian testing server on my network with OpenSSH running. If I try to log in as root but with wrong password I get the following:

    [EMAIL PROTECTED] deniedfr $ ssh [EMAIL PROTECTED]
    Password: wrong password here
    Password: the same wrong password
    Password: the same wrong password
    [EMAIL PROTECTED]'s password: the same wrong password
    Last login: Wed Jun 16 17:03:11 2004 from dettnb80.tt.de.ifm
    dettlx18:~# uname -a
    Linux dettlx18 2.4.18-bf2.4 #1 Son Apr 14 09:53:28 CEST 2002 i686 GNU/Linux
    dettlx18:~#

The /var/log/auth.log:

    sshd[1335]: (pam_securetty) access denied: tty 'ssh' is not secure !
    sshd[1335]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=dettnb80.tt.de.ifm user=root
    sshd[1333]: error: PAM: Authentication failure
    sshd[1336]: (pam_securetty) access denied: tty 'ssh' is not secure !
    sshd[1336]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=dettnb80.tt.de.ifm user=root
    sshd[1333]: error: PAM: Authentication failure
    sshd[1337]: (pam_securetty) access denied: tty 'ssh' is not secure !
    sshd[1337]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=dettnb80.tt.de.ifm user=root
    sshd[1333]: error: PAM: Authentication failure
    sshd[1333]: Failed keyboard-interactive/pam for root from 172.16.15.80 port 32896 ssh2
    sshd[1333]: Accepted password for root from 172.16.15.80 port 32896 ssh2
    sshd[1338]: (pam_unix) session opened for user root by root(uid=0)

If I try to use 'x' as wrong password, ssh won't let me in:

    [EMAIL PROTECTED]'s password:
    Permission denied (publickey,password,keyboard-interactive).

Just as I would expect it.

If I use a longer or similar password as the real root password, ssh will let me log in, example:

    real root password = linux4me - success :)
    fake root password = fun4linux - success! :(

The ssh package version:

    ii ssh 3.8p1-3 Secure rlogin/rsh/rcp replacement (OpenSSH)

Any idea about that behavior?

Regards,
Frank
--
Mail: [EMAIL PROTECTED]
XMPP: [EMAIL PROTECTED]
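Added example, not part of the original thread: the auth.log excerpt from the post above run through a small triage script. It groups sshd verdicts per connection and reports any login that was accepted after earlier failures; on these lines it shows the accept coming from the `password` method after `keyboard-interactive/pam` had failed. The function name `triage` and the record fields are this example's own.

```python
import re
from collections import defaultdict

# auth.log lines copied from the post above (no syslog timestamp prefix there).
AUTH_LOG = """\
sshd[1335]: (pam_securetty) access denied: tty 'ssh' is not secure !
sshd[1335]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=dettnb80.tt.de.ifm user=root
sshd[1333]: error: PAM: Authentication failure
sshd[1336]: (pam_securetty) access denied: tty 'ssh' is not secure !
sshd[1336]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=dettnb80.tt.de.ifm user=root
sshd[1333]: error: PAM: Authentication failure
sshd[1337]: (pam_securetty) access denied: tty 'ssh' is not secure !
sshd[1337]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=dettnb80.tt.de.ifm user=root
sshd[1333]: error: PAM: Authentication failure
sshd[1333]: Failed keyboard-interactive/pam for root from 172.16.15.80 port 32896 ssh2
sshd[1333]: Accepted password for root from 172.16.15.80 port 32896 ssh2
sshd[1338]: (pam_unix) session opened for user root by root(uid=0)
"""

RESULT = re.compile(r"sshd\[(?P<pid>\d+)\]: (?P<verdict>Failed|Accepted) (?P<method>\S+) "
                    r"for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")
PAM_ERR = re.compile(r"sshd\[(?P<pid>\d+)\]: error: PAM: Authentication failure")


def triage(log_text):
    """Return connections where a login was accepted after earlier failures."""
    conns = {}                     # (pid, ip, port) -> per-connection record
    pam_errors = defaultdict(int)  # sshd pid -> PAM failures it has reported so far
    for line in log_text.splitlines():
        if (m := PAM_ERR.search(line)):
            pam_errors[m["pid"]] += 1
        elif (m := RESULT.search(line)):
            key = (m["pid"], m["ip"], m["port"])
            rec = conns.setdefault(key, {"user": m["user"], "source": m["ip"],
                                         "failed": [], "accepted": None})
            if m["verdict"] == "Failed":
                rec["failed"].append(m["method"])
            elif rec["accepted"] is None:
                rec["accepted"] = m["method"]
                # PAM errors this pid logged before the accept belong to this login.
                rec["pam_failures"] = pam_errors[m["pid"]]
    return [r for r in conns.values()
            if r["accepted"] and (r["failed"] or r.get("pam_failures"))]


if __name__ == "__main__":
    for hit in triage(AUTH_LOG):
        print(hit)
```

An accept whose method differs from the methods that failed on the same connection is the detail to carry into a review of the sshd and PAM configuration.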
Re: SSH permits root-Logins with wrong password
I tried to duplicate this on a sid box and a sarge box (that hasn't been upgraded for awhile). I couldn't duplicate your results.

The sid box has

    ii ssh3.8.1p1-4 Secure rlogin/rsh/rcp replacement (OpenSSH

and the sarge box has

    ii ssh3.6.1p2-3 Secure rlogin/rsh/rcp replacement (OpenSSH)

Sarge box:

    [EMAIL PROTECTED]:~$ ssh -l root 10.224.112.121
    [EMAIL PROTECTED]'s password:
    Permission denied, please try again.
    [EMAIL PROTECTED]'s password:
    Permission denied, please try again.
    [EMAIL PROTECTED]'s password:
    Permission denied (publickey).
    [EMAIL PROTECTED]:~$

Sid box:

    [EMAIL PROTECTED]:~$ ssh -l root 66.122.133.154
    Password:
    Password:
    Password:
    [EMAIL PROTECTED]'s password:
    Permission denied, please try again.
    [EMAIL PROTECTED]'s password:
    Permission denied, please try again.
    [EMAIL PROTECTED]'s password:
    Permission denied (publickey,password,keyboard-interactive).
    [EMAIL PROTECTED]:~$

On Wed, 2004-06-16 at 08:43, Frank Niedermann wrote:

> Hello,
>
> I have a Debian testing server on my network with OpenSSH running.
> If I try to log in as root but with wrong password I get the following:
>
> [EMAIL PROTECTED] deniedfr $ ssh [EMAIL PROTECTED]
> Password: wrong password here
> Password: the same wrong password
> Password: the same wrong password
> [EMAIL PROTECTED]'s password: the same wrong password
> Last login: Wed Jun 16 17:03:11 2004 from dettnb80.tt.de.ifm
> dettlx18:~# uname -a
> Linux dettlx18 2.4.18-bf2.4 #1 Son Apr 14 09:53:28 CEST 2002 i686 GNU/Linux
> dettlx18:~#
>
> The /var/log/auth.log:
>
> sshd[1335]: (pam_securetty) access denied: tty 'ssh' is not secure !
> sshd[1335]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=dettnb80.tt.de.ifm user=root
> sshd[1333]: error: PAM: Authentication failure
> sshd[1336]: (pam_securetty) access denied: tty 'ssh' is not secure !
> sshd[1336]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=dettnb80.tt.de.ifm user=root
> sshd[1333]: error: PAM: Authentication failure
> sshd[1337]: (pam_securetty) access denied: tty 'ssh' is not secure !
> sshd[1337]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=dettnb80.tt.de.ifm user=root
> sshd[1333]: error: PAM: Authentication failure
> sshd[1333]: Failed keyboard-interactive/pam for root from 172.16.15.80 port 32896 ssh2
> sshd[1333]: Accepted password for root from 172.16.15.80 port 32896 ssh2
> sshd[1338]: (pam_unix) session opened for user root by root(uid=0)
>
> If I try to use 'x' as wrong password, ssh won't let me in:
> [EMAIL PROTECTED]'s password:
> Permission denied (publickey,password,keyboard-interactive).
> Just as I would expect it.
>
> If I use a longer or similar password as the real root password,
> ssh will let me log in, example:
> real root password = linux4me - success :)
> fake root password = fun4linux - success! :(
>
> The ssh package version:
> ii ssh 3.8p1-3 Secure rlogin/rsh/rcp replacement (OpenSSH)
>
> Any idea about that behavior?
>
> Regards,
> Frank
> --
> Mail: [EMAIL PROTECTED]
> XMPP: [EMAIL PROTECTED]
Re: SSH permits root-Logins with wrong password
On Wed, 16 Jun 2004 10:35:33 Patrick Lane [EMAIL PROTECTED] wrote:

>> I have a Debian testing server on my network with OpenSSH running.
>> If I try to log in as root but with wrong password I get access...
>
> tried to duplicate this on a sid box and a sarge box (that hasn't been
> upgraded for awhile). I couldn't duplicate your results.

I think my results are so strange because the wrong password contains parts of the right password. As I said, if I try to log in with 'x' as password I get the same results as you described.

> The sid box has
> ii ssh3.8.1p1-4 Secure rlogin/rsh/rcp replacement

I've done an upgrade to the testing packages today after my posting to the list but ssh still is in version 3.8p1-3 ... I'll update the ssh package to unstable tomorrow at work and hope the problem will be gone but how can we be sure that there is no general issue about this version of sshd?

Does it make sense to you to see my sshd-config? Or could this be a misconfigured pam or something like this?

Regards,
Frank
--
Mail: [EMAIL PROTECTED]
XMPP: [EMAIL PROTECTED]
Re: SSH permits root-Logins with wrong password
On Wed, 16 Jun 2004, Frank Niedermann wrote:

> On Wed, 16 Jun 2004 10:35:33 Patrick Lane [EMAIL PROTECTED] wrote:
>
>>> I have a Debian testing server on my network with OpenSSH running.
>>> If I try to log in as root but with wrong password I get access...
>>
>> tried to duplicate this on a sid box and a sarge box (that hasn't been
>> upgraded for awhile). I couldn't duplicate your results.
>
> I think my results are so strange because the wrong password contains
> parts of the right password. As I said, if I try to log in with 'x' as
> password I get the same results as you described.

Quick questions: (1) how long is the password?; and (2) is the variation you're trying at the end? some hash techniques limit password length and truncate the string after that point, so if you're changing or appending a character after that point you would get the behavior you describe.

--
Andrew J Perrin - http://www.unc.edu/~aperrin
Assistant Professor of Sociology, U of North Carolina, Chapel Hill
[EMAIL PROTECTED] * andrew_perrin (at) unc.edu
Re: SSH permits root-Logins with wrong password
On 2004-06-16 at 16:02:59, Andrew Perrin wrote:

>> I have a Debian testing server on my network with OpenSSH running.
>> If I try to log in as root but with wrong password I get access...
>
> Quick questions: (1) how long is the password?; and (2) is the
> variation you're trying at the end?

(1) password is 8 chars long
(2) no it's not, example:
    correct password: one4two
    wrong password: three4one

> some hash techniques limit password length and truncate the string
> after that point, so if you're changing or appending a character after
> that point you would get the behavior you describe.

this case does not apply with the two passwords used.

Regards,
Frank
--
Mail: [EMAIL PROTECTED]
XMPP: [EMAIL PROTECTED]
Re: SSH permits root-Logins with wrong password
I hate to ask, but: have you checked the MD5 sum for sshd? For the PAM library?

--
Carl Fink [EMAIL PROTECTED]
Jabootu's Minister of Proofreading
http://www.jabootu.com
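Added example, not part of the original thread: one way to run the check asked about above, comparing files on disk with a dpkg-style md5sums manifest. It assumes the `<md5>  <relative path>` line format used under /var/lib/dpkg/info/ and the `ssh` package name from the thread; `md5_of` and `verify_manifest` are names made up for this example.

```python
import hashlib
import os


def md5_of(path, chunk=1 << 16):
    """MD5 of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_manifest(manifest_path, root="/", only=None):
    """Check files against a dpkg-style md5sums manifest.

    Each manifest line is '<md5 hex>  <path relative to root>'.
    Returns {relative path: 'ok' | 'MISMATCH' | 'missing'}.
    """
    results = {}
    with open(manifest_path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            expected, _, rel = line.rstrip("\n").partition("  ")
            if not rel or (only and rel not in only):
                continue
            path = os.path.join(root, rel)
            if not os.path.isfile(path):
                results[rel] = "missing"
            elif md5_of(path) == expected.lower():
                results[rel] = "ok"
            else:
                results[rel] = "MISMATCH"
    return results


if __name__ == "__main__":
    # Assumed location: manifest of the 'ssh' package named in the thread.
    manifest = "/var/lib/dpkg/info/ssh.md5sums"
    if os.path.exists(manifest):
        for rel, status in verify_manifest(manifest, only={"usr/sbin/sshd"}).items():
            print(status, rel)
```

A manifest stored on the host under suspicion can have been altered along with the binary, so pass one extracted from a known-good copy of the package where possible.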