bugzilla-daemon at mindrot.org
2014-Mar-14 23:31 UTC
[Bug 2211] New: Too many hostbased authentication attempts
https://bugzilla.mindrot.org/show_bug.cgi?id=2211

Bug ID: 2211
Summary: Too many hostbased authentication attempts
Product: Portable OpenSSH
Version: 6.5p1
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: imorgan at nas.nasa.gov

With the addition of support for host keys using ECDSA and ed25519, the number of authentication attempts used by hostbased authentication has also increased. This can make authentication problematic in cases where hostbased authentication is enabled on both the client and server, but misconfiguration causes all hostbased authentication attempts to fail.

Since hostbased authentication typically requires updating two (or three) files on the server side, in addition to the sshd_config, it is not unusual for there to be configuration issues when allowing a new client to use hostbased authentication. For example, the client hostname may be mistyped in /etc/shosts.equiv. Complications can also arise if the client system has multiple network interfaces, each with distinct names in DNS; e.g. foo-ge, foo-xge.

The client will attempt to authenticate with each host key until it succeeds, all host keys have been tried, or the number of allowed authentication attempts has been exhausted. Thus, four out of the default six authentication attempts can be used by hostbased authentication before the user has a chance to attempt public-key or password authentication. This situation can be made even worse if a host certificate is also available.

It would be helpful if there was a mechanism to limit the number of authentication attempts used by hostbased authentication, so that a reasonable number still remain for other authentication methods if hostbased authentication fails. A simple solution would be to add support for an ssh_config(5) option to limit the number of attempts, such as HostbasedMaxTries or MaxHostbasedAuthTries.

A more flexible (although more complicated to implement) solution would be to provide a means of specifying the keys or key types to try; e.g. HostbasedKeyTypes ecdsa,ssh-rsa.

--
You are receiving this mail because: You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2015-Jan-10 01:13 UTC
[Bug 2211] Too many hostbased authentication attempts
https://bugzilla.mindrot.org/show_bug.cgi?id=2211

--- Comment #1 from Iain Morgan <imorgan at nas.nasa.gov> ---

Would it be possible to have sshd disable hostbased authentication if auth_rhosts2() fails? That would catch the majority of cases where repeated hostbased auth attempts with different keys are pointless. In other words, if auth_rhosts2() fails, it will fail for all key types, so there is really no point in letting the client make further attempts using that authentication method.
bugzilla-daemon at mindrot.org
2015-Jan-20 23:00 UTC
[Bug 2211] Too many hostbased authentication attempts
https://bugzilla.mindrot.org/show_bug.cgi?id=2211

--- Comment #2 from Iain Morgan <imorgan at nas.nasa.gov> ---

Created attachment 2529 --> https://bugzilla.mindrot.org/attachment.cgi?id=2529&action=edit
Add HostbasedKeyTypes to ssh(1)

Add support for a HostbasedKeyTypes client option, inspired by and largely based upon HostbasedAcceptedKeyTypes. This allows the administrator (or user) to select a subset of the supported key types for use with hostbased authentication.
bugzilla-daemon at mindrot.org
2015-Jan-26 21:50 UTC
[Bug 2211] Too many hostbased authentication attempts
https://bugzilla.mindrot.org/show_bug.cgi?id=2211

Iain Morgan <imorgan at nas.nasa.gov> changed:

What                         |Removed |Added
----------------------------------------------------------------------------
Attachment #2529 is obsolete |0       |1

--- Comment #3 from Iain Morgan <imorgan at nas.nasa.gov> ---

Created attachment 2532 --> https://bugzilla.mindrot.org/attachment.cgi?id=2532&action=edit
Add HostbasedKeyTypes to scp.1 and sftp.1
bugzilla-daemon at mindrot.org
2015-Jan-30 08:59 UTC
[Bug 2211] Too many hostbased authentication attempts
https://bugzilla.mindrot.org/show_bug.cgi?id=2211

Damien Miller <djm at mindrot.org> changed:

What                         |Removed                       |Added
----------------------------------------------------------------------------
Attachment #2532 is obsolete |0                             |1
Assignee                     |unassigned-bugs at mindrot.org |djm at mindrot.org
Status                       |NEW                           |ASSIGNED
CC                           |                              |djm at mindrot.org

--- Comment #4 from Damien Miller <djm at mindrot.org> ---

Created attachment 2539 --> https://bugzilla.mindrot.org/attachment.cgi?id=2539&action=edit
make HostbasedKeyTypes control order as well as select types sent

Most of the other options to control protocol methods specify the ordering they are offered or attempted as well as selecting which are available. I've modified your patch to control the order too. It's a little more complex, but works OK against my test server.

It also updates userauth_hostbased and ssh_keysign to the new post-refactor API.

(patch is against OpenBSD -current)
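The attempt-budget problem from the original report and the select-and-order semantics described in Comment #4, as an added illustrative model rather than OpenSSH's own code: the key types, the default of six attempts, and the fnmatch-style wildcard matching are assumptions made for the example.

```python
from fnmatch import fnmatchcase

# sshd_config MaxAuthTries default; the "default six" attempts in the report.
MAX_AUTH_TRIES = 6

# Constructed sample: key types of the host keys a client has loaded, in file
# order, including a host certificate for the "made even worse" case.
CLIENT_HOST_KEYS = [
    "ssh-rsa",
    "ssh-dss",
    "ecdsa-sha2-nistp256",
    "ssh-ed25519",
    "ssh-rsa-cert-v01@openssh.com",
]

def select_hostbased_keys(key_types, hostbased_key_types="*"):
    """Model of HostbasedKeyTypes: keep only key types matching one of the
    comma-separated patterns and order them by the first pattern they match.
    Wildcards are handled by fnmatch here, not by OpenSSH's own matcher."""
    patterns = [p.strip() for p in hostbased_key_types.split(",") if p.strip()]
    offered = []
    for pat in patterns:
        for kt in key_types:
            if kt not in offered and fnmatchcase(kt, pat):
                offered.append(kt)
    return offered

def hostbased_attempt_budget(key_types, hostbased_key_types="*",
                             max_auth_tries=MAX_AUTH_TRIES):
    """Worst case from the report: every hostbased attempt fails (e.g. a typo
    in shosts.equiv), so each offered key burns one of sshd's attempts.
    Returns (key types offered, attempts left for publickey/password)."""
    offered = select_hostbased_keys(key_types, hostbased_key_types)
    return offered, max(0, max_auth_tries - len(offered))

if __name__ == "__main__":
    for setting in ("*", "ssh-ed25519,ecdsa-*", "ssh-ed25519"):
        offered, left = hostbased_attempt_budget(CLIENT_HOST_KEYS, setting)
        print(f"HostbasedKeyTypes {setting!r}: tries {offered}, {left} left")
```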
bugzilla-daemon at mindrot.org
2015-Jan-30 08:59 UTC
[Bug 2211] Too many hostbased authentication attempts
https://bugzilla.mindrot.org/show_bug.cgi?id=2211

Damien Miller <djm at mindrot.org> changed:

What   |Removed |Added
----------------------------------------------------------------------------
Blocks |        |2266
bugzilla-daemon at mindrot.org
2015-Jan-30 11:44 UTC
[Bug 2211] Too many hostbased authentication attempts
https://bugzilla.mindrot.org/show_bug.cgi?id=2211

Damien Miller <djm at mindrot.org> changed:

What       |Removed  |Added
----------------------------------------------------------------------------
Resolution |---      |FIXED
Status     |ASSIGNED |RESOLVED

--- Comment #5 from Damien Miller <djm at mindrot.org> ---

patch applied - will be in OpenSSH-6.8. Thanks!
bugzilla-daemon at mindrot.org
2015-Mar-18 07:17 UTC
[Bug 2211] Too many hostbased authentication attempts
https://bugzilla.mindrot.org/show_bug.cgi?id=2211

Damien Miller <djm at mindrot.org> changed:

What   |Removed  |Added
----------------------------------------------------------------------------
Status |RESOLVED |CLOSED

--- Comment #6 from Damien Miller <djm at mindrot.org> ---

openssh-6.8 is released