bugzilla-daemon at mindrot.org
2014-Mar-14  23:31 UTC
[Bug 2211] New: Too many hostbased authentication attempts
https://bugzilla.mindrot.org/show_bug.cgi?id=2211
            Bug ID: 2211
           Summary: Too many hostbased authentication attempts
           Product: Portable OpenSSH
           Version: 6.5p1
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: imorgan at nas.nasa.gov
With the addition of support for host keys using ECDSA and ed25519, the
number of authentication attempts used by hostbased authentication has
also increased. This can make authentication problematic in cases where
hostbased authentication is enabled on both the client and server, but
misconfiguration causes all hostbased authentication attempts to fail.
Since hostbased authentication typically requires updating two (or
three) files on the server side, in addition to the sshd_config, it is
not unusual for there to be configuration issues when allowing a new
client to use hostbased authentication. For example, the client hostname
may be mistyped in /etc/shosts.equiv. Complications can also arise if
the client system has multiple network interfaces, each with distinct
names in DNS; e.g. foo-ge, foo-xge.
The client will attempt to authenticate with each host key until it
succeeds, all host keys have been tried, or the number of allowed
authentication attempts have been exhausted. Thus, four out of the
default six authentication attempts can be used by hostbased
authentication before the user has a chance to attempt public-key or
password authentication. This situation can be made even worse if a host
certificate is also available.
It would be helpful if there was a mechanism to limit the number of
authentication attempts used by hostbased authentication, so that a
reasonable number still remain for other authentication methods if
hostbased authentication fails.
A simple solution would be to add support for an ssh_config(5) option to
limit the number of attempts, such as HostbasedMaxTries or
MaxHostbasedAuthTries. A more flexible (although more complicated to
implement) solution would be to provide a means of specifying the keys
or key types to try; e.g. HostbasedKeyTypes ecdsa,ssh-rsa.
-- 
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2015-Jan-10  01:13 UTC
[Bug 2211] Too many hostbased authentication attempts
https://bugzilla.mindrot.org/show_bug.cgi?id=2211
--- Comment #1 from Iain Morgan <imorgan at nas.nasa.gov> ---
Would it be possible to have sshd disable hostbased authentication if
auth_rhosts2() fails? That would catch the majority of cases where
repeated hostbased auth attempts with different keys are pointless. In
other words, if auth_rhosts2() fails, it will fail for all key types, so
there is really no point in letting the client make further attempts
using that authentication method.
bugzilla-daemon at mindrot.org
2015-Jan-20  23:00 UTC
[Bug 2211] Too many hostbased authentication attempts
https://bugzilla.mindrot.org/show_bug.cgi?id=2211
--- Comment #2 from Iain Morgan <imorgan at nas.nasa.gov> ---
Created attachment 2529
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2529&action=edit
Add HostbasedKeyTypes to ssh(1)
Add support for a HostbasedKeyTypes client option, inspired by and
largely based upon HostbasedAcceptedKeyTypes. This allows the
administrator (or user) to select a subset of the supported key types
for use with hostbased authentication.
bugzilla-daemon at mindrot.org
2015-Jan-26  21:50 UTC
[Bug 2211] Too many hostbased authentication attempts
https://bugzilla.mindrot.org/show_bug.cgi?id=2211
Iain Morgan <imorgan at nas.nasa.gov> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #2529|0                           |1
        is obsolete|                            |
--- Comment #3 from Iain Morgan <imorgan at nas.nasa.gov> ---
Created attachment 2532
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2532&action=edit
Add HostbasedKeyTypes to scp.1 and sftp.1
bugzilla-daemon at mindrot.org
2015-Jan-30  08:59 UTC
[Bug 2211] Too many hostbased authentication attempts
https://bugzilla.mindrot.org/show_bug.cgi?id=2211
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #2532|0                           |1
        is obsolete|                            |
           Assignee|unassigned-bugs at mindrot.org |djm at mindrot.org
             Status|NEW                         |ASSIGNED
                 CC|                            |djm at mindrot.org
--- Comment #4 from Damien Miller <djm at mindrot.org> ---
Created attachment 2539
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2539&action=edit
make HostbasedKeyTypes control order as well as select types sent
Most of the other options to control protocol methods specify the
ordering they are offered or attempted as well as selecting which are
available.
I've modified your patch to control the order too. It's a little more
complex, but works OK against my test server. It also updates
userauth_hostbased and ssh_keysign to the new post-refactor API.
(patch is against OpenBSD -current)
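The attempt budget the report describes and the two remedies discussed in this thread (comment #1's server-side idea of no longer offering hostbased once the rhosts check has failed, and a HostbasedKeyTypes option that both selects and orders the client's host keys, as in comment #4) are modelled below as an added Python example. It is illustrative code, not OpenSSH's; the key list, the toy Server class, matching on key type names, and the simplified pattern matching (no '!' negation) are assumptions.

```python
import fnmatch

def select_hostbased_keys(available, key_types):
    """Model of HostbasedKeyTypes: the pattern list selects which client host
    keys are tried and fixes their order. Each comma-separated pattern appends
    the keys it matches ('*'/'?' wildcards; '!' negation is not modelled)."""
    chosen = []
    for pattern in key_types.split(","):
        pattern = pattern.strip()
        for key in available:
            if key not in chosen and fnmatch.fnmatchcase(key, pattern):
                chosen.append(key)
    return chosen

class Server:
    """Toy sshd (assumption, not OpenSSH code): counts attempts against
    MaxAuthTries and, per comment #1, optionally stops offering 'hostbased'
    once the rhosts/shosts.equiv check has failed. Trust is modelled on key
    type names only, for brevity."""
    def __init__(self, rhosts_ok, trusted_keys, max_auth_tries=6,
                 drop_after_rhosts_fail=False):
        self.rhosts_ok = rhosts_ok
        self.trusted_keys = set(trusted_keys)
        self.max_auth_tries = max_auth_tries
        self.drop_after_rhosts_fail = drop_after_rhosts_fail
        self.methods = {"hostbased", "publickey", "password"}
        self.attempts = 0

    def try_hostbased(self, key):
        self.attempts += 1
        if not self.rhosts_ok:
            if self.drop_after_rhosts_fail:
                self.methods.discard("hostbased")  # further keys cannot help
            return False
        return key in self.trusted_keys

def run_hostbased(client_keys, key_types, server):
    """Client loop from the report: try each selected key until one succeeds,
    the keys run out, hostbased is no longer offered, or the budget is spent.
    Returns (succeeded, attempts_used, attempts_left_for_other_methods)."""
    for key in select_hostbased_keys(client_keys, key_types):
        if "hostbased" not in server.methods or server.attempts >= server.max_auth_tries:
            break
        if server.try_hostbased(key):
            return True, server.attempts, server.max_auth_tries - server.attempts
    return False, server.attempts, server.max_auth_tries - server.attempts

# Constructed sample: four host key types plus an RSA host certificate.
CLIENT_KEYS = ["ssh-rsa", "ssh-dss", "ecdsa-sha2-nistp256", "ssh-ed25519",
               "ssh-rsa-cert-v01@openssh.com"]
```

With a misconfigured server (every rhosts check failing), the default "*" spends five of the six attempts, "ssh-ed25519,ssh-rsa" spends two, and the comment #1 behaviour spends one.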
bugzilla-daemon at mindrot.org
2015-Jan-30  08:59 UTC
[Bug 2211] Too many hostbased authentication attempts
https://bugzilla.mindrot.org/show_bug.cgi?id=2211
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |2266
bugzilla-daemon at mindrot.org
2015-Jan-30  11:44 UTC
[Bug 2211] Too many hostbased authentication attempts
https://bugzilla.mindrot.org/show_bug.cgi?id=2211
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|ASSIGNED                    |RESOLVED
--- Comment #5 from Damien Miller <djm at mindrot.org> ---
patch applied - will be in OpenSSH-6.8. Thanks!
bugzilla-daemon at mindrot.org
2015-Mar-18  07:17 UTC
[Bug 2211] Too many hostbased authentication attempts
https://bugzilla.mindrot.org/show_bug.cgi?id=2211
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED
--- Comment #6 from Damien Miller <djm at mindrot.org> ---
openssh-6.8 is released