We use OpenSSH 3.5p1 on an embedded system. OpenSSH is configured to not
permit password logins, /etc/ssh/sshd_config:

...
PasswordAuthentication no
...

At the same time, since there is no console and no way to "log in" other
than by ssh, /etc/passwd has an "open" root account:

root::0:0:root:/root:/bin/sh
nobody:x:65534:65534:nobody:/tmp:/usr/bin/bash

Apparently OpenSSH 3.5p1 ignores "PasswordAuthentication no" whenever
somebody comes from a root account on some_host:

-----------------------------------------------------------------
root at somehost:~# ssh -2 -v <some ip-number>
OpenSSH_2.9.9p2, SSH protocols 1.5/2.0, OpenSSL 0x0090602f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Seeding random number generator
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: restore_uid
debug1: ssh_connect: getuid 0 geteuid 0 anon 1
debug1: Connecting to <some ip-number> [<some ip-number>] port 22.
debug1: temporarily_use_uid: 0/0 (e=0)
debug1: restore_uid
debug1: temporarily_use_uid: 0/0 (e=0)
debug1: restore_uid
debug1: Connection established.
debug1: read PEM private key done: type DSA
debug1: read PEM private key done: type RSA
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_dsa type 2
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.5p1
debug1: match: OpenSSH_3.5p1 pat ^OpenSSH
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_2.9.9p2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 113/256
debug1: bits set: 1613/3191
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '<some ip-number>' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:43
debug1: bits set: 1597/3191
debug1: ssh_rsa_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: ssh-userauth2 successful: method none
debug1: channel 0: new [client-session]
debug1: send channel open 0
debug1: Entering interactive session.
debug1: ssh_session2_setup: id 0
debug1: Requesting X11 forwarding with authentication spoofing.
debug1: channel request 0: shell
debug1: channel 0: open confirm rwindow 0 rmax 32768
Last login: Tue Jan 7 03:20:25 2003 from <someother_host>
bash#
---------------------------------------------------------------

Bang, I'm in with: "ssh-userauth2 successful: method none". No keys
necessary.

The same does NOT work with ssh -1 ...

---------------------------------------------------------------
root at somehost:~# ssh -1 -v root@<some ip-number>
OpenSSH_2.5.2p2, SSH protocols 1.5/2.0, OpenSSL 0x0090600f
debug1: Seeding random number generator
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: getuid 0 geteuid 0 anon 1
debug1: Connecting to <some ip-number> [<some ip-number>] port 22.
debug1: Connection established.
debug1: identity file /root/.ssh/identity type 0
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.5p1
debug1: match: OpenSSH_3.5p1 pat ^OpenSSH
debug1: Local version string SSH-1.5-OpenSSH_2.5.2p2
debug1: Waiting for server public key.
debug1: Received server public key (768 bits) and host key (1024 bits).
debug1: Host 'some ip-number' is known and matches the RSA1 host key.
debug1: Found key in /root/.ssh/known_hosts:2
debug1: Encryption type: 3des
debug1: Sent encrypted session key.
debug1: Installing crc compensation attack detector.
debug1: Received encrypted confirmation.
debug1: Trying RSA authentication with key 'root at somehost'
debug1: Server refused our key.
Permission denied.
debug1: Calling cleanup 0x8061610(0x0)
--------------------------------------------------------------

If /etc/passwd has the root account x-ed out:

root:x:0:0:root:/root:/bin/sh

ssh -2 also rejects the connection.

Am I right to consider this a bug and a potential security problem, since
protocol version 1 seems to behave as expected, while version 2 appears to
look at the password file despite "PasswordAuthentication no" in the config
file? Or am I just missing something important?

I'm not a regular subscriber, I'd appreciate comments to
rosenberger at pgc.nrcan.gc.ca or andreas at arescon.com

-- 
___________________________________________________________________
a. rosenberger                          arescon ltd.
andreas at arescon.com                  9706 First St.
www.arescon.com                         Sidney, B.C.
                                        Canada V8L 3C7
___________________________________________________________________
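As an added example, not part of the original message and not OpenSSH code: a small POSIX sh audit that checks the two conditions the report combines on one host, namely an account whose password field in a passwd-format file is empty (the "root::0:0:..." entry above) and the effective value of the PasswordAuthentication keyword in sshd_config. The sample passwd and sshd_config files are constructed here to mirror the message; the keyword lookup assumes a flat keyword-value file and relies on the documented sshd_config rule that the first occurrence of a keyword is the one that takes effect.

```shell
#!/bin/sh
# Added audit helper (constructed example, not code from the original post).
# Two checks drawn from the report above:
#   1. accounts whose password field in a passwd-format file is empty
#      (the "root::0:0:..." entry), and
#   2. the effective value of a boolean sshd_config keyword such as
#      PasswordAuthentication.

# Print the name of every account whose second (password) field is empty.
empty_password_accounts() {
    # $1: path to a passwd-format file
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Print the effective value of keyword $2 in the sshd_config file $1.
# Assumption: as sshd_config(5) documents, the first occurrence of a keyword
# wins, so the scan stops at the first match; comments and blank lines are
# skipped and the keyword comparison is case-insensitive.
sshd_option() {
    awk -v key="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Run both checks; return 1 when any empty-password account exists so the
# result can drive a cron job or an image build-time check.
audit_login_surface() {
    # $1: passwd file, $2: sshd_config file
    rc=0
    for acct in $(empty_password_accounts "$1"); do
        echo "WARNING: account '$acct' has an empty password field in $1"
        rc=1
    done
    echo "INFO: PasswordAuthentication=$(sshd_option "$2" PasswordAuthentication)"
    return $rc
}

# Constructed sample files mirroring the message (not real system files).
SAMPLE_PASSWD=$(mktemp)
SAMPLE_SSHD_CONFIG=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD" "$SAMPLE_SSHD_CONFIG"' EXIT

cat > "$SAMPLE_PASSWD" <<'EOF'
root::0:0:root:/root:/bin/sh
nobody:x:65534:65534:nobody:/tmp:/usr/bin/bash
EOF

cat > "$SAMPLE_SSHD_CONFIG" <<'EOF'
# constructed sshd_config fragment
PasswordAuthentication no
EOF

# Demonstration run against the constructed files; on a live system pass
# /etc/passwd and /etc/ssh/sshd_config instead.
if audit_login_surface "$SAMPLE_PASSWD" "$SAMPLE_SSHD_CONFIG"; then
    echo "OK: no empty-password accounts"
else
    echo "FAIL: empty-password accounts present"
fi
```

On the sample input the run prints a WARNING for root, reports PasswordAuthentication=no, and exits the audit function with status 1; pointing it at a real /etc/passwd and /etc/ssh/sshd_config makes the same pair of facts visible before an image ships.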