openssh unix dev - Jan 2015 - OpenSSH v6.7 & NumberOfPasswordPrompts Option ...

So it appears that I am getting a keyboard-interactive prompt and then a
password prompt.

Here is the output of the requested command:

ssh -vvv -o NumberOfPasswordPrompts=1 -t root at 10.10.2.51

OpenSSH_6.7p1, OpenSSL 1.0.1k-fips 8 Jan 2015
debug1: Reading configuration data /cygdrive/c/progra~1/OpenSSH/etc/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to 10.10.2.51 [10.10.2.51] port 22.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file /.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.7
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.7
debug1: match: OpenSSH_6.7 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug3: load_hostkeys: loading entries for host "10.10.2.51" from file
"/.ssh/kn
own_hosts"
debug3: load_hostkeys: found key type ED25519 in file /.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys
debug3: order_hostkeyalgs: prefer hostkeyalgs: ssh-ed25519-cert-v01 at
openssh.com,
ssh-ed25519
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: curve25519-sha256 at
libssh.org,ecdh-sha2-nistp256,ecdh-
sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hel
lman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-ed25519-cert-v01 at
openssh.com,ssh-ed25519,ecdsa-sh
a2-nistp256-cert-v01 at openssh.com,ecdsa-sha2-nistp384-cert-v01 at
openssh.com,ecdsa-
sha2-nistp521-cert-v01 at openssh.com,ssh-rsa-cert-v01 at
openssh.com,ssh-dss-cert-v01
@openssh.com,ssh-rsa-cert-v00 at openssh.com,ssh-dss-cert-v00 at
openssh.com,ecdsa-sha
2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm at
openssh.c
om,aes256-gcm at openssh.com,chacha20-poly1305 at
openssh.com,arcfour256,arcfour128,ae
s128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndae
l-cbc at lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm at
openssh.c
om,aes256-gcm at openssh.com,chacha20-poly1305 at
openssh.com,arcfour256,arcfour128,ae
s128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndae
l-cbc at lysator.liu.se
debug2: kex_parse_kexinit: umac-64-etm at openssh.com,umac-128-etm at
openssh.com,hmac
-sha2-256-etm at openssh.com,hmac-sha2-512-etm at openssh.com,hmac-sha1-etm at
openssh.co
m,umac-64 at openssh.com,umac-128 at
openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
,hmac-md5-etm at openssh.com,hmac-ripemd160-etm at openssh.com,hmac-sha1-96-etm
at openss
h.com,hmac-md5-96-etm at openssh.com,hmac-md5,hmac-ripemd160,hmac-ripemd160 at
openssh
.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: umac-64-etm at openssh.com,umac-128-etm at
openssh.com,hmac
-sha2-256-etm at openssh.com,hmac-sha2-512-etm at openssh.com,hmac-sha1-etm at
openssh.co
m,umac-64 at openssh.com,umac-128 at
openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
,hmac-md5-etm at openssh.com,hmac-ripemd160-etm at openssh.com,hmac-sha1-96-etm
at openss
h.com,hmac-md5-96-etm at openssh.com,hmac-md5,hmac-ripemd160,hmac-ripemd160 at
openssh
.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: curve25519-sha256 at
libssh.org,diffie-hellman-group-exc
hange-sha256,diffie-hellman-group14-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,ssh-ed25519
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-sha1
debug2: kex_parse_kexinit: hmac-sha1
debug2: kex_parse_kexinit: none,zlib at openssh.com
debug2: kex_parse_kexinit: none,zlib at openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: setup hmac-sha1
debug1: kex: server->client aes128-ctr hmac-sha1 none
debug2: mac_setup: setup hmac-sha1
debug1: kex: client->server aes128-ctr hmac-sha1 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ED25519 17:99:91:c2:9d:f4:9a:6c:b3:ab:50:c5:e8:eb:a3:70

debug3: load_hostkeys: loading entries for host "10.10.2.51" from file
"/.ssh/kn
own_hosts"
debug3: load_hostkeys: found key type ED25519 in file /.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys
debug1: Host '10.10.2.51' is known and matches the ED25519 host key.
debug1: Found key in /.ssh/known_hosts:1
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /.ssh/id_rsa (0x0),
debug2: key: /.ssh/id_dsa (0x0),
debug2: key: /.ssh/id_ecdsa (0x0),
debug2: key: /.ssh/id_ed25519 (0x0),
debug3: input_userauth_banner
You are accessing a U.S. Government (USG) Information System (IS) that is provid
ed for USG-authorized use only. By using this IS (which includes any device atta
ched to this IS), you consent to the following conditions:
- The USG routinely intercepts and monitors communications on this IS for purpos
es including, but not limited to, penetration testing, COMSEC monitoring, networ
k operations and defense, personnel misconduct (PM), law enforcement (LE), and c
ounterintelligence (CI) investigations.
- At any time, the USG may inspect and seize data stored on this IS.
- Communications using, or data stored on, this IS are not private, are subject
to routine monitoring, interception, and search, and may be disclosed or used fo
r any USG-authorized purpose.
- This IS includes security measures (e.g., authentication and access controls)
to protect USG interests -- not for your personal benefit or privacy.
- Notwithstanding the above, using this IS does not constitute consent to PM, LE
 or CI investigative searching or monitoring of the content of privileged commun
ications, or work product, related to personal representation or services by att
orneys, psychotherapists, or clergy, and their assistants. Such communications a
nd work product are private and confidential. See User Agreement for details.
debug1: Authentications that can continue: publickey,password,keyboard-interacti
ve
debug3: start over, passed a different list publickey,password,keyboard-interact
ive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /.ssh/id_rsa
debug3: no such identity: /.ssh/id_rsa: No such file or directory
debug1: Trying private key: /.ssh/id_dsa
debug3: no such identity: /.ssh/id_dsa: No such file or directory
debug1: Trying private key: /.ssh/id_ecdsa
debug3: no such identity: /.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /.ssh/id_ed25519
debug3: no such identity: /.ssh/id_ed25519: No such file or directory
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password:
debug1: Authentications that can continue:
publickey,password,keyboard-interactive
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred:
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
root at 10.10.2.51's password:
debug2: we sent a password packet, wait for reply
debug1: Authentications that can continue:
publickey,password,keyboard-interactive
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey,password,keyboard-interactive).


In the above output, the first prompt is "Password:". The second
prompt is "root at 10.10.2.51's password:"


Best regards,
 

Trey Henefield, CISSP
Senior IAVA Engineer

Ultra Electronics
Advanced Tactical Systems, Inc.
4101 Smith School Road
Building IV, Suite 100
Austin, TX 78744 USA

Trey.Henefield at ultra-ats.com
Tel: +1 512 327 6795 ext. 647
Fax: +1 512 327 8043
Mobile: +1 512 541 6450

www.ultra-ats.com

-----Original Message-----
From: ?ngel Gonz?lez [mailto:keisial at gmail.com] 
Sent: Thursday, January 15, 2015 1:28 PM
To: Trey Henefield
Cc: openssh-unix-dev at mindrot.org
Subject: Re: OpenSSH v6.7 & NumberOfPasswordPrompts Option ...

On 15/01/15 16:29, Trey Henefield wrote:
> Greetings,
>
> I discovered an issue in the latest version of SSH, where the number of
password prompts are doubled. If I specify 1, I get 2, and so on.
NumberOfPasswordPrompts is a client option. And it is working fine here on
6.7p1:

Running ssh -vvv -o NumberOfPasswordPrompts=1 testmachine, I only get asked for
a password once, then disconnect.

Could you send us the output of such command on your tests?
(there isn't anything specially sensitive there, but feel free to obscure
any data you son't feel comfortable sharing, such as your username, host
name or key ids...)


Note that at the server side, the option is called MaxAuthTries, and works
differently, counting authentication attempts of any
kind.
> For OpenSSH, the server does not specifically constrain the number of 
> pasword authentication attempts. MaxAuthTries (default is 6) is the 
> maximum number of authentication attempts (of any sort) per connection.
-- Ian Morgan last February on "Issue With SSHD Password Guesses"
thread

Disclaimer
The information contained in this communication from trey.henefield at
ultra-ats.com sent at 2015-01-15 15:47:41 is confidential and may be legally
privileged.
It is intended solely for use by openssh-unix-dev at mindrot.org and others
authorized to receive it. If you are not openssh-unix-dev at mindrot.org you are
hereby notified that
any disclosure, copying, distribution or taking action in reliance of the
contents of this information is strictly prohibited and may be unlawful.

On Thu 2015-01-15 15:47:33 -0500, Trey Henefield wrote:
> debug3: authmethod_lookup keyboard-interactive
> debug3: remaining preferred: password
> debug3: authmethod_is_enabled keyboard-interactive
> debug1: Next authentication method: keyboard-interactive
> debug2: userauth_kbdint
> debug2: we sent a keyboard-interactive packet, wait for reply
> debug2: input_userauth_info_req
> debug2: input_userauth_info_req: num_prompts 1
> Password:
> debug1: Authentications that can continue:
publickey,password,keyboard-interactive
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup password
> debug3: remaining preferred:
> debug3: authmethod_is_enabled password
> debug1: Next authentication method: password
> root at 10.10.2.51's password:
> debug2: we sent a password packet, wait for reply
> debug1: Authentications that can continue:
publickey,password,keyboard-interactive
> debug2: we did not send a packet, disable method
> debug1: No more authentication methods to try.
> Permission denied (publickey,password,keyboard-interactive).
>
>
> In the above output, the first prompt is "Password:". The second
prompt is "root at 10.10.2.51's password:"
The first prompt is a keyboard-interactive prompt; the second prompt is
the password prompt.  please try again with
-oKbdInteractiveAuthentication=no

Regards,

        --dkg

PS if possible, you should probably avoid using password authentication
for the root account anyway, but that's a sideline to the issue you're
seeing here.

Yes, I have tried that option with no difference in behavior. It seems it
ignores that option when provided. Just for reference, I am building it on
RedHat 5. I have never had this issue on any previous version of OpenSSH. I use
the default configuration with only the changes specified in the RHEL 5 STIG
applied.

I appreciate the security advice. The root account was indicated simply as an
anonymous indicator. I do have PermitRootLogin=no applied. But this same issue
is present regardless of the account provided.


Best regards,


Trey Henefield, CISSP
Senior IAVA Engineer

Ultra Electronics
Advanced Tactical Systems, Inc.
4101 Smith School Road
Building IV, Suite 100
Austin, TX 78744 USA

Trey.Henefield at ultra-ats.com
Tel: +1 512 327 6795 ext. 647
Fax: +1 512 327 8043
Mobile: +1 512 541 6450

www.ultra-ats.com

-----Original Message-----
From: Daniel Kahn Gillmor [dkg at fifthhorseman.net]
Received: Thursday, 15 Jan 2015, 4:03PM
To: Trey Henefield [trey.henefield at ultra-ats.com]; ?ngel Gonz?lez [keisial at
gmail.com]
CC: openssh-unix-dev at mindrot.org [openssh-unix-dev at mindrot.org]
Subject: RE: OpenSSH v6.7 & NumberOfPasswordPrompts Option ...

On Thu 2015-01-15 15:47:33 -0500, Trey Henefield wrote:
> debug3: authmethod_lookup keyboard-interactive
> debug3: remaining preferred: password
> debug3: authmethod_is_enabled keyboard-interactive
> debug1: Next authentication method: keyboard-interactive
> debug2: userauth_kbdint
> debug2: we sent a keyboard-interactive packet, wait for reply
> debug2: input_userauth_info_req
> debug2: input_userauth_info_req: num_prompts 1
> Password:
> debug1: Authentications that can continue:
publickey,password,keyboard-interactive
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup password
> debug3: remaining preferred:
> debug3: authmethod_is_enabled password
> debug1: Next authentication method: password
> root at 10.10.2.51's password:
> debug2: we sent a password packet, wait for reply
> debug1: Authentications that can continue:
publickey,password,keyboard-interactive
> debug2: we did not send a packet, disable method
> debug1: No more authentication methods to try.
> Permission denied (publickey,password,keyboard-interactive).
>
>
> In the above output, the first prompt is "Password:". The second
prompt is "root at 10.10.2.51's password:"
The first prompt is a keyboard-interactive prompt; the second prompt is
the password prompt.  please try again with
-oKbdInteractiveAuthentication=no

Regards,

        --dkg

PS if possible, you should probably avoid using password authentication
for the root account anyway, but that's a sideline to the issue you're
seeing here.

Disclaimer
The information contained in this communication from trey.henefield at
ultra-ats.com sent at 2015-01-15 17:54:25 is confidential and may be legally
privileged.
It is intended solely for use by openssh-unix-dev at mindrot.org and others
authorized to receive it. If you are not openssh-unix-dev at mindrot.org you are
hereby notified that
any disclosure, copying, distribution or taking action in reliance of the
contents of this information is strictly prohibited and may be unlawful.