So it appears that I am getting a keyboard-interactive prompt and then a password prompt. Here is the output of the requested command:

ssh -vvv -o NumberOfPasswordPrompts=1 -t root@10.10.2.51
OpenSSH_6.7p1, OpenSSL 1.0.1k-fips 8 Jan 2015
debug1: Reading configuration data /cygdrive/c/progra~1/OpenSSH/etc/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to 10.10.2.51 [10.10.2.51] port 22.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file /.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.7
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.7
debug1: match: OpenSSH_6.7 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug3: load_hostkeys: loading entries for host "10.10.2.51" from file "/.ssh/known_hosts"
debug3: load_hostkeys: found key type ED25519 in file /.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys
debug3: order_hostkeyalgs: prefer hostkeyalgs: ssh-ed25519-cert-v01@openssh.com,ssh-ed25519
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-ed25519-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,ssh-ed25519
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-sha1
debug2: kex_parse_kexinit: hmac-sha1
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: setup hmac-sha1
debug1: kex: server->client aes128-ctr hmac-sha1 none
debug2: mac_setup: setup hmac-sha1
debug1: kex: client->server aes128-ctr hmac-sha1 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ED25519 17:99:91:c2:9d:f4:9a:6c:b3:ab:50:c5:e8:eb:a3:70
debug3: load_hostkeys: loading entries for host "10.10.2.51" from file "/.ssh/known_hosts"
debug3: load_hostkeys: found key type ED25519 in file /.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys
debug1: Host '10.10.2.51' is known and matches the ED25519 host key.
debug1: Found key in /.ssh/known_hosts:1
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /.ssh/id_rsa (0x0),
debug2: key: /.ssh/id_dsa (0x0),
debug2: key: /.ssh/id_ecdsa (0x0),
debug2: key: /.ssh/id_ed25519 (0x0),
debug3: input_userauth_banner
You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
- The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
- At any time, the USG may inspect and seize data stored on this IS.
- Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
- This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy.
- Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug3: start over, passed a different list publickey,password,keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /.ssh/id_rsa
debug3: no such identity: /.ssh/id_rsa: No such file or directory
debug1: Trying private key: /.ssh/id_dsa
debug3: no such identity: /.ssh/id_dsa: No such file or directory
debug1: Trying private key: /.ssh/id_ecdsa
debug3: no such identity: /.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /.ssh/id_ed25519
debug3: no such identity: /.ssh/id_ed25519: No such file or directory
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password:
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred:
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
root@10.10.2.51's password:
debug2: we sent a password packet, wait for reply
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey,password,keyboard-interactive).

In the above output, the first prompt is "Password:".
The second prompt is "root@10.10.2.51's password:".

Best regards,

Trey Henefield, CISSP
Senior IAVA Engineer
Ultra Electronics
Advanced Tactical Systems, Inc.
4101 Smith School Road
Building IV, Suite 100
Austin, TX 78744 USA
Trey.Henefield at ultra-ats.com
Tel: +1 512 327 6795 ext. 647
Fax: +1 512 327 8043
Mobile: +1 512 541 6450
www.ultra-ats.com

-----Original Message-----
From: Ángel González [mailto:keisial at gmail.com]
Sent: Thursday, January 15, 2015 1:28 PM
To: Trey Henefield
Cc: openssh-unix-dev at mindrot.org
Subject: Re: OpenSSH v6.7 & NumberOfPasswordPrompts Option ...

On 15/01/15 16:29, Trey Henefield wrote:
> Greetings,
>
> I discovered an issue in the latest version of SSH, where the number of password prompts is doubled. If I specify 1, I get 2, and so on.

NumberOfPasswordPrompts is a client option. And it is working fine here on 6.7p1: running ssh -vvv -o NumberOfPasswordPrompts=1 testmachine, I only get asked for a password once, then disconnect.

Could you send us the output of such command on your tests? (There isn't anything specially sensitive there, but feel free to obscure any data you don't feel comfortable sharing, such as your username, host name or key ids...)

Note that at the server side, the option is called MaxAuthTries, and works differently, counting authentication attempts of any kind.

> For OpenSSH, the server does not specifically constrain the number of
> password authentication attempts. MaxAuthTries (default is 6) is the
> maximum number of authentication attempts (of any sort) per connection.
-- Ian Morgan last February on "Issue With SSHD Password Guesses" thread

Disclaimer
The information contained in this communication from trey.henefield at ultra-ats.com sent at 2015-01-15 15:47:41 is confidential and may be legally privileged. It is intended solely for use by openssh-unix-dev at mindrot.org and others authorized to receive it. If you are not openssh-unix-dev at mindrot.org you are hereby notified that any disclosure, copying, distribution or taking action in reliance of the contents of this information is strictly prohibited and may be unlawful.
Daniel Kahn Gillmor
2015-Jan-15 21:57 UTC
OpenSSH v6.7 & NumberOfPasswordPrompts Option ...
On Thu 2015-01-15 15:47:33 -0500, Trey Henefield wrote:
> debug3: authmethod_lookup keyboard-interactive
> debug3: remaining preferred: password
> debug3: authmethod_is_enabled keyboard-interactive
> debug1: Next authentication method: keyboard-interactive
> debug2: userauth_kbdint
> debug2: we sent a keyboard-interactive packet, wait for reply
> debug2: input_userauth_info_req
> debug2: input_userauth_info_req: num_prompts 1
> Password:
> debug1: Authentications that can continue: publickey,password,keyboard-interactive
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup password
> debug3: remaining preferred:
> debug3: authmethod_is_enabled password
> debug1: Next authentication method: password
> root@10.10.2.51's password:
> debug2: we sent a password packet, wait for reply
> debug1: Authentications that can continue: publickey,password,keyboard-interactive
> debug2: we did not send a packet, disable method
> debug1: No more authentication methods to try.
> Permission denied (publickey,password,keyboard-interactive).
>
>
> In the above output, the first prompt is "Password:". The second prompt is "root@10.10.2.51's password:"

The first prompt is a keyboard-interactive prompt; the second prompt is the password prompt.

Please try again with -oKbdInteractiveAuthentication=no

Regards,

--dkg

PS if possible, you should probably avoid using password authentication for the root account anyway, but that's a sideline to the issue you're seeing here.
Yes, I have tried that option with no difference in behavior. It seems it ignores that option when provided.

Just for reference, I am building it on RedHat 5. I have never had this issue on any previous version of OpenSSH. I use the default configuration with only the changes specified in the RHEL 5 STIG applied.

I appreciate the security advice. The root account was indicated simply as an anonymous indicator. I do have PermitRootLogin=no applied. But this same issue is present regardless of the account provided.

Best regards,

Trey Henefield, CISSP
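The point Ángel and dkg make is that NumberOfPasswordPrompts bounds only the `password` method, while a `keyboard-interactive` round (the PAM "Password:" prompt) adds its own prompt. As an added example, not from the thread, here is a small parser for the `ssh -vvv` client output quoted above that attributes each prompt to the userauth method that produced it; the sample log is constructed from the excerpt in the thread, and the debug line formats are those of OpenSSH 6.x as shown there.

```python
# Attribute each prompt in `ssh -vvv` client output (OpenSSH 6.x format, as
# quoted in the thread) to the userauth method that produced it.
import re

METHOD_RE = re.compile(r"^debug1: Next authentication method: (\S+)")
KBDINT_RE = re.compile(r"^debug2: input_userauth_info_req: num_prompts (\d+)")
PASSWD_RE = re.compile(r"^debug2: we sent a password packet")
DENIED_RE = re.compile(r"^Permission denied \(([^)]*)\)")


def count_prompts(log_text):
    """Return ({method: prompts shown}, list of methods in the final denial)."""
    prompts, current, denied = {}, None, []
    for line in log_text.splitlines():
        line = line.strip()
        if m := METHOD_RE.match(line):
            current = m.group(1)
            prompts.setdefault(current, 0)
        elif (m := KBDINT_RE.match(line)) and current == "keyboard-interactive":
            # One info request may carry several prompts; PAM normally sends 1.
            prompts[current] += int(m.group(1))
        elif PASSWD_RE.match(line) and current == "password":
            prompts[current] += 1
        elif m := DENIED_RE.match(line):
            denied = m.group(1).split(",")
    return prompts, denied


def extra_prompts(prompts, number_of_password_prompts):
    """Prompts the user saw beyond what NumberOfPasswordPrompts bounds:
    the client option only limits the `password` method."""
    total = sum(prompts.values())
    return total - min(prompts.get("password", 0), number_of_password_prompts)


# Constructed sample, trimmed from the -vvv excerpt quoted in the thread.
SAMPLE_LOG = """\
debug1: Next authentication method: publickey
debug2: we did not send a packet, disable method
debug1: Next authentication method: keyboard-interactive
debug2: input_userauth_info_req: num_prompts 1
Password:
debug1: Next authentication method: password
root@10.10.2.51's password:
debug2: we sent a password packet, wait for reply
debug1: No more authentication methods to try.
Permission denied (publickey,password,keyboard-interactive).
"""

if __name__ == "__main__":
    counts, denied = count_prompts(SAMPLE_LOG)
    print(counts, "extra prompts:", extra_prompts(counts, 1), denied)
```

With the sample log and NumberOfPasswordPrompts=1 the result is one extra prompt, the keyboard-interactive one, which is what the thread observed; with KbdInteractiveAuthentication=no on the client (or ChallengeResponseAuthentication=no on a 6.x server) that method never runs and the count drops to zero.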