Yes, I have tried that option with no difference in behavior. It seems it ignores that option when provided. Just for reference, I am building it on RedHat 5. I have never had this issue on any previous version of OpenSSH. I use the default configuration with only the changes specified in the RHEL 5 STIG applied.

I appreciate the security advice. The root account was indicated simply as an anonymous indicator. I do have PermitRootLogin=no applied. But this same issue is present regardless of the account provided.

Best regards,

Trey Henefield, CISSP
Senior IAVA Engineer

Ultra Electronics
Advanced Tactical Systems, Inc.
4101 Smith School Road
Building IV, Suite 100
Austin, TX 78744 USA

Trey.Henefield at ultra-ats.com
Tel: +1 512 327 6795 ext. 647
Fax: +1 512 327 8043
Mobile: +1 512 541 6450

www.ultra-ats.com

-----Original Message-----
From: Daniel Kahn Gillmor [dkg at fifthhorseman.net]
Received: Thursday, 15 Jan 2015, 4:03PM
To: Trey Henefield [trey.henefield at ultra-ats.com]; Ángel González [keisial at gmail.com]
CC: openssh-unix-dev at mindrot.org [openssh-unix-dev at mindrot.org]
Subject: RE: OpenSSH v6.7 & NumberOfPasswordPrompts Option ...

On Thu 2015-01-15 15:47:33 -0500, Trey Henefield wrote:
> debug3: authmethod_lookup keyboard-interactive
> debug3: remaining preferred: password
> debug3: authmethod_is_enabled keyboard-interactive
> debug1: Next authentication method: keyboard-interactive
> debug2: userauth_kbdint
> debug2: we sent a keyboard-interactive packet, wait for reply
> debug2: input_userauth_info_req
> debug2: input_userauth_info_req: num_prompts 1
> Password:
> debug1: Authentications that can continue: publickey,password,keyboard-interactive
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup password
> debug3: remaining preferred:
> debug3: authmethod_is_enabled password
> debug1: Next authentication method: password
> root at 10.10.2.51's password:
> debug2: we sent a password packet, wait for reply
> debug1: Authentications that can continue: publickey,password,keyboard-interactive
> debug2: we did not send a packet, disable method
> debug1: No more authentication methods to try.
> Permission denied (publickey,password,keyboard-interactive).
>
> In the above output, the first prompt is "Password:". The second prompt is "root at 10.10.2.51's password:"

The first prompt is a keyboard-interactive prompt; the second prompt is the password prompt. please try again with -oKbdInteractiveAuthentication=no

Regards,

--dkg

PS if possible, you should probably avoid using password authentication for the root account anyway, but that's a sideline to the issue you're seeing here.

Disclaimer
The information contained in this communication from trey.henefield at ultra-ats.com sent at 2015-01-15 17:54:25 is confidential and may be legally privileged. It is intended solely for use by openssh-unix-dev at mindrot.org and others authorized to receive it. If you are not openssh-unix-dev at mindrot.org you are hereby notified that any disclosure, copying, distribution or taking action in reliance of the contents of this information is strictly prohibited and may be unlawful.

On Thu, Jan 15, 2015 at 5:54 PM, Trey Henefield <trey.henefield at ultra-ats.com> wrote:
> Yes, I have tried that option with no difference in behavior. It seems it ignores that option when provided. Just for reference, I am building it on RedHat 5. I have never had this issue on any previous version of OpenSSH. I use the default configuration with only the changes specified in the RHEL 5 STIG applied.

RHEL 5 is now 2 major releases behind and was released roughly 7 years ago. Time to update, I think, there have been a *lot* of significant security and architecture changes that can affect the toolchain used to build recent versions of OpenSSH.

> I appreciate the security advice. The root account was indicated simply as an anonymous indicator. I do have PermitRootLogin=no applied. But this same issue is present regardless of the account provided.
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

2015-01-16 7:21 GMT+01:00 Nico Kadel-Garcia <nkadel at gmail.com>:
> RHEL 5 is now 2 major releases behind and was released roughly 7 years
> ago. Time to update, I think, there have been a *lot* of significant
> security and architecture changes that can affect the toolchain used
> to build recent versions of OpenSSH.

5.11 was released last September. :-)

But: When you pay for RHEL, you should use the RH packages.

Best
Martin

So I have sorted it out now. It turns out that defining "UsePAM yes" was causing the keyboard-interactive mode to occur. The odd thing was that defining "-o KbdInteractiveAuthentication=no" had no effect, although it did not produce an error either, meaning it accepted the parameter provided.

In the end, I was able to keep the UsePAM option and remove the keyboard-interactive prompt by explicitly defining the authentication methods with "-o PreferredAuthentications=password".

Best regards,

Trey Henefield, CISSP
Senior IAVA Engineer
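
The point made earlier in the thread, that the two prompts come from two different authentication methods, can be read directly from the client's debug output. As an added example (not part of the original thread), this Python sketch groups the prompts in `ssh -vvv` output by the method that produced them; the function names are hypothetical and the sample log is abridged from the excerpt quoted in the thread.

```python
import re

# Abridged from the debug excerpt quoted in the thread (the archive shows "@" as " at ").
SAMPLE_LOG = """\
debug1: Next authentication method: keyboard-interactive
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req: num_prompts 1
Password:
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
root at 10.10.2.51's password:
debug2: we sent a password packet, wait for reply
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: No more authentication methods to try.
Permission denied (publickey,password,keyboard-interactive).
"""

NEXT_METHOD = re.compile(r"^debug1: Next authentication method: (\S+)")
ROUND_OVER = re.compile(r"^debug1: (Authentications that can continue|No more authentication methods|Authentication succeeded)")
DEBUG_LINE = re.compile(r"^debug\d: ")


def prompts_by_method(log_text):
    """Return [(method, [prompt, ...])] in the order the client tried the methods."""
    attempts, active = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        started = NEXT_METHOD.match(line)
        if started:
            attempts.append((started.group(1), []))
            active = True
        elif ROUND_OVER.match(line):
            active = False
        elif active and line and not DEBUG_LINE.match(line):
            # Non-debug text while a method is in progress is what the user saw.
            attempts[-1][1].append(line)
    return attempts


def unexpected_prompt_methods(log_text, wanted=("password",)):
    """Methods outside `wanted` that still put a prompt in front of the user."""
    return [m for m, prompts in prompts_by_method(log_text) if prompts and m not in wanted]


if __name__ == "__main__":
    for method, prompts in prompts_by_method(SAMPLE_LOG):
        print(f"{method}: {len(prompts)} prompt(s) {prompts}")
    print("unexpected:", unexpected_prompt_methods(SAMPLE_LOG))
```

Run against the log of a session started with `-o PreferredAuthentications=password`, as in the last message of the thread, the second function is expected to return an empty list.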