
OpenSSH logging and MaxAuthTries

5 messages

OpenSSH logging and MaxAuthTries

Lars Noodén
Looking at a recent snapshot, see dmesg at the bottom, I have two
questions about OpenSSH logging.

1) The entry in sshd_config(5) for MaxAuthTries states the following
about log entries:

             ...  Once the number of failures reaches half this
             value, additional failures are logged.  The default is 6.

Yet the logging of failures seems to occur these days from the very first try.
Has this behavior changed?

2) The client gets disconnected before MaxAuthTries is reached.  If I
have it set to 6, I get only 5 tries:

$ ssh -o "NumberOfPasswordPrompts=7" fred@192.0.2.105
fred@192.0.2.105's password:
Permission denied, please try again.
fred@192.0.2.105's password:
Permission denied, please try again.
fred@192.0.2.105's password:
Permission denied, please try again.
fred@192.0.2.105's password:
Permission denied, please try again.
fred@192.0.2.105's password:
Received disconnect from 192.0.2.105: 2: Too many authentication failures

From the server:

# /usr/sbin/sshd -T | grep maxauthtries
maxauthtries 6

# grep 4704 /var/log/authlog
Mar 19 14:24:26 server sshd[4704]: Failed password for fred from
192.0.2.206 port 55295 ssh2
Mar 19 14:24:36 server sshd[4704]: Failed password for fred from
192.0.2.206 port 55295 ssh2
Mar 19 14:24:40 server sshd[4704]: Failed password for fred from
192.0.2.206 port 55295 ssh2
Mar 19 14:24:43 server sshd[4704]: Failed password for fred from
192.0.2.206 port 55295 ssh2
Mar 19 14:24:49 server sshd[4704]: Failed password for fred from
192.0.2.206 port 55295 ssh2
Mar 19 14:24:49 server sshd[4704]: error: maximum authentication
attempts exceeded for fred from 192.0.2.206 port 55295 ssh2 [preauth]
Mar 19 14:24:49 server sshd[4704]: Disconnecting authenticating user
fred 192.0.2.206 port 55295: Too many authentication failures
[preauth]

If I set the client's NumberOfPasswordPrompts to a lower number than
sshd(8)'s MaxAuthTries, that works as expected and I get the number of
tries specified by the client.  If I set the client's
NumberOfPasswordPrompts to a number greater than or equal to sshd(8)'s
MaxAuthTries, I get only one less than what was set in MaxAuthTries
instead of the full sequence.  Is there any way to get the full number
of MaxAuthTries login attempts?

Regards,
Lars

[ using 595272 bytes of bsd ELF symbol table ]
Copyright (c) 1982, 1986, 1989, 1991, 1993
        The Regents of the University of California.  All rights reserved.
Copyright (c) 1995-2017 OpenBSD. All rights reserved.  https://www.OpenBSD.org

OpenBSD 6.1-beta (GENERIC) #83: Sat Mar 18 01:48:53 MDT 2017
    [hidden email]:/usr/src/sys/arch/loongson/compile/GENERIC
real mem = 1073741824 (1024MB)
avail mem = 1057243136 (1008MB)
mainbus0 at root: Lemote Yeeloong
cpu0 at mainbus0: STC Loongson2F CPU 797 MHz, STC Loongson2F FPU
cpu0: cache L1-I 64KB D 64KB 4 way, L2 512KB 4 way
bonito0 at mainbus0: memory and PCI-X controller, rev 1
pci0 at bonito0 bus 0
rl0 at pci0 dev 7 function 0 "Realtek 8139" rev 0x10: irq 5, address
00:23:8b:59:df:48
rlphy0 at rl0 phy 0: RTL internal PHY
smfb0 at pci0 dev 8 function 0 "Silicon Motion LynxEM+" rev 0xb0:
1024x600, 16bpp
wsdisplay0 at smfb0 mux 1: console (std, vt100 emulation)
glxpcib0 at pci0 dev 14 function 0 "AMD CS5536 ISA" rev 0x03: rev 3,
32-bit 3579545Hz timer, watchdog, gpio, i2c
isa0 at glxpcib0
pckbc0 at isa0 port 0x60/5 irq 1 irq 12
pckbd0 at pckbc0 (kbd slot)
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
wsmouse0 at pms0 mux 0
mcclock0 at isa0 port 0x70/2: mc146818 or compatible
ykbec0 at isa0 port 0x381/3
gpio1 at glxpcib0: 32 pins
iic at glxpcib0 not configured
glxclk0 at glxpcib0: clock, prof
pciide0 at pci0 dev 14 function 2 "AMD CS5536 IDE" rev 0x01: DMA,
channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: <SanDisk SDCFX3-008G>
wd0: 1-sector PIO, LBA, 7641MB, 15649200 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 ignored (disabled)
auglx0 at pci0 dev 14 function 3 "AMD CS5536 Audio" rev 0x01: isa irq
9, CS5536 AC97
ac97: codec id 0x414c4760 (Avance Logic ALC655 rev 0)
audio0 at auglx0
ohci0 at pci0 dev 14 function 4 "AMD CS5536 USB" rev 0x02: isa irq 11,
version 1.0, legacy support
ehci0 at pci0 dev 14 function 5 "AMD CS5536 USB" rev 0x02: isa irq 11
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 configuration 1 interface 0 "AMD EHCI root hub" rev
2.00/1.00 addr 1
usb1 at ohci0: USB revision 1.0
uhub1 at usb1 configuration 1 interface 0 "AMD OHCI root hub" rev
1.00/1.00 addr 1
apm0 at mainbus0
umass0 at uhub0 port 1 configuration 1 interface 0 "Generic
USB2.0-CRW" rev 2.00/58.87 addr 2
umass0: using SCSI over Bulk-Only
scsibus0 at umass0: 2 targets, initiator 0
sd0 at scsibus0 targ 1 lun 0: <Generic-, Multi-Card, 1.00> SCSI0
0/direct removable serial.0bda0158114173400000
urtw0 at uhub0 port 4 configuration 1 interface 0 "Realtek RTL8187B"
rev 2.00/2.00 addr 3
urtw0: RTL8187B rev E, address 00:17:c4:4d:ed:56
vscsi0 at root
scsibus1 at vscsi0: 256 targets
softraid0 at root
scsibus2 at softraid0: 256 targets
pmon bootpath: /dev/disk/wd0
boot device: wd0
root on wd0a (5e05878d9ed345f0.a) swap on wd0b dump on wd0b


Re: OpenSSH logging and MaxAuthTries

Darren Tucker
On Sun, Mar 19, 2017 at 11:47 PM, Lars Noodén <[hidden email]> wrote:

> Looking at a recent snapshot, see dmesg at the bottom, I have two
> questions about OpenSSH logging.
>
> 1) The entry in sshd_config(5) for MaxAuthTries states the following
> about log entries:
>
>              ...  Once the number of failures reaches half this
>              value, additional failures are logged.  The default is 6.
>
> Yet the logging of failures seems to occur these days from the very first
try.
> Has this behavior changed?

No, but it's always logged password attempts regardless of whether or
not you've got to MaxAuthTries/2:

$ cvs annotate auth.c | grep -C2 max_auth
Annotations for auth.c
***************
1.13         (markus   18-Jan-01):      if (authenticated == 1 ||
1.13         (markus   18-Jan-01):          !authctxt->valid ||
1.54         (dtucker  23-May-04):          authctxt->failures >=
options.max_authtries / 2 ||
1.13         (markus   18-Jan-01):          strcmp(method, "password") == 0)
1.47         (itojun   08-Apr-03):              authlog = logit;


> 2) The client gets disconnected before MaxAuthTries is reached.  If I
> have it set to 6, I get 5 only tries:

Your log level isn't high enough to see it, but I suspect you have a
failed pubkey attempt before the password attempts.  You should be
able to see it if you add "-vvv" to the command line.

[...]
> Is there any way to get the full number of MaxAuthTries log in attempts?

Assuming my guess above is correct, PreferredAuthentications=password

--
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.


Re: OpenSSH logging and MaxAuthTries

Lars Noodén
>> 2) The client gets disconnected before MaxAuthTries is reached.  If I
>> have it set to 6, I get 5 only tries:
>
> Your log level isn't high enough to see it, but I suspect you have a
> failed pubkey attempt before the password attempts.  You should be
> able to see it if you add "-vvv" to the command line.

$  ssh-add -l
The agent has no identities.
debug1: userauth-request for user fred service ssh-connection method
none [preauth]
debug1: attempt 0 failures 0 [preauth]
debug1: userauth-request for user fred service ssh-connection method
keyboard-interactive [preauth]
debug1: attempt 1 failures 0 [preauth]
debug1: keyboard-interactive devs  [preauth]
debug1: auth2_challenge: user=fred devs= [preauth]
debug1: kbdint_alloc: devices 'bsdauth' [preauth]
debug1: auth2_challenge_start: trying authentication method 'bsdauth' [preauth]
debug1: userauth-request for user fred service ssh-connection method
password [preauth]
debug1: attempt 2 failures 1 [preauth]
Failed password for fred from 192.0.2.246 port 57386 ssh2
debug1: userauth-request for user fred service ssh-connection method
password [preauth]
> [...]
>> Is there any way to get the full number of MaxAuthTries log in attempts?
>
> Assuming my guess above is correct, PreferredAuthentications=password
>
> --
> Darren Tucker (dtucker at zip.com.au)
> GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
>     Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.


Re: OpenSSH logging and MaxAuthTries

Lars Noodén
Sorry. That previous message got mangled.

> $  ssh-add -l
> The agent has no identities.

On the server it looks like it says the client is asking for
'keyboard-interactive' first of all things:

> debug1: userauth-request for user fred service ssh-connection method
> none [preauth]
> debug1: attempt 0 failures 0 [preauth]
> debug1: userauth-request for user fred service ssh-connection method
> keyboard-interactive [preauth]
> debug1: attempt 1 failures 0 [preauth]
> debug1: keyboard-interactive devs  [preauth]
> debug1: auth2_challenge: user=fred devs= [preauth]
> debug1: kbdint_alloc: devices 'bsdauth' [preauth]
> debug1: auth2_challenge_start: trying authentication method 'bsdauth'
> [preauth]
> debug1: userauth-request for user fred service ssh-connection method
> password [preauth]
> debug1: attempt 2 failures 1 [preauth]
> Failed password for fred from 192.0.2.246 port 57386 ssh2
> debug1: userauth-request for user fred service ssh-connection method
> password [preauth]
>
>
>> [...]
>>> Is there any way to get the full number of MaxAuthTries log in attempts?
>>
>> Assuming my guess above is correct, PreferredAuthentications=password

Yes, thanks, PreferredAuthentications=password does answer the question.
Looking at the -vvv output from the SSH client, it also looks like it
was because of the keyboard-interactive:

...
debug3: preferred
gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/fred/.ssh/id_rsa
debug3: no such identity: /home/fred/.ssh/id_rsa: No such file or directory
debug1: Trying private key: /home/fred/.ssh/id_dsa
debug3: no such identity: /home/fred/.ssh/id_dsa: No such file or directory
debug1: Trying private key: /home/fred/.ssh/id_ecdsa
debug3: no such identity: /home/fred/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /home/fred/.ssh/id_ed25519
debug3: no such identity: /home/fred/.ssh/id_ed25519: No such file or directory
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug1: Authentications that can continue:
publickey,password,keyboard-interactive
debug3: userauth_kbdint: disable: no info_req_seen
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred:
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
...

So, yes, that does allow the maximum number of log-ins.

Thanks.

Regards,
Lars
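The accounting the thread arrives at, as an added model (example code written for this page, not OpenSSH's own code): it takes the logging condition from the auth.c annotate output quoted above (a failure goes to the INFO-level logger when the user is invalid, when the failure count has reached MaxAuthTries/2, or when the method is "password") and the counting rule from sshd's userauth_finish (the first "none" probe is free, every other failed request adds one to authctxt->failures, and the connection is dropped once failures >= MaxAuthTries). It assumes the logging decision is made against the failure count as it stands before the current failure is counted, which is how I read auth2.c; treat that ordering as an assumption. The client method sequences are constructed, not captured traffic, and `run_connection`, `summarize` and `Outcome` are names of this example, not sshd identifiers.

```python
# Added example, not OpenSSH code: a model of sshd's per-connection
# authentication accounting, built from two pieces of the thread:
#   * the auth.c annotate output: a failure is logged at INFO (the default
#     LogLevel) when the user is invalid, when failures have reached
#     MaxAuthTries/2, or when the method is "password"; otherwise it only
#     shows up at LogLevel DEBUG.
#   * userauth_finish()-style counting (ordering is my reading of auth2.c,
#     treat it as an assumption): the first "none" probe costs nothing,
#     every other failed request adds one to authctxt->failures, and the
#     connection is dropped once failures >= MaxAuthTries.
# The method sequences below are constructed, not captured traffic.
from dataclasses import dataclass, field
from typing import List


@dataclass
class Outcome:
    prompts: int                                        # password prompts the client got to answer
    info: List[str] = field(default_factory=list)       # failures visible at LogLevel INFO
    debug_only: List[str] = field(default_factory=list) # failures needing LogLevel DEBUG
    disconnected: bool = False


def run_connection(methods, max_authtries=6, valid_user=True, user="fred"):
    """Replay a list of client userauth requests, all of which fail.

    Returns how many password prompts the client saw before sshd gave up
    and which failures would reach authlog at INFO versus DEBUG.
    """
    failures = 0
    out = Outcome(prompts=0)
    for attempt, method in enumerate(methods, start=1):
        if method == "password":
            out.prompts += 1
        # Assumed ordering: the log level is chosen before the counter is
        # bumped, so the MaxAuthTries/2 test sees *previous* failures.
        who = user if valid_user else f"invalid user {user}"
        line = f"Failed {method} for {who}"
        if (not valid_user
                or failures >= max_authtries // 2
                or method == "password"):
            out.info.append(line)
        else:
            out.debug_only.append(line)
        # The initial "none" probe is free; everything else counts.
        if not (attempt == 1 and method == "none"):
            failures += 1
        if failures >= max_authtries:
            out.disconnected = True   # "Too many authentication failures"
            break
    return out


# Lars's default client: publickey with no keys sends nothing ("we did not
# send a packet, disable method"), so it never reaches the server;
# keyboard-interactive is tried and fails (failure 1) before the first
# password prompt.
DEFAULT_ORDER = ["none", "keyboard-interactive"] + ["password"] * 7

# The same client with PreferredAuthentications=password.
PASSWORD_ONLY = ["none"] + ["password"] * 7

# A client that offers three keys the server rejects, then passwords: the
# pubkey failures sit below MaxAuthTries/2 and never reach authlog at the
# default LogLevel, so counting "Failed password" lines undercounts attempts.
KEYS_THEN_PASSWORDS = ["none"] + ["publickey"] * 3 + ["password"] * 7


def summarize(methods, **kw):
    """Return (password prompts, INFO lines, DEBUG-only lines, disconnected)."""
    o = run_connection(methods, **kw)
    return o.prompts, len(o.info), len(o.debug_only), o.disconnected


if __name__ == "__main__":
    for name, seq in [("default method order", DEFAULT_ORDER),
                      ("PreferredAuthentications=password", PASSWORD_ONLY),
                      ("3 rejected keys first", KEYS_THEN_PASSWORDS)]:
        print(f"{name}: prompts, INFO, DEBUG-only, disconnected = {summarize(seq)}")
```

With MaxAuthTries 6 the default order yields five password prompts and five "Failed password" lines, matching the authlog excerpt at the top of the thread; forcing the password method yields six. The third sequence is the one a detection engineer should keep in mind: rejected publickey attempts from a valid user below half of MaxAuthTries are counted against the connection but are not visible in authlog at the default LogLevel.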


Re: OpenSSH logging and MaxAuthTries

Lars Noodén
On 3/20/17, Darren Tucker :

> On Sun, Mar 19, 2017 at 11:47 PM, Lars Noodén wrote:
>> Looking at a recent snapshot, see dmesg at the bottom, I have two
>> questions about OpenSSH logging.
>>
>> 1) The entry in sshd_config(5) for MaxAuthTries states the following
>> about log entries:
>>
>>              ...  Once the number of failures reaches half this
>>              value, additional failures are logged.  The default is 6.
>>
>> Yet the logging of failures seems to occur these days from the very first
>> try.
>> Has this behavior changed?
>
> No, but it's always logged password attempts regardless of whether or
> not you've got to MaxAuthTries/2:
>
> $ cvs annotate auth.c | grep -C2 max_auth
> Annotations for auth.c
> ***************
> 1.13         (markus   18-Jan-01):      if (authenticated == 1 ||
> 1.13         (markus   18-Jan-01):          !authctxt->valid ||
> 1.54         (dtucker  23-May-04):          authctxt->failures >=
> options.max_authtries / 2 ||
> 1.13         (markus   18-Jan-01):          strcmp(method, "password") ==
> 0)
> 1.47         (itojun   08-Apr-03):              authlog = logit;

Would the following change help?

Regards,
Lars

Index: sshd_config.5
===================================================================
RCS file: /cvs/src/usr.bin/ssh/sshd_config.5,v
retrieving revision 1.237
diff -u -p -u -p -r1.237 sshd_config.5
--- sshd_config.5       7 Oct 2016 14:41:52 -0000       1.237
+++ sshd_config.5       20 Mar 2017 06:10:07 -0000
@@ -1080,8 +1080,7 @@ and
 .It Cm MaxAuthTries
 Specifies the maximum number of authentication attempts permitted per
 connection.
-Once the number of failures reaches half this value,
-additional failures are logged.
+All failures are logged.
 The default is 6.
 .It Cm MaxSessions
 Specifies the maximum number of open shell, login or subsystem (e.g. sftp)
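Review bot: "All failures are logged." overstates what the quoted auth.c condition does, and the hunk drops the one sentence that was accurate. In the annotate output, `authlog = logit;` is selected only when `authenticated == 1`, `!authctxt->valid`, `authctxt->failures >= options.max_authtries / 2` or `strcmp(method, "password") == 0`; a failed publickey or keyboard-interactive attempt from a valid user below half of MaxAuthTries meets none of those and is not logged at the default LogLevel, which is exactly what the removed half-value sentence describes. Keep that sentence and add the exception instead, e.g. "Once the number of failures reaches half this value, additional failures are logged. Failed password attempts are always logged." It would also help the question raised upthread to state that the limit counts failed attempts of every method, not password prompts, since that is why a client reaches the limit one password prompt early.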
cvs server: Diffing lib
cvs server: Diffing moduli-gen
cvs server: Diffing scp
cvs server: Diffing sftp
cvs server: Diffing sftp-server
cvs server: Diffing ssh
cvs server: Diffing ssh-add
cvs server: Diffing ssh-agent
cvs server: Diffing ssh-keygen
cvs server: Diffing ssh-keyscan
cvs server: Diffing ssh-keysign
cvs server: Diffing ssh-pkcs11-helper
cvs server: Diffing sshd
