C. Linus Hicks wrote:
Since I have PasswordAuthentication turned off, I was under the
impression that a brute force password attack on my system was not
possible. That is, it would not allow anyone to attempt a login by
providing username/password. The fact that it seems to be allowing
password authentication has me wondering if there is a bug. Am I not
understanding what this flag does? When I try to connect from one of my
other systems via username/password to this ssh server, I don't get the
chance to enter a password, and my logfiles look different from what
happens during an attack.
Most clients start an authentication with a request for "none"
authentication, which generates a list of "authentications that can
continue". The client will then try whichever of those methods that it
can, based on its configuration.
The worm (or whatever it is) appears to not get that list and just try
password auth, which is why you see the attempts in the log.
I do understand that a computer on a public network can be the target of
brute force password attacks, but doesn't that become impossible when
public key authentication is the only way allowed?
So my question is, is there a bug, or do I have something wrong in my
config file? And do my logfiles really tell me that username/password
authentication is happening?
They're telling you that a client attempted password authentication and
that it failed (in this case, because the password authentication is
entirely disabled). There's nothing the server can do to stop the
client sending that, the only thing it can do is ignore it (which it
does, see below).
Here is a sample from my log file:
Oct 4 15:15:09 lh2 sshd[28337]: Could not reverse map address 202.33.56.20.
Oct 4 15:15:09 lh2 sshd[28337]: Failed password for root from 202.33.56.20
port 47240 ssh2
Oct 4 15:15:09 lh2 sshd[28337]: Received disconnect from 202.33.56.20: 11: Bye
Bye
In auth2.c, input_userauth_request() does a lookup of the authmethod
before actually attempting the authentication.
/* try to authenticate user */
m = authmethod_lookup(method);
if (m != NULL) {
debug2("input_userauth_request: try method %s", method);
authenticated =>m->userauth(authctxt);
}
and authmethod_lookup checks the "disabled" flag (this is what
"PasswordAuthentication no" sets) before returning the method. If you
have the password method disabled, the authentication will not be tested
by the server and the userauth request from the client will just fail.
You can confirm this by turning up the debug level on sshd. You'll get
a "Unrecognized authentication method name: password" from
authmethod_lookup and you won't see the "try method" messages for these
requests.
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
