SSH authentication bypass?

Joshua Judson Rosen rozzin at geekspace.com
Wed Jun 25 11:23:31 EDT 2014 

Having sshd manage auth using PKI is not what I'm looking for;
supposedly there is a "none" auth-type that SSH can use,
which means that SSH is just giving you an encrypted stream
and the shell running at the end of the link is responsible
for actually prompting for login credentials and authenticating
(similarly to using SSL telnet, since telnetd doesn't actually
 manage logins, it just execs a "login" command and hooks
 its stdio up to the socket that goes back to the client).

Glancing at the code in OpenSSH 6.0 (client and server), it looks like
the OpenSSH client can be made to request "none" auth; and there are at
least some *vestiges* of support for "none" auth in the server--
like all of the code in auth2-none.c, and this comment in auth2.c:

        /* Allow initial try of "none" auth without failure penalty */

(I also see that there's another `hidden auth mode' called "J-PAKE",
which looks interesting but is also probably not what I want).

>From what little documentation I see on sshd's ChallengeResponseAuthentication
option, it seems like that might let me do this... but only if I
implement the authenticating end as a PAM module rather than something
like a "login command"...

Help!?

Do I `just' need to patch sshd to actually accept "none" auth?

-- 
"'tis an ill wind that blows no minds."

John Feole <jfeole at gmail.com> writes:
>
> I'm a little rusty, but i usedmto admin Solaris machines using keys with
> winders client using something like this doc:
>
> http://www.tonido.com/blog/index.php/2009/02/20/
> ssh-without-password-using-putty/#.U6oG7JHD8b0
>
> Regards,
> jfeole
>
> On Jun 24, 2014 5:21 PM, "Joshua Judson Rosen" <rozzin at geekspace.com> wrote:
>
>     Poking around in PuTTY..., there's an SSH auth setting labeled:
>    
>            Bypass authentication entirely (SSH-2 only)
>    
>     I have an application where that'd be great;
>     how the heck do I configure sshd to let that work?
>    
>     --
>     "'tis an ill wind that blows no minds."
>     _______________________________________________
>     gnhlug-discuss mailing list
>     gnhlug-discuss at mail.gnhlug.org
>     http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/
>
>
> _______________________________________________
> gnhlug-discuss mailing list
> gnhlug-discuss at mail.gnhlug.org
> http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/

More information about the gnhlug-discuss mailing list