SSH authentication bypass?
Joshua Judson Rosen
rozzin at geekspace.com
Wed Jun 25 12:08:05 EDT 2014
*AHA*--found the answer:
http://article.gmane.org/gmane.network.openssh.general/7446
OpenSSH implements "none" auth by trying to authenticate
with an empty password. I'm still not sure where in
the code this is actually happening, but it does seem
to work: if I just null-out my user's password, and then
enable PermitEmptyPasswords in sshd_config, then I can
use "ssh -o PreferredAuthentications=none" and it just works.
Actually, I don't even have to pass "-o PreferredAuthentications=none"--
it looks like "none" auth is tried automatically, and it really
all "just works" once I have a `passwordless' login allowed
(for some somewhat surprising meaning of "just works"...).
--
"'tis an ill wind that blows no minds."
Joshua Judson Rosen <rozzin at geekspace.com> writes:
>
> Having sshd manage auth using PKI is not what I'm looking for;
> supposedly there is a "none" auth-type that SSH can use,
> which means that SSH is just giving you an encrypted stream
> and the shell running at the end of the link is responsible
> for actually prompting for login credentials and authenticating
> (similarly to using SSL telnet, since telnetd doesn't actually
> manage logins, it just execs a "login" command and hooks
> its stdio up to the socket that goes back to the client).
>
> Glancing at the code in OpenSSH 6.0 (client and server), it looks like
> the OpenSSH client can be made to request "none" auth; and there are at
> least some *vestiges* of support for "none" auth in the server--
> like all of the code in auth2-none.c, and this comment in auth2.c:
>
> /* Allow initial try of "none" auth without failure penalty */
>
> (I also see that there's another `hidden auth mode' called "J-PAKE",
> which looks interesting but is also probably not what I want).
>
> From what little documentation I see on sshd's ChallengeResponseAuthentication
> option, it seems like that might let me do this... but only if I
> implement the authenticating end as a PAM module rather than something
> like a "login command"...
>
> Help!?
>
> Do I `just' need to patch sshd to actually accept "none" auth?
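The combination described above (an account with an empty password field plus PermitEmptyPasswords yes) is exactly the condition a defender would want to detect on a fleet. The script below is an added example and is not part of the original post or of OpenSSH; the sshd_config and shadow-format inputs are constructed inline, the file paths are temporary, and it assumes sshd's rule that the first occurrence of a keyword wins (it does not model Match blocks).

```shell
#!/bin/sh
# Added example (not from the mailing list thread): audit an sshd_config and a
# shadow-format file for the "passwordless SSH login" combination.
# Assumptions: sshd keywords are case-insensitive and the FIRST occurrence of a
# keyword is the effective one; Match blocks are not modelled.

# Return 0 if PermitEmptyPasswords is effectively "yes" in the given config file.
permit_empty_passwords() {
    # skip comments, take the first matching keyword line, lower-case its value
    val=$(grep -iE '^[[:space:]]*PermitEmptyPasswords[[:space:]]+' "$1" \
          | head -n 1 | awk '{print tolower($2)}')
    [ "$val" = "yes" ]
}

# Print the usernames whose password field (2nd colon-separated field) is empty,
# i.e. accounts that an empty-password attempt would satisfy.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Combined check: return 0 (finding) only when both conditions hold, else 1.
audit_passwordless_ssh() {
    cfg=$1
    shadow=$2
    accounts=$(empty_password_accounts "$shadow")
    if permit_empty_passwords "$cfg" && [ -n "$accounts" ]; then
        echo "FINDING: PermitEmptyPasswords yes and empty-password accounts: $accounts"
        return 0
    fi
    echo "ok: no passwordless SSH login path in $cfg"
    return 1
}

# Constructed sample inputs (not real system files) so the script runs offline.
tmpdir=$(mktemp -d)
cat > "$tmpdir/sshd_config" <<'EOF'
# constructed sshd_config with the weak setting
Port 22
PermitEmptyPasswords yes
PasswordAuthentication yes
EOF
cat > "$tmpdir/sshd_config.safe" <<'EOF'
# constructed sshd_config with the default setting
PermitEmptyPasswords no
EOF
cat > "$tmpdir/shadow" <<'EOF'
root:$6$saltsalt$hashhash:19000:0:99999:7:::
rozzin::19000:0:99999:7:::
nobody:*:19000:0:99999:7:::
EOF

# Usage against the constructed files (on a real host: /etc/ssh/sshd_config, /etc/shadow)
audit_passwordless_ssh "$tmpdir/sshd_config" "$tmpdir/shadow"
audit_passwordless_ssh "$tmpdir/sshd_config.safe" "$tmpdir/shadow"
```

Running it prints one FINDING line for the weak config (naming the `rozzin` account) and an "ok" line for the safe one; the `!` password of `nobody` is correctly treated as locked rather than empty. On a real host, point the two functions at /etc/ssh/sshd_config and /etc/shadow and run `sshd -T` first if Match blocks are in use, since this script only reads the raw file.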