SSH authentication bypass?

Tom Buskey tom at buskey.name
Wed Jun 25 14:46:12 EDT 2014


On Wed, Jun 25, 2014 at 12:08 PM, Joshua Judson Rosen <rozzin at geekspace.com>
wrote:

> *AHA*--found the answer:
>
>     http://article.gmane.org/gmane.network.openssh.general/7446
>
> OpenSSH implements "none" auth by trying to authenticate
> with an empty password. I'm still not sure where in
> the code this is actually happening, but it does seem
> to work: if I just null-out my user's password, and then
> enable PermitEmptyPasswords in sshd_config, then I can
> use "ssh -o PreferredAuthentications=none" and it just works.
>
> Actually, I don't even have to pass "-o PreferredAuthentications=none"--
> it looks like "none" auth is tried automatically, and it really
> all "just works" once I have a `passwordless' login allowed
> (for some somewhat surprising meaning of "just works"...).
>
>
I've created passwordless SSH keys.  That turns it into having a shared
secret, which is better than a blank password IMO.  I think the keys would
work even if the account is locked in /etc/shadow and possibly other auth
methods.
> --
> "'tis an ill wind that blows no minds."
>
>
> Joshua Judson Rosen <rozzin at geekspace.com> writes:
> >
> > Having sshd manage auth using PKI is not what I'm looking for;
> > supposedly there is a "none" auth-type that SSH can use,
> > which means that SSH is just giving you an encrypted stream
> > and the shell running at the end of the link is responsible
> > for actually prompting for login credentials and authenticating
> > (similarly to using SSL telnet, since telnetd doesn't actually
> >  manage logins, it just execs a "login" command and hooks
> >  its stdio up to the socket that goes back to the client).
> >
> > Glancing at the code in OpenSSH 6.0 (client and server), it looks like
> > the OpenSSH client can be made to request "none" auth; and there are at
> > least some *vestiges* of support for "none" auth in the server--
> > like all of the code in auth2-none.c, and this comment in auth2.c:
> >
> >         /* Allow initial try of "none" auth without failure penalty */
> >
> > (I also see that there's another `hidden auth mode' called "J-PAKE",
> > which looks interesting but is also probably not what I want).
> >
> > From what little documentation I see on sshd's ChallengeResponseAuthentication
> > option, it seems like that might let me do this... but only if I
> > implement the authenticating end as a PAM module rather than something
> > like a "login command"...
> >
> > Help!?
> >
> > Do I `just' need to patch sshd to actually accept "none" auth?
> _______________________________________________
> gnhlug-discuss mailing list
> gnhlug-discuss at mail.gnhlug.org
> http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/
>
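The two states the thread describes ("null out the password field" plus "PermitEmptyPasswords yes") are easy to audit, and the audit has one trap worth demonstrating: sshd_config keeps the first value it sees for a keyword, so appending "PermitEmptyPasswords no" at the end of a file that already says "yes" changes nothing. Below is an added example, not code from this thread or from OpenSSH, written as a POSIX shell script. The sshd_config and shadow-format files are constructed samples written to a temp directory; the rule that "none" auth is only reachable when PasswordAuthentication is also on is this example's reading of the server code and is treated as an assumption; directives inside Match blocks are skipped because they need per-user evaluation the example does not attempt.

```shell
#!/bin/sh
# Added example, not code from the thread: audit the sshd settings and the
# shadow-file state behind the "none"/empty-password login the thread
# describes. All inputs are constructed samples written to a temp dir.

# Effective value of one sshd_config keyword. sshd uses the FIRST value it
# finds for a keyword, so a later "PermitEmptyPasswords no" does not undo an
# earlier "yes". Directives inside Match blocks are skipped here; they apply
# conditionally and need a per-user evaluation this example does not do.
sshd_option() {   # $1 = sshd_config, $2 = keyword, $3 = default if absent
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$key" -v dflt="$3" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "match" { in_match = 1 }
        in_match { next }
        tolower($1) == key && !found { found = 1; val = ($2 == "=") ? $3 : $2 }
        END { print (found ? val : dflt) }
    ' "$1"
}

# Accounts whose shadow password field is empty ("null-out my user's
# password" in the thread): the state PermitEmptyPasswords turns into a
# credential-less login.
empty_password_accounts() {   # $1 = shadow-format file
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Accounts whose field is a lock marker (! or *) rather than a hash. Whether
# sshd still accepts a key for these depends on the sshd build and PAM
# setup; this function only reports the field and makes no such claim.
locked_accounts() {   # $1 = shadow-format file
    awk -F: '$2 ~ /^[!*]/ { print $1 }' "$1"
}

# Returns 1 when the empty-password path is open: PermitEmptyPasswords yes
# AND at least one empty field. The PasswordAuthentication gate is this
# example's assumption about how "none" is routed through password auth;
# check it against the sshd version you actually run.
audit_none_login() {   # $1 = sshd_config, $2 = shadow-format file
    pep=$(sshd_option "$1" PermitEmptyPasswords no)
    pwauth=$(sshd_option "$1" PasswordAuthentication yes)
    empties=$(empty_password_accounts "$2" | tr '\n' ' ')
    if [ "$pep" = yes ] && [ "$pwauth" = yes ] && [ -n "$empties" ]; then
        echo "RISK: PermitEmptyPasswords=yes and empty password fields: $empties"
        return 1
    fi
    echo "OK: PermitEmptyPasswords=$pep PasswordAuthentication=$pwauth empty fields: ${empties:-none}"
    return 0
}

# Constructed samples: the thread's "just works" config, a hardened one,
# and a shadow file with one empty field and two locked accounts.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/sshd_config" <<'EOF'
# first value wins, so the trailing "no" below is inert
PasswordAuthentication yes
PermitEmptyPasswords yes
ChallengeResponseAuthentication no
PermitEmptyPasswords no
Match User guest
    PermitEmptyPasswords no
EOF
    cat > "$dir/sshd_config.hardened" <<'EOF'
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
EOF
    cat > "$dir/shadow" <<'EOF'
root:$6$saltsalt$notarealhash:16000:0:99999:7:::
guest::16000:0:99999:7:::
svc:!:16000:0:99999:7:::
bob:*:16000:0:99999:7:::
alice:$6$othersalt$notarealhash:16000:0:99999:7:::
EOF
    printf '%s\n' "$dir"
}

samples=$(make_samples)
audit_none_login "$samples/sshd_config" "$samples/shadow" || :
audit_none_login "$samples/sshd_config.hardened" "$samples/shadow" || :
```

Run against the first sample it reports RISK for "guest"; against the hardened config it reports OK even though the empty field is still there, which is the point: sshd_config only closes the sshd path, and other consumers of /etc/shadow (local login, su) may also treat an empty field as no password, so the fix the audit should drive is clearing the field, not only editing sshd_config. Point the three functions at the real /etc/ssh/sshd_config and /etc/shadow (as root) to use it outside the sample.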