#1
  1. o0o.o0o
    Devshed Newbie (0 - 499 posts)

    Join Date
    Feb 2001
    Location
    m00n
    Posts
    194
    Rep Power
    102

    OpenSSH question


    Does OpenSSH have some default mechanism that will lock a user out after too many failed logins?

    If so, how is a lock-out remedied, and how would one adjust settings so this would not happen (or happen as often)?

    Thanks,
    Brett
  2. #2
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jan 2001
    Posts
    4
    Rep Power
    0
    >> will lock a user out

    That depends on what your definition of lock is. Perhaps you want to block inbound port 22 at the packet filter level? Then you need to run sshd under tcpserver.
    Keep in mind, sshd alone can't deny a connection attempt. That's why it's usually built with TCP wrappers support. You can dynamically append his IP to /etc/hosts.allow, but you need to write a script to do that.
    Or you can write a script to parse the ssh log file and append that IP to tcpserver's sshd file, then rebuild the sshd.cdb database.
    Either way, there shouldn't be any permission problem because sshd needs to run as root.
  4. #3
  5. o0o.o0o
    Devshed Newbie (0 - 499 posts)

    Join Date
    Feb 2001
    Location
    m00n
    Posts
    194
    Rep Power
    102

    clarification


    I appreciate the reply, but I am not sure I expressed my problem correctly.

    Last night I logged into my collocated FreeBSD box using ssh like always. I got in successfully, modified a single .html file, then logged out. I then tried to re-login again a little later, messed up the pw initially, then on each successive logon since, I have been unable to get back in. It gives me the message:

    Permission denied, please try again.
    I even tried logging in from another machine, and I get the same thing. In the past, of course, I have messed up the login from time to time, but I have never been denied like this.

    I have made sure of all the usual - caps lock on/off, etc, but to no avail.

    The machine is still running, and is serving up webpages like a champ. MySQL is working fine, and as far as I can tell so are the other services.

    Any thoughts?

    Thanks,
    Brett
  6. #4
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jan 2001
    Posts
    4
    Rep Power
    0
    That "Permission denied" could be caused by many possibilities, just to name a few: hosts.allow, pam.conf or even a broken key. What you should do is add the -v flag like so:

    ssh -v 12.34.56.78

    That should give you more clues about the problem.
  8. #5
  9. o0o.o0o
    Devshed Newbie (0 - 499 posts)

    Join Date
    Feb 2001
    Location
    m00n
    Posts
    194
    Rep Power
    102
    Ok, I tried it, and I get no more insight. As much as I do not want to, I am going to get it rebooted. If that doesn't work, I guess I will have to get into it where it is physically located.

    Thanks for the help though.

    Brett
  10. #6
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jan 2001
    Posts
    4
    Rep Power
    0
    >> I tried it, and I get no more insight

    Why don't you show us the unedited output of that?
  12. #7
  13. o0o.o0o
    Devshed Newbie (0 - 499 posts)

    Join Date
    Feb 2001
    Location
    m00n
    Posts
    194
    Rep Power
    102

    output ...


    Code:
    ssh -v estrabd@www.brettsbsd.net
    debug: SshAppCommon/sshappcommon.c:154/ssh_app_get_global_regex_context: Allocating global SshRegex context.
    debug: SshConfig/sshconfig.c:2184/ssh2_parse_config: Unable to open /home/glacier/estrade/.ssh2/ssh2_config
    debug: Connecting to www.brettsbsd.net, port 22...
    debug: Ssh2/ssh2.c:1956/main: Entering event loop.
    debug: Ssh2Client/sshclient.c:1330/ssh_client_wrap: Creating transport protocol.
    debug: SshAuthMethodClient/sshauthmethodc.c:136/ssh_client_authentication_initialize: Added "publickey" to usable methods.
    debug: SshAuthMethodClient/sshauthmethodc.c:136/ssh_client_authentication_initialize: Added "password" to usable methods.
    debug: Ssh2Client/sshclient.c:1362/ssh_client_wrap: Creating userauth protocol.
    debug: client supports 2 auth methods: 'publickey,password'
    debug: Ssh2Common/sshcommon.c:495/ssh_common_wrap: local ip = ::ffff:80a0:2ad, local port = 64797
    debug: Ssh2Common/sshcommon.c:497/ssh_common_wrap: remote ip = 208.232.10.16, remote port = 22
    debug: SshConnection/sshconn.c:1889/ssh_conn_wrap: Wrapping...
    debug: Remote version: SSH-1.99-OpenSSH_2.3.0 FreeBSD localisations 20010713
    debug: Major: 2 Minor: 3 Revision: 0
    debug: Ssh2Transport/trcommon.c:1285/ssh_tr_input_version: Remote version has kex packet guess determination bug.
    debug: Ssh2Transport/trcommon.c:1289/ssh_tr_input_version: Remote version has hostbased looping on failure bug.
    debug: Ssh2Transport/trcommon.c:1293/ssh_tr_input_version: Remote version can only handle one key in "hostbased" auth.
    debug: Ssh2Transport/trcommon.c:1373/ssh_tr_input_version: Remote version has rekey incompatibility bug.
    debug: Ssh2Transport/trcommon.c:1375/ssh_tr_input_version: Remote version is OpenSSH, KEX guesses disabled.
    debug: Ssh2Transport/trcommon.c:1716/ssh_tr_negotiate: lang s to c: `', lang c to s: `'
    debug: Ssh2Transport/trcommon.c:1781/ssh_tr_negotiate: c_to_s: cipher aes128-cbc, mac hmac-sha1, compression none
    debug: Ssh2Transport/trcommon.c:1784/ssh_tr_negotiate: s_to_c: cipher aes128-cbc, mac hmac-sha1, compression none
    debug: Remote host key found from database.
    debug: Ssh2Common/sshcommon.c:290/ssh_common_special: Received SSH_CROSS_STARTUP packet from connection protocol.
    debug: Ssh2Common/sshcommon.c:340/ssh_common_special: Received SSH_CROSS_ALGORITHMS packet from connection protocol.
    debug: server offers auth methods 'publickey,password'.
    debug: SshConfig/sshconfig.c:2184/ssh2_parse_config: Unable to open /home/glacier/estrade/.ssh2/identification
    debug: Ssh2AuthClient/sshauthc.c:315/ssh_authc_completion_proc: Method 'publickey' disabled.
    debug: server offers auth methods 'publickey,password'.
    debug: Ssh2AuthPasswdClient/authc-passwd.c:95/ssh_client_auth_passwd: Starting password query...
    estrabd's password: 
    debug: server offers auth methods 'publickey,password'.
    debug: Ssh2AuthPasswdClient/authc-passwd.c:95/ssh_client_auth_passwd: Starting password query...
    estrabd's password: 
    debug: server offers auth methods 'publickey,password'.
    debug: Ssh2AuthPasswdClient/authc-passwd.c:95/ssh_client_auth_passwd: Starting password query...
    estrabd's password: 
    debug: server offers auth methods 'publickey,password'.
    debug: Ssh2AuthClient/sshauthc.c:315/ssh_authc_completion_proc: Method 'password' disabled.
    debug: server offers auth methods 'publickey,password'.
    debug: Ssh2Common/sshcommon.c:137/ssh_common_disconnect: DISCONNECT received: No further authentication methods available.
    warning: Authentication failed.
    debug: Ssh2/ssh2.c:116/client_disconnect: locally_generated = TRUE
    Disconnected; no more authentication methods available (No further authentication methods available.).
    debug: Ssh2Client/sshclient.c:1395/ssh_client_destroy: Destroying client.
    debug: SshConnection/sshconn.c:1937/ssh_conn_destroy: Destroying SshConn object.
    debug: Ssh2Client/sshclient.c:1448/ssh_client_destroy_finalize: Destroying client completed.
    debug: SshAuthMethodClient/sshauthmethodc.c:162/ssh_client_authentication_uninitialize: Destroying authentication method array.
    I appreciate the continued help...brett
  14. #8
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jan 2001
    Posts
    4
    Rep Power
    0
    How come your $HOME has a path of /home/glacier/estrade?
    If you have been using the publickey auth method in the past, it appears that the permission in your $HOME has been modified or changed, and sshd falls back to trying password auth, but it also fails. You must have done something incorrectly recently, causing that kind of permission problem, if it's really a permission issue.
    Sorry, I have never faced such a problem before, so I really can't provide much help on fixing it.
  16. #9
  17. o0o.o0o
    Devshed Newbie (0 - 499 posts)

    Join Date
    Feb 2001
    Location
    m00n
    Posts
    194
    Rep Power
    102

    more output


    This is from my home machine (FreeBSD); glacier is my machine at work (Solaris).

    Code:
    Script started on Wed Mar 13 17:43:54 2002
    bash-2.05$ ssh -v www.brettsbsd.net
    SSH Version OpenSSH_2.3.0 FreeBSD localisations 20010713, protocol versions 1.5/2.0.
    Compiled with SSL (0x0090601f).
    debug: Reading configuration data /etc/ssh/ssh_config
    debug: ssh_connect: getuid 1000 geteuid 1000 anon 1
    debug: Connecting to www.brettsbsd.net [208.232.10.16] port 22.
    debug: Connection established.
    debug: Remote protocol version 1.99, remote software version OpenSSH_2.3.0 FreeBSD localisations 20010713
    debug: match: OpenSSH_2.3.0 FreeBSD localisations 20010713 pat ^OpenSSH[-_]2\.3
    debug: Local version string SSH-1.5-OpenSSH_2.3.0 FreeBSD localisations 20010713
    debug: Waiting for server public key.
    debug: Received server public key (768 bits) and host key (1024 bits).
    debug: Host 'www.brettsbsd.net' is known and matches the RSA host key.
    debug: Encryption type: 3des
    debug: Sent encrypted session key.
    debug: Installing crc compensation attack detector.
    debug: Received encrypted confirmation.
    debug: Doing password authentication.
    estrabd@www.brettsbsd.net's password: 
    Permission denied, please try again.
    estrabd@www.brettsbsd.net's password: 
    Permission denied, please try again.
    estrabd@www.brettsbsd.net's password: 
    Permission denied.
    debug: Calling cleanup 0x8058204(0x0)
    bash-2.05$ exit
    Script done on Wed Mar 13 17:44:22 2002
    Thanks,
    Brett
    Last edited by estrabd; March 13th, 2002 at 08:23 PM.
  18. #10
  19. o0o.o0o
    Devshed Newbie (0 - 499 posts)

    Join Date
    Feb 2001
    Location
    m00n
    Posts
    194
    Rep Power
    102

    more insight from sshd_config


    Could this be the cause:

    Code:
    # After 10 unauthenticated connections, refuse 30% of the new ones, and
    # refuse any more than 60 total.
    MaxStartups 10:30:60
    I have had it up long enough for it to be a real possibility that I messed up the login over 60 times. Is this line saying that after 60 bad logins, it refuses the connection?

    Brett
  20. #11
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jan 2001
    Posts
    4
    Rep Power
    0
    >> MaxStartups 10:30:60

    That's not the original cause of the login failure problem. The main problem is why it should have failed in the first place. Prior to that problem, which auth type did you use? Interactive or non-interactive? Like I said, it could be a corrupted key, so sshd fell back to use password authentication, but you have never configured sshd to use password authentication (/etc/pam.conf problem).
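
Added example, not written by any poster in this thread: as sshd_config(5) describes it, MaxStartups start:rate:full limits connections that are open at the same time and not yet authenticated; it does not count failed logins. The sketch below computes the refusal chance for the 10:30:60 setting quoted above and replays a constructed event list; the function names and the event format are hypothetical.

```shell
#!/bin/sh
# maxstartups_drop_pct SPEC UNAUTH
# SPEC is "start:rate:full" as in sshd_config. UNAUTH is the number of
# connections that are open but not yet authenticated at this moment.
# Prints the percent chance that sshd refuses one more new connection.
maxstartups_drop_pct() {
    spec=$1 unauth=$2
    start=${spec%%:*}; rest=${spec#*:}
    rate=${rest%%:*};  full=${rest#*:}
    if [ "$unauth" -lt "$start" ]; then
        echo 0
    elif [ "$unauth" -ge "$full" ]; then
        echo 100
    else
        # linear ramp from rate% at start up to 100% at full
        echo $(( rate + (100 - rate) * (unauth - start) / (full - start) ))
    fi
}

# peak_unauth: reads constructed events on stdin, one per line, and prints
# the highest number of simultaneous unauthenticated connections.
#   connect        a new TCP connection reaches sshd
#   authenticated  a pending connection logs in successfully
#   closed         a pending connection ends without logging in
peak_unauth() {
    cur=0 top=0
    while read -r ev; do
        case $ev in
            connect)              cur=$((cur + 1)) ;;
            authenticated|closed) if [ "$cur" -gt 0 ]; then cur=$((cur - 1)); fi ;;
        esac
        if [ "$cur" -gt "$top" ]; then top=$cur; fi
    done
    echo "$top"
}

# Constructed sample: 60 failed logins made one after another.
sixty_sequential_failures() {
    i=0
    while [ "$i" -lt 60 ]; do
        printf 'connect\nclosed\n'
        i=$((i + 1))
    done
}

n=$(sixty_sequential_failures | peak_unauth)
echo "peak unauthenticated: $n, refusal chance: $(maxstartups_drop_pct 10:30:60 "$n")%"
```

Sixty failures in a row never put more than one pending connection on the server, so this setting stays far below its threshold.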
  22. #12
  23. o0o.o0o
    Devshed Newbie (0 - 499 posts)

    Join Date
    Feb 2001
    Location
    m00n
    Posts
    194
    Rep Power
    102

    I am an idiot


    Figured out the problem after I arranged getting physical access to my machine.

    I changed the login shells for root and my uid to be bash. Well, bash wasn't installed in the directory specified.

    I appreciate the help.

    Brett
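
Added example, not part of the thread: a POSIX sh check for the root cause found in post #12, a login shell in the passwd file that points at a path where nothing is installed. The accounts and the /usr/local/bin/bash path in the sample are constructed, and the function name check_login_shells is hypothetical.

```shell
#!/bin/sh
# check_login_shells PASSWD_FILE SHELLS_FILE [ROOT]
# Prints one line per account whose login shell can block a login:
#   user:shell:reason
# ROOT is an optional prefix so the check can run against a staged or
# mounted filesystem (and against the constructed sample below).
# Accounts deliberately set to a nologin shell may show up as
# not-in-shells; that is expected for them.
check_login_shells() {
    passwd_file=$1 shells_file=$2 root=${3:-}
    while IFS=: read -r user _pw _uid _gid _gecos _home shell; do
        case $user in ''|'#'*) continue ;; esac   # skip blanks and comments
        if [ -z "$shell" ]; then shell=/bin/sh; fi # empty field means /bin/sh
        if [ ! -e "$root$shell" ]; then
            echo "$user:$shell:missing"
        elif [ -d "$root$shell" ] || [ ! -x "$root$shell" ]; then
            echo "$user:$shell:not-executable"
        elif ! grep -qxF -- "$shell" "$shells_file"; then
            echo "$user:$shell:not-in-shells"
        fi
    done < "$passwd_file"
}

# Constructed sample: two accounts were switched to bash, but bash was
# never installed at that path (the path itself is an assumption).
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/bin"
    printf '#!/bin/sh\n' > "$tmp/bin/sh";  chmod 755 "$tmp/bin/sh"
    printf '#!/bin/sh\n' > "$tmp/bin/csh"; chmod 644 "$tmp/bin/csh"
    printf '%s\n' /bin/sh /bin/csh /usr/local/bin/bash > "$tmp/shells"
    cat > "$tmp/passwd" <<'EOF'
root:*:0:0:Superuser:/root:/usr/local/bin/bash
alice:*:1000:1000:Alice:/home/alice:/usr/local/bin/bash
www:*:80:80:Web Owner:/nonexistent:/bin/sh
ops:*:1001:1001:Ops:/home/ops:/bin/csh
EOF
    check_login_shells "$tmp/passwd" "$tmp/shells" "$tmp"
    rm -rf "$tmp"
}

demo
```

On a live system the call would be `check_login_shells /etc/passwd /etc/shells`, run from an existing root session after any shell change and before logging out.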
