[ale] possible ssh compromise?

Ronald Chmara ron at Opus1.COM
Mon Nov 24 15:41:45 EST 2003


On Nov 24, 2003, at 10:59 AM, John Wells wrote:
> Ok....someone sanity check me here...
> I'm sshing into my home box and mistype my password a few times (fat
> fingered morning).
>
> Here's what it looks like:
>
> $ ssh myuser@myhome.net
> Password:
> Password:
> Password:
> myuser@myhome.net's password:
> myuser@myhome.net's password:
> myuser@myhome.net's password:
> Received disconnect from 66.22.42.XX 2: Too many authentication failures for myuser
> So, if I mistype the password 6 times, I get the following scenario above.
> If I ssh to a box on the local lan here at work, I instantly get
> myuser@mylocalhost's password:
> 3 times, then failure.
> no "Password:" only prompts.
> Still, it seems to me that I've used ssh a lot in the past and only gotten
> simply "Password:".
> I'm wondering if this is some configuration thing I've set incorrectly or
> something else.  My home machine is a Red Hat 7.3 system.

Wild conjecture (just stuff to look into as ideas, may not be well 
thought out.):
1. Remote sshd PAM stack might be trying to auth multiple ways (seems 
unlikely)?
2. Local password required to unlock some ssh keys (for that server, or 
your local user), then a remote password to access the server (as 
failover)? (Do you have a passphrase on these keys?)

There are a *lot* of ways to set up ssh, with different key setups, 
protocols, etc.

Basic ssh debug (sorry if this is obvious):
ssh -vv myuser@myhome.net

...To see at what steps it's asking for those levels of auth. Of 
course, you could also compare sshd configs and PAM configs (etc.) in 
both sites.

HTH,
-Bop
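
An added example, not part of the original message: one way to read the `ssh -vv` output suggested above is to tally, for each authentication method the client moved to, how many times the server rejected it. The function name `auth_rejections` and the sample log are constructed for illustration, and the debug line formats assumed are those of current OpenSSH clients.

```shell
#!/bin/sh
# Added example (not from the original thread).
# Summarise an `ssh -vv` client log: for each authentication method the
# client moved to, count how many times the server rejected it.
# Capture a log with:  ssh -vv user@host 2>ssh-debug.log

auth_rejections() {
    # stdin: ssh -vv stderr; stdout: "<method> <rejections>" in order tried
    awk '
        /^debug1: Next authentication method: / {
            cur = $NF
            if (!(cur in seen)) { seen[cur] = 1; order[++n] = cur }
            next
        }
        # Each rejected attempt makes the client log the methods still allowed.
        /^debug1: Authentications that can continue: / && cur != "" {
            rejected[cur]++
        }
        END {
            for (i = 1; i <= n; i++)
                printf "%s %d\n", order[i], rejected[order[i]]
        }
    '
}

sample_log() {
    # Constructed sample log (assumed line formats, not real captured output).
    cat <<'EOF'
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: we sent a keyboard-interactive packet, wait for reply
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: password
debug2: we sent a password packet, wait for reply
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Authentications that can continue: publickey,password,keyboard-interactive
EOF
}

sample_log | auth_rejections
```

Running the same function over logs captured against both hosts gives a side-by-side view of which methods each server offers and in what order the client falls through them.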


