From owner-freebsd-security@FreeBSD.ORG Wed Jul 21 13:33:37 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 895F516A4CE for ; Wed, 21 Jul 2004 13:33:37 +0000 (GMT) Received: from gwdu60.gwdg.de (gwdu60.gwdg.de [134.76.8.60]) by mx1.FreeBSD.org (Postfix) with ESMTP id A0C6E43D46 for ; Wed, 21 Jul 2004 13:33:36 +0000 (GMT) (envelope-from kheuer2@gwdg.de) Received: from gwdu60.gwdg.de (localhost [127.0.0.1]) by gwdu60.gwdg.de (8.12.11/8.12.8) with ESMTP id i6LDXZuc068645; Wed, 21 Jul 2004 15:33:35 +0200 (CEST) (envelope-from kheuer2@gwdg.de) Received: from localhost (kheuer2@localhost)i6LDXZwa068642; Wed, 21 Jul 2004 15:33:35 +0200 (CEST) X-Authentication-Warning: gwdu60.gwdg.de: kheuer2 owned process doing -bs Date: Wed, 21 Jul 2004 15:33:34 +0200 (CEST) From: Konrad Heuer To: Tig In-Reply-To: <20040721232232.5d8b5bab@piglet.goo> Message-ID: <20040721152912.O64009@gwdu60.gwdg.de> References: <20040721193527.2647e696@piglet.goo> <20040721140750.M64009@gwdu60.gwdg.de> <20040721232232.5d8b5bab@piglet.goo> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII cc: freebsd-security@freebsd.org Subject: Re: ssh and root on 4.10 = password discovery (maybe) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 21 Jul 2004 13:33:37 -0000 On Wed, 21 Jul 2004, Tig wrote: > On Wed, 21 Jul 2004 14:12:45 +0200 (CEST) > Konrad Heuer wrote: > > > > > I roughly remember to have read about that problem for older versions > > of OpenSSH. > > > > But on my 4.10 boxes, there's no problem. Looks always like this, > > correct and incorrect password given: > > > > % ssh root@box > > root@boxes's password: > > Permission denied, please try again. > > root@boxes's password: > > Permission denied, please try again. > > > > Version: > > > > % ssh -V > > OpenSSH_3.5p1 FreeBSD-20030924, SSH protocols 1.5/2.0, OpenSSL > > 0x0090704f > > Well, this is strange. The 5.2.1 box and the 4.10 box both have the same > sshd_conf options, however the OpenSSH versions are different (but > expected) > > 5.2.1 > OpenSSH_3.6.1p1 FreeBSD-20030924, SSH protocols 1.5/2.0, OpenSSL > 0x0090703f > > 4.10 > OpenSSH_3.5p1 FreeBSD-20030924, SSH protocols 1.5/2.0, OpenSSL > 0x0090704f > > Do you have any non-default settings to disable remote root access on > your 4.10 box? This 4.10 box was recently upgraded from 4.9 (using > cvsup), maybe I missed something is all I can think of. Here are the lines of my sshd_config which are uncommented: PermitRootLogin forced-commands-only IgnoreRhosts no RhostsRSAAuthentication yes HostbasedAuthentication yes ChallengeResponseAuthentication no X11Forwarding yes UsePrivilegeSeparation yes Compression yes Subsystem sftp /usr/libexec/sftp-server Best regards Konrad Heuer (kheuer2@gwdg.de) ____ ___ _______ GWDG / __/______ ___ / _ )/ __/ _ \ Am Fassberg / _// __/ -_) -_) _ |\ \/ // / 37077 Goettingen /_/ /_/ \__/\__/____/___/____/ Germany