Date: Wed, 21 Jul 2004 14:12:45 +0200 (CEST) From: Konrad Heuer <kheuer2@gwdg.de> To: Tig <tigger@onemoremonkey.com> Cc: freebsd-security@freebsd.org Subject: Re: ssh and root on 4.10 = password discovery (maybe) Message-ID: <20040721140750.M64009@gwdu60.gwdg.de> In-Reply-To: <20040721193527.2647e696@piglet.goo> References: <20040721193527.2647e696@piglet.goo>
next in thread | previous in thread | raw e-mail | index | archive | help
On Wed, 21 Jul 2004, Tig wrote: > Hello. I'm not 100% sure if this is a configuration error on my side or > a 'bad idea' on sshd/FreeBSD sides. > > A remote root ssh connection to a FreeBSD 4.10 server (with no remote > root access) will allow you to 'work out' the root password. However, if > you try the same against 5.2.1 FreeBSD, you have little chance. The > following are pretty clear examples. > > If this is a config mistake on my side, please let me know as I have > clearly done something wrong. > > Correct root password - 4.10 > tigger@piglet:~% ssh root@4.10-FreeBSD > Password: > Connection to 4.10-FreeBSD closed by remote host. > Connection to 4.10-FreeBSD closed. > tigger@piglet:~% > > Incorrect root password - 4.10 > tigger@piglet:~% ssh root@4.10-FreeBSD > Password: > Password: > Password: > root@lilypie.com's password: > Permission denied, please try again. > root@lilypie.com's password: > Permission denied, please try again. > root@lilypie.com's password: > Permission denied (publickey,password,keyboard-interactive). > tigger@piglet:~% > > Correct root password - 5.2.1 > tigger@piglet:~% ssh root@5.2.1-FreeBSD > Password: > Password: > Password: > root@eeeor.goo's password: > Permission denied, please try again. > root@eeeor.goo's password: > Permission denied, please try again. > root@eeeor.goo's password: > Permission denied (publickey,password,keyboard-interactive). I roughly remember to have read about that problem for older versions of OpenSSH. But on my 4.10 boxes, there's no problem. Looks always like this, correct and incorrect password given: % ssh root@box root@boxes's password: Permission denied, please try again. root@boxes's password: Permission denied, please try again. Version: % ssh -V OpenSSH_3.5p1 FreeBSD-20030924, SSH protocols 1.5/2.0, OpenSSL 0x0090704f Best regards Konrad Heuer (kheuer2@gwdg.de) ____ ___ _______ GWDG / __/______ ___ / _ )/ __/ _ \ Am Fassberg / _// __/ -_) -_) _ |\ \/ // / 37077 Goettingen /_/ /_/ \__/\__/____/___/____/ Germany
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040721140750.M64009>