Date: Wed, 21 Jul 2004 23:22:32 +1000
From: Tig
To: freebsd-security@freebsd.org
Subject: Re: ssh and root on 4.10 = password discovery (maybe)
Message-Id: <20040721232232.5d8b5bab@piglet.goo>
In-Reply-To: <20040721140750.M64009@gwdu60.gwdg.de>
References: <20040721193527.2647e696@piglet.goo> <20040721140750.M64009@gwdu60.gwdg.de>

On Wed, 21 Jul 2004 14:12:45 +0200 (CEST)
Konrad Heuer wrote:

>
> I roughly remember to have read about that problem for older versions
> of OpenSSH.
>
> But on my 4.10 boxes, there's no problem. Looks always like this,
> correct and incorrect password given:
>
> % ssh root@box
> root@boxes's password:
> Permission denied, please try again.
> root@boxes's password:
> Permission denied, please try again.
>
> Version:
>
> % ssh -V
> OpenSSH_3.5p1 FreeBSD-20030924, SSH protocols 1.5/2.0, OpenSSL
> 0x0090704f
>
> Best regards
>
> Konrad Heuer (kheuer2@gwdg.de)    ____            ___  _______
> GWDG                             / __/______ ___ / _ )/ __/ _ \
> Am Fassberg                     / _// __/ -_) -_) _  |\ \/ // /
> 37077 Goettingen               /_/ /_/  \__/\__/____/___/____/
> Germany
>

Well, this is strange. The 5.2.1 box and the 4.10 box both have the same
sshd_conf options, however the OpenSSH versions are different (but
expected)

5.2.1
OpenSSH_3.6.1p1 FreeBSD-20030924, SSH protocols 1.5/2.0, OpenSSL 0x0090703f

4.10
OpenSSH_3.5p1 FreeBSD-20030924, SSH protocols 1.5/2.0, OpenSSL 0x0090704f

Do you have any non-default settings to disable remote root access on
your 4.10 box? This 4.10 box was recently upgraded from 4.9 (using
cvsup), maybe I missed something is all I can think of.

-Tig