This is an unusual request but I'm looking for a way to get SSH to take ANY password on some accounts and accept it to log in. No matter what the user types it is accepted.

Why you might ask? Because I'm going to have it run a shell script that will lock out their IP address. I get people trying to hack into my server all the time usually trying accounts that are never used for SSH. The idea is to block the IP of anyone who even tries to use these accounts on the first try. Also thinking about setting up a honeypot server to collect these IPs and send them to a block list on the main routers.

So - can I do this?

This would allow anyone to login to your computer, this is an extremely bad idea and is suicidal if you are connected to the internet.

See this: http://denyhosts.sourceforge.net/ and forget about what you were saying above about letting anyone login to your computer

You should read what I write before you reply. I'm not going to let them actually log in. The shell isn't a real shell. It runs a program that cuts them off immediately and blocks their IP address. That way they get cut off immediately instead of getting 10 minutes worth of guessing.

Its still an extremely bad idea to try to open up ssh to any kind of anonymous or blank-password logins. Its also totally unecessary in order to do what you're trying to do (you only need to look in the log files to pick out hack-attempts) and its not possible to configure sshd to allow logins for users who don't exist on the system anyway AFAIK.

My question was - how do I do this - not if I should do this. I'm looking for an answer to my question - not a lecture about your opinion of security. So - does anyone know how to do what I'm asking about?

Now you're the one not reading before you reply. I've already told you that you only need to look in the log files to get the information you need to make this work. I've also told you that what you're trying to do isn't possible with ssh - it only allows logins to specific accounts, there is no such thing as a catch-all login.

It seems like an excessive way to block sources, but you can get the info you need from your logfiles. It would be easier to completely block SSH then open the service for known sources.

By the time I check the log files several attemts are already made. I want to kill them instantly on the first attempt.

I still don't agree with the methodology, but you could use a log monitor like swatch. You're better off with explicit allows so that you don't have to worry about connection attempts from unwanted locations. Do you have a issue that would prevent you from doing explicit allows?

Maybe instead of allowing them to type in anything you could try one of these 2 ideas.

1. Set up some obvious accounts like test, admin, or guest and use a password like "password" or "admin" or something to catch bad guys. I don't know how well that could work with your script though.

2. Maybe make a rule similar to "if you type the password wrong 3 times, you get locked out" only this would be "if you type your login OR password wrong once, you get SCRIPTED"

Since I don't know how ssh handles bad password attempts, depending on the OS sometimes you get 3 tries and others you get unlimited tries. Sorry couldn't help more.

Avatar - that's a good suggestion. I think I'll do that until I come up with a better solution.

Question: Would you design a physical security system (ie door lock) that opened with any key and then tried to prevent the person from entering after they unlocked it?

If something could be done similar to my #2, then it wouldn't be like that at all.

It would be more like, if you use the right key in the door, you get in. If you try to insert the wrong key, even just once, the lock disappears.

I think that what mperkel wants to do is not necessarily let people in, it's just that's the only way he can catch them in his script. I think what he wants to do is deny access to people who are trying to get in who shouldn't be, without letting them keep on trying and trying, like it does right now.

If I'm right, then what you want is not to let them in and THEN block their IP address. You want to block the IP if they fail X number of times (even once).

Here is a thread that I think has what you are looking for. Read the post # 35 (about 4th from the bottom).
http://www.linuxquestions.org/questi...5&pagenumber=3

This guy has a link to a script that does what you want, but BEFORE the user logs in, not after. It's called authfail.

Hope this helps.

Like most of the responses in this thread try to say, and if you look at how available tools approach the problem you'll see they're not about introducing new risks.
- No unauthorised remote users should be able to connect to or interact with code on the server.
- Adding users to the system (with easily guessable passwords) is weakening the system by any standard.
- Besides that the available tools work so why try to introduce a vulnerability...

Use one of the tools around or reconsider using the sane approach of using auth/sys logs if you must write something yourself.