LinuxQuestions.org

Linux - Security (http://www.linuxquestions.org/questions/linux-security-4/)
ssh authentication asks for a second password (http://www.linuxquestions.org/questions/linux-security-4/ssh-authentication-asks-for-a-second-password-897476/)

swampf0x 08-15-2011 03:53 PM

ssh authentication asks for a second password
 
I have set up faillog for a SLES 10 SP3 server. I log in through a putty session and I authenticate successfully and the "last failed login" information is displayed and directly beneath that at the prompt this is displayed:
"myusername" password:

If I attempt to type my password again it doesn't work and says, "Sorry, try again."

If I press enter without typing a password it lets me in and I am at the command prompt ready to go.

I have this same faillog set up on my test server and I do not get this second password prompt. The configs on both servers look identical. Permissions on both are the same. I must be missing something? I am very new at this and would really appreciate any help. Thanks.

Reuti 08-15-2011 06:15 PM

Are both “ChallengeResponseAuthentication yes” and “PasswordAuthentication yes” set this way in /etc/ssh/sshd_config on the server? I saw a similar behavior with another ssh client for Windows. You can set the former to no (reload sshd) and test again.

swampf0x 08-16-2011 11:42 AM

Here are the sshd_config settings for your response:

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

swampf0x 08-16-2011 01:36 PM

Thanks for the comments but I believe I got this one fixed. I looked in the messages after a login and noticed:

Aug 16 12:40:52 "servername" sudo: "userid" : 1 incorrect password attempt ; TTY=unknown ; PWD=/home/"username" ; USER=root ; COMMAND=/sbin/pam_tally --user "userid" --reset=0

Which led me to the sudoers file where I added

%users ALL=(ALL) NOPASSWD: /sbin/pam_tally

After that I no longer receive the second login prompt.

Reuti 08-16-2011 02:55 PM

I’m not sure whether this is the safest solution. Where is the sudo command coded? In any ~/.bash_rc or alike?

swampf0x 08-16-2011 03:51 PM

I have it in /etc/ssh/sshrc in order for it to display for the user logging in to see how many failures they have.


sshrc script:
# Show the logging-in user their own faillog entry (grep drops the header line)
echo "Last failed login: "; faillog -u `whoami` | grep `whoami`

#faillog -u $USER

# Reset this user's pam_tally counter; relies on the NOPASSWD sudoers entry for /sbin/pam_tally
sudo /sbin/pam_tally --user $USER --reset=0 > /dev/null

Reuti 08-16-2011 04:00 PM

This looks like everyone can manipulate the counter of any other user too. faillog is normally also limited to be used by root (at least on my system). There is no default output for failed logins by sshd?

swampf0x 08-17-2011 07:57 AM

Yes, that's true about the counter, although you have to su to root in order to change the counter. I couldn't figure out another way to do it as this is new to me. In the sshd_config there is a line "PrintLastLog yes" but it doesn't do what I need.

swampf0x 08-17-2011 08:43 AM

Somewhat off topic, because of the sshrc file I can't run nautilus or anything from the terminal anymore.

(nautilus:16718): Gtk-WARNING **: cannot open display:

swampf0x 08-17-2011 10:36 AM

I believe I fixed this one also. I found a similar issue while searching the webs for the problem. I added this to the sshrc script:

# Set up the local file in which to store the .Xauthority information:
export XAUTHORITY=/tmp/.Xauthority.$USER

# Now create and write the magic cookie information:
if read proto cookie && [ -n "$DISPLAY" ]; then
    if [ `echo $DISPLAY | cut -c1-10` = 'localhost:' ]; then
        # X11UseLocalhost=yes
        echo add unix:`echo $DISPLAY | cut -c11-` $proto $cookie
    else
        # X11UseLocalhost=no
        echo add $DISPLAY $proto $cookie
    fi | /usr/X11R6/bin/xauth -q -
fi


Then I added this to /home/"USERID"/.bashrc :

# ~/.bashrc X11 configuration
if [[ -z $DISPLAY ]]; then
    # DISPLAY is not set, so check to see what X display is owned
    # by the current user and set DISPLAY to this value:
    X11_FOLDER=/tmp/.X11-unix
    currentUser=`id -u`
    bb=`ls -ln $X11_FOLDER | grep $currentUser`
    bbb=${bb/*X/:}
    usedDISPLAY=$bbb.0
    export DISPLAY=$usedDISPLAY
else
    # DISPLAY is set, so we assume remote user login via
    # ssh and set the XAUTHORITY variable to point to
    # proper file.
    export XAUTHORITY=/tmp/.Xauthority.$USER
fi

Now I am able to open Nautilus and any other X windows.
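A caveat on the sshrc/.bashrc pair above: both sides agree on the fixed name /tmp/.Xauthority.$USER, and /tmp is world-writable, so any local user can create that name (or a symlink with that name) before the login happens and xauth would then write the cookie into it. The following is an added example, my own code and not from this thread, that checks the file is a plain mode-0600 file owned by the logging-in user before it is used, and otherwise creates it fresh with noclobber so an existing entry is never silently reused. The function names and the idea of calling it from sshrc are assumptions.

```shell
#!/bin/sh
# Added example (not code from the thread): guard the fixed-path cookie file used above.
# /tmp is world-writable and /tmp/.Xauthority.$USER is predictable, so another local user
# can plant a file or symlink there before the login; these checks refuse such a file.

# cookie_file_ok FILE UID
# Succeeds only if FILE is a regular file (not a symlink) owned by UID with mode 0600.
cookie_file_ok() {
    _f=$1; _uid=$2
    [ ! -L "$_f" ] && [ -f "$_f" ] || return 1
    # ls -ln fields: mode links uid gid size date... name (numeric ids, no name lookup)
    set -- $(ls -ln "$_f")
    [ "$3" = "$_uid" ] || return 1
    case $1 in -rw-------*) return 0 ;; esac
    return 1
}

# fresh_cookie_file FILE
# Create FILE empty with mode 0600. 'set -C' (noclobber) makes '>' fail if FILE already
# exists, so a file dropped in between the check and the create is not silently reused.
fresh_cookie_file() {
    ( umask 077; set -C; : > "$1" ) 2>/dev/null
}

# choose_xauthority FILE UID
# Print FILE if it is safe to use (already ours, or newly created); fail otherwise.
choose_xauthority() {
    _f=$1; _uid=$2
    if cookie_file_ok "$_f" "$_uid"; then
        printf '%s\n' "$_f"
        return 0
    fi
    if [ -e "$_f" ] || [ -L "$_f" ]; then
        echo "refusing $_f: not a mode-0600 regular file owned by uid $_uid" >&2
        return 1
    fi
    fresh_cookie_file "$_f" && printf '%s\n' "$_f"
}

# Intended use in sshrc, replacing the unconditional export above (assumed wiring):
#   XAUTHORITY=$(choose_xauthority "/tmp/.Xauthority.$USER" "$(id -u)") || exit 1
#   export XAUTHORITY
```

If choose_xauthority fails, sshrc should stop rather than fall back to the predictable path; the X11 forwarding cookie is what lets a process connect to the forwarded display, so writing it into a file another user controls is the thing to avoid.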

swampf0x 08-17-2011 10:43 AM

Quote:

Originally Posted by Reuti (Post 4444916)
I’m not sure whether this is the most safest solution. Where is the sudo command coded? In any ~/.bash_rc or alike?


Can you suggest a safer solution?

Reuti 08-17-2011 10:51 AM

Do you need to reset it at all, as it will also increase the counter even when there was at least one successful login? What about the suggestion in the manpage to use a nightly cron job?

swampf0x 08-17-2011 03:29 PM

Yes we need to reset the counter because after 3 unsuccessful attempts the user is locked out. I didn't see the cron job suggestion.

Reuti 08-17-2011 03:33 PM

From http://linux.die.net/man/8/pam_tally:
Quote:

For example, one might find it useful to clear all counts every midnight from a cron job.
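A tighter alternative to the `%users ALL=(ALL) NOPASSWD: /sbin/pam_tally` rule used earlier in the thread, which lets any member of the group reset any account's counter: let sudo run a small wrapper that only ever resets the invoking user's own counter, taking the name from SUDO_USER (which sudo sets itself) and refusing all arguments. This is an added example, not code posted in this thread; the wrapper path /usr/local/sbin/reset-my-tally, the PAM_TALLY override variable and the group name in the sudoers comment are assumptions.

```shell
#!/bin/sh
# Hypothetical wrapper, e.g. installed as /usr/local/sbin/reset-my-tally (path assumed),
# owned by root and mode 0755, with a sudoers line such as (group name assumed):
#   %users ALL=(root) NOPASSWD: /usr/local/sbin/reset-my-tally ""
# The trailing "" tells sudo to allow the command only with no arguments.
# PAM_TALLY may be overridden (e.g. for testing); the real binary is /sbin/pam_tally.
PAM_TALLY=${PAM_TALLY:-/sbin/pam_tally}

# own_account: print the invoking user's name as recorded by sudo in SUDO_USER,
# after rejecting anything that is empty, root, or not a plain account name.
own_account() {
    name=${SUDO_USER:-}
    case $name in
        '')    echo "reset-my-tally: must be run via sudo" >&2; return 1 ;;
        root)  echo "reset-my-tally: refusing to reset root" >&2; return 1 ;;
        -*|.*|*[!A-Za-z0-9._-]*)
               echo "reset-my-tally: unexpected SUDO_USER '$name'" >&2; return 1 ;;
    esac
    printf '%s\n' "$name"
}

# reset_own_tally: reset the counter of the invoking user only. Any argument is an
# error, so the caller cannot smuggle in "--user someone_else".
reset_own_tally() {
    [ $# -eq 0 ] || { echo "usage: reset-my-tally (takes no arguments)" >&2; return 2; }
    name=$(own_account) || return 1
    "$PAM_TALLY" --user "$name" --reset=0 >/dev/null
}

# Run only when invoked as the installed script; sourcing the file just defines the functions.
case ${0##*/} in
    reset-my-tally) reset_own_tally "$@" ;;
esac
```

With this in place the sshrc line becomes `sudo /usr/local/sbin/reset-my-tally`, and the sudoers entry no longer grants pam_tally itself. The man page's nightly cron job is the other option mentioned above: a root crontab entry running pam_tally with --reset and no --user clears every count, but then a user locked out during the day stays locked out until midnight, whereas the wrapper clears only the counter of whoever has just logged in successfully.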

