LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 08-15-2011, 03:53 PM   #1
swampf0x
Member
 
Registered: Feb 2011
Location: South Carolina
Distribution: SLES10 SP4
Posts: 30

Rep: Reputation: 3
ssh authentication asks for a second password


I have set up faillog for a SLES 10 SP3 server. I log in through a PuTTY session and I authenticate successfully; the "last failed login" information is displayed, and directly beneath that at the prompt this is displayed:
"myusername" password:

If I attempt to type my password again it doesn't work and says, "Sorry, try again."

If I press enter without typing a password it lets me in and I am at the command prompt ready to go.

I have this same faillog set up on my test server and I do not get this second password prompt. The configs on both servers look identical. Permissions on both are the same. I must be missing something? I am very new at this and would really appreciate any help. Thanks.
 
Old 08-15-2011, 06:15 PM   #2
Reuti
Senior Member
 
Registered: Dec 2004
Location: Marburg, Germany
Distribution: openSUSE 13.1
Posts: 1,320

Rep: Reputation: 252Reputation: 252Reputation: 252
Are both “ChallengeResponseAuthentication yes” and “PasswordAuthentication yes” set this way in /etc/ssh/sshd_config on the server? I saw a similar behavior with another ssh client for Windows. You can set the former to no (reload sshd) and test again.
 
Old 08-16-2011, 11:42 AM   #3
swampf0x
Member
 
Registered: Feb 2011
Location: South Carolina
Distribution: SLES10 SP4
Posts: 30

Original Poster
Rep: Reputation: 3
Here are the sshd_config settings for your response:

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
 
Old 08-16-2011, 01:36 PM   #4
swampf0x
Member
 
Registered: Feb 2011
Location: South Carolina
Distribution: SLES10 SP4
Posts: 30

Original Poster
Rep: Reputation: 3
Thanks for the comments, but I believe I got this one fixed. I looked in the messages after a login and noticed:

Aug 16 12:40:52 "servername" sudo: "userid" : 1 incorrect password attempt ; TTY=unknown ; PWD=/home/"username" ; USER=root ; COMMAND=/sbin/pam_tally --user "userid" --reset=0


Which led me to the sudoers file, where I added

%users ALL=(ALL) NOPASSWD: /sbin/pam_tally


After that I no longer receive the second login prompt.
 
Old 08-16-2011, 02:55 PM   #5
Reuti
Senior Member
 
Registered: Dec 2004
Location: Marburg, Germany
Distribution: openSUSE 13.1
Posts: 1,320

Rep: Reputation: 252Reputation: 252Reputation: 252
I’m not sure whether this is the safest solution. Where is the sudo command coded? In any ~/.bash_rc or alike?
 
Old 08-16-2011, 03:51 PM   #6
swampf0x
Member
 
Registered: Feb 2011
Location: South Carolina
Distribution: SLES10 SP4
Posts: 30

Original Poster
Rep: Reputation: 3
I have it in /etc/ssh/sshrc in order for it to display for the user logging in to see how many failures they have.


sshrc script:
# Show the logging-in user their own faillog entry
echo "Last failed login: "; faillog -u `whoami` | grep `whoami`

#faillog -u $USER

# Reset this user's pam_tally counter through the sudoers NOPASSWD rule
sudo /sbin/pam_tally --user "$USER" --reset=0 > /dev/null
 
Old 08-16-2011, 04:00 PM   #7
Reuti
Senior Member
 
Registered: Dec 2004
Location: Marburg, Germany
Distribution: openSUSE 13.1
Posts: 1,320

Rep: Reputation: 252Reputation: 252Reputation: 252
This looks like everyone can manipulate the counter of any other user too. faillog is normally also limited to be used by root (at least on my system). There is no default output for failed logins by sshd?
 
Old 08-17-2011, 07:57 AM   #8
swampf0x
Member
 
Registered: Feb 2011
Location: South Carolina
Distribution: SLES10 SP4
Posts: 30

Original Poster
Rep: Reputation: 3
Yes, that's true about the counter, although you have to su to root in order to change the counter. I couldn't figure out another way to do it as this is new to me. In the sshd_config there is a line "PrintLastLog yes" but it doesn't do what I need.
 
Old 08-17-2011, 08:43 AM   #9
swampf0x
Member
 
Registered: Feb 2011
Location: South Carolina
Distribution: SLES10 SP4
Posts: 30

Original Poster
Rep: Reputation: 3
Somewhat off topic: because of the sshrc file I can't run nautilus or anything from the terminal anymore.

(nautilus:16718): Gtk-WARNING **: cannot open display:
 
Old 08-17-2011, 10:36 AM   #10
swampf0x
Member
 
Registered: Feb 2011
Location: South Carolina
Distribution: SLES10 SP4
Posts: 30

Original Poster
Rep: Reputation: 3
I believe I fixed this one also. I found a similar issue while searching the web for the problem. I added this to the sshrc script:

# Set up the local file in which to store the .Xauthority information:
export XAUTHORITY=/tmp/.Xauthority.$USER

# Now create and write the magic cookie information:
if read proto cookie && [ -n "$DISPLAY" ]; then
    if [ `echo $DISPLAY | cut -c1-10` = 'localhost:' ]; then
        # X11UseLocalhost=yes
        echo add unix:`echo $DISPLAY | cut -c11-` $proto $cookie
    else
        # X11UseLocalhost=no
        echo add $DISPLAY $proto $cookie
    fi | /usr/X11R6/bin/xauth -q -
fi


Then I added this to /home/"USERID"/.bashrc :

# ~/.bashrc X11 configuration
if [[ -z $DISPLAY ]]; then
    # DISPLAY is not set, so check to see what X display is owned
    # by the current user and set DISPLAY to this value:
    X11_FOLDER=/tmp/.X11-unix
    currentUser=`id -u`
    bb=`ls -ln $X11_FOLDER | grep $currentUser`
    bbb=${bb/*X/:}
    usedDISPLAY=$bbb.0
    export DISPLAY=$usedDISPLAY
else
    # DISPLAY is set, so we assume remote user login via
    # ssh and set the XAUTHORITY variable to point to
    # proper file.
    export XAUTHORITY=/tmp/.Xauthority.$USER
fi

Now I am able to open Nautilus and any other X windows.
 
Old 08-17-2011, 10:43 AM   #11
swampf0x
Member
 
Registered: Feb 2011
Location: South Carolina
Distribution: SLES10 SP4
Posts: 30

Original Poster
Rep: Reputation: 3
Quote:
Originally Posted by Reuti
I’m not sure whether this is the safest solution. Where is the sudo command coded? In any ~/.bash_rc or alike?

Can you suggest a safer solution?
 
Old 08-17-2011, 10:51 AM   #12
Reuti
Senior Member
 
Registered: Dec 2004
Location: Marburg, Germany
Distribution: openSUSE 13.1
Posts: 1,320

Rep: Reputation: 252Reputation: 252Reputation: 252
Do you need to reset it at all, as it will also increase the counter even when there was at least one successful login? What about the suggestion in the manpage to use a nightly cron job?
 
Old 08-17-2011, 03:29 PM   #13
swampf0x
Member
 
Registered: Feb 2011
Location: South Carolina
Distribution: SLES10 SP4
Posts: 30

Original Poster
Rep: Reputation: 3
Yes, we need to reset the counter because after 3 unsuccessful attempts the user is locked out. I didn't see the cron job suggestion.
 
Old 08-17-2011, 03:33 PM   #14
Reuti
Senior Member
 
Registered: Dec 2004
Location: Marburg, Germany
Distribution: openSUSE 13.1
Posts: 1,320

Rep: Reputation: 252Reputation: 252Reputation: 252
From http://linux.die.net/man/8/pam_tally:
Quote:
For example, one might find it useful to clear all counts every midnight from a cron job.
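Reuti's objection in #7 (the sudoers rule lets any member of %users run pam_tally with any --user, so one account can clear or set another's lockout counter) and the nightly cron alternative in #14 can be combined into a narrower setup. The following is an added example, not code from the thread or from SLES: a hypothetical root-run wrapper /usr/local/sbin/reset-own-tally that takes the target account from SUDO_USER (set by sudo, not by the caller) and refuses arguments, so the sudoers rule grants only that wrapper and a user can reset only their own count.

```shell
#!/bin/sh
# Hypothetical wrapper /usr/local/sbin/reset-own-tally (added example).
# Intended sudoers rule, replacing the thread's unrestricted pam_tally rule;
# the trailing "" means the command may only be run without arguments:
#   %users ALL=(root) NOPASSWD: /usr/local/sbin/reset-own-tally ""
# Nightly all-users alternative from the pam_tally manpage cited in #14:
#   0 0 * * * /sbin/pam_tally --reset

PAM_TALLY=${PAM_TALLY:-/sbin/pam_tally}   # path used in the thread

# Validate the invoking account name: reject empty, root, leading '-' or '.',
# and anything outside a conservative user-name alphabet, because the value
# ends up on a root command line.
tally_target_user() {
    name=$1
    case $name in
        ''|root) return 1 ;;
        *[!a-zA-Z0-9._-]*) return 1 ;;
        -*|.*) return 1 ;;
    esac
    printf '%s\n' "$name"
}

# Compose the exact pam_tally invocation for the target user. It is printed
# rather than executed so the policy can be checked without root.
reset_command() {
    user=$(tally_target_user "$1") || return 1
    printf '%s --user %s --reset=0\n' "$PAM_TALLY" "$user"
}

# Reset the sudo caller's own counter. Any argument is refused so that no
# alternative --user value can ever reach pam_tally.
reset_own_tally() {
    [ "$#" -eq 0 ] || { echo "usage: reset-own-tally (no arguments)" >&2; return 2; }
    cmd=$(reset_command "$SUDO_USER") || { echo "refusing: bad SUDO_USER" >&2; return 1; }
    $cmd
}

# Run only when executed as the installed wrapper, not when sourced.
case $0 in
    *reset-own-tally) reset_own_tally "$@" ;;
esac
```

With this in place the sshrc line becomes `sudo /usr/local/sbin/reset-own-tally > /dev/null`, and a caller who passes `--user someone_else` is rejected both by sudoers and by the wrapper.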
 