# OpenSSH Authentication Failure messages

## spinfire

OpenSSH has a rather braindead behavior regarding PAM.  Whenever I log in using public key auth (which I almost always do) I get a log sequence like this:

```
Jun  4 06:59:11 threepwood sshd(pam_unix)[4492]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=65.160.204.xxx  user=dpn
Jun  4 06:59:12 threepwood sshd[4492]: Accepted publickey for dpn from 65.160.204.xxx port 55889 ssh2
Jun  4 06:59:12 threepwood sshd(pam_unix)[4494]: session opened for user dpn by (uid=1000)
```

This is very annoying because it fills the log with fake "authentication failure!  Look at me!" messages and blocks any attempt to get useful authentication failure information out of the log.

Anyone know how to fix this?

----------

## cPF

BUMP!

I get this with password ssh logins too. Really need to get rid of these annoying false alerts.

----------

## Chris W

I see no such messages in my auth logs.  SSH connections and disconnections only.  

Could you post your /etc/ssh/sshd_config file?

What client are you using?  Does it report anything unusual?  Does it have a logging/debugging system?

----------

## cPF

Error message is quite identical:

```
Jul  1 15:20:58 golem sshd(pam_unix)[13866]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=mordor.lan user=kherrala
Jul  1 15:21:00 golem sshd[13866]: Accepted password for kherrala from ::ffff:172.16.9.4 port 1868 ssh2
Jul  1 15:21:00 golem sshd(pam_unix)[13868]: session opened for user kherrala by (uid=1009)
```

```
#   $OpenBSD: sshd_config,v 1.59 2002/09/25 11:17:16 markus Exp $

#Port 22
Protocol 2
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 3600
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 120
PermitRootLogin no
#StrictModes yes

#RSAAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile   .ssh/authorized_keys

# rhosts authentication should not be used
#RhostsAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#AFSTokenPassing no

# Kerberos TGT Passing only works with the AFS kaserver
#KerberosTgtPassing no

# Set this to 'yes' to enable PAM keyboard-interactive authentication
# Warning: enabling this may bypass the setting of 'PasswordAuthentication'
#PAMAuthenticationViaKbdInt yes

#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
PrintMotd yes
PrintLastLog yes
#KeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
Compression no

#MaxStartups 10
# no default banner path
#VerifyReverseMapping no

# override default of no subsystems
#Subsystem   sftp   /usr/lib/misc/sftp-server
```

I use PuTTY and it says "keyboard authentication failed"(?); that might be the key to solving this.

EDIT: Confirmed it isn't related to PuTTY, because I turned keyboard-interactive off and selected SSH2 as default... still the same error occurs.

----------

## paranode

Maybe change `#RSAAuthentication no` to `RSAAuthentication yes`.

----------

## spinfire

> Jul  1 09:48:47 threepwood sshd(pam_unix)[4927]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=x1000-XXX.tellink.net user=dpn
> Jul  1 09:48:47 threepwood sshd[4927]: Accepted publickey for dpn from 65.160.204.XXX port 45921 ssh2
> ...

That is with RSAAuthentication set to yes.  I might also point out that the default value for "RSAAuthentication" should be yes.

If you want my sshd_config, ask.. the only thing set in the config file is no keepalives.  Every other line is commented out, as per the default.

----------

## cPF

I went through the pain of running openssh in DEBUG logging mode with little help. I have everything commented out in sshd_config and PuTTY is a new stable release. The error is also there while logging in locally via ssh. See:

```
Jul  1 18:10:40 golem sshd[24822]: debug1: Forked child 24829.
Jul  1 18:10:40 golem sshd[24829]: Connection from ::ffff:172.16.9.4 port 2142
Jul  1 18:10:40 golem sshd[24829]: debug1: Client protocol version 2.0; client software version PuTTY-Release-0.53b
Jul  1 18:10:40 golem sshd[24829]: debug1: no match: PuTTY-Release-0.53b
Jul  1 18:10:40 golem sshd[24829]: debug1: Enabling compatibility mode for protocol 2.0
Jul  1 18:10:40 golem sshd[24829]: debug1: Local version string SSH-2.0-OpenSSH_3.6.1p2
Jul  1 18:10:45 golem sshd[24829]: debug1: Starting up PAM with username "kherrala"
Jul  1 18:10:45 golem sshd[24829]: debug1: PAM setting rhost to "mordor.lan"
Jul  1 18:10:45 golem sshd(pam_unix)[24829]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=mordor.lan  user=kherrala
Jul  1 18:10:45 golem sshd[24829]: debug1: PAM password authentication failed for kherrala: Authentication failure
Jul  1 18:10:45 golem sshd[24829]: Failed none for kherrala from ::ffff:172.16.9.4 port 2142 ssh2
Jul  1 18:10:46 golem sshd[24829]: debug1: PAM password authentication accepted for kherrala
Jul  1 18:10:46 golem sshd[24829]: Accepted password for kherrala from ::ffff:172.16.9.4 port 2142 ssh2
Jul  1 18:10:46 golem sshd[24829]: debug1: monitor_child_preauth: kherrala has been authenticated by privileged process
Jul  1 18:10:46 golem sshd[24831]: debug1: PAM establishing creds
Jul  1 18:10:46 golem sshd[24831]: debug1: permanently_set_uid: 1009/4
Jul  1 18:10:46 golem sshd[24831]: debug1: Entering interactive session for SSH2.
```

----------

## paranode

Hmm.. try uncommenting #RhostsAuthentication no and see if that eliminates the error.  Maybe it's failing rhost authentication because it's only logging in with a public key.

----------

## cPF

Forcing rhosts auth disabled doesn't help =( I also tried re-emerging openssh, with no luck.

----------

## paranode

I just followed this part of the Gentoo Security Guide and it works for me.  Sorry I couldn't help.

----------

## Woollyfoot

I'm having the same problem too. I've had to resort to changing the regexes in the metalog config file so it doesn't catch those failures but still puts password failures into the log file. A proper fix would be good though!

----------
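The problem spinfire opened the thread with (spurious pam_unix lines drowning out real failures) and the metalog regex workaround Woollyfoot describes both come down to the same thing: a pam_unix "authentication failure" from sshd PID N that is followed by an "Accepted ..." line from the same PID N is noise, while one followed by "Failed password" (or by nothing) is a real failed login. The script below is an added example for this thread, not code from any poster and not a substitute for the patch discussed later; it correlates the two line types on host and PID. The sample log is constructed to mirror the lines posted above (hosts, users, addresses and PIDs are placeholders), and the "Failed none" line only appears at debug log levels, so it is deliberately ignored.

```python
"""Separate the pam_unix 'authentication failure' lines that sshd 3.6.x
emits on successful logins from genuine failed logins, by correlating on
the sshd PID.  Added example for this thread; not code from any poster.
The sample log is constructed to mirror the lines posted above (hosts,
users, addresses and PIDs are placeholders).
"""
import re
from typing import Dict, List

# Constructed sample: two spurious failures (each followed by 'Accepted'
# from the same PID, one of them also with a debug-level 'Failed none'),
# and one genuine failed password attempt.
SAMPLE_LOG = """\
Jun  4 06:59:11 threepwood sshd(pam_unix)[4492]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=65.160.204.10  user=dpn
Jun  4 06:59:12 threepwood sshd[4492]: Accepted publickey for dpn from 65.160.204.10 port 55889 ssh2
Jun  4 06:59:12 threepwood sshd(pam_unix)[4494]: session opened for user dpn by (uid=1000)
Jul  1 15:20:58 golem sshd(pam_unix)[13866]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=mordor.lan user=kherrala
Jul  1 15:20:58 golem sshd[13866]: Failed none for kherrala from ::ffff:172.16.9.4 port 1868 ssh2
Jul  1 15:21:00 golem sshd[13866]: Accepted password for kherrala from ::ffff:172.16.9.4 port 1868 ssh2
Jul  1 15:25:03 golem sshd(pam_unix)[13901]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=10.0.0.77 user=root
Jul  1 15:25:05 golem sshd[13901]: Failed password for root from 10.0.0.77 port 40122 ssh2
"""

PAM_FAIL = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) (?P<host>\S+) sshd\(pam_unix\)\[(?P<pid>\d+)\]: "
    r"authentication failure;.*?rhost=(?P<rhost>\S*)\s+user=(?P<user>\S+)"
)
SSHD_RESULT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?P<user>\S+) from (?P<from>\S+)"
)

# PIDs get reused, so only look this many lines ahead for the verdict.
LOOKAHEAD = 50


def classify(log_text: str) -> List[Dict[str, str]]:
    """One record per pam_unix failure.  'spurious' when the same sshd PID
    goes on to log 'Accepted'; 'genuine' when it logs a real 'Failed
    <method>' or nothing within the window.  'Failed none' is the client's
    method probe and is skipped, because an 'Accepted' may still follow."""
    lines = log_text.splitlines()
    records = []
    for i, line in enumerate(lines):
        m = PAM_FAIL.match(line)
        if not m:
            continue
        verdict, outcome = "genuine", "no sshd result line"
        for later in lines[i + 1:i + 1 + LOOKAHEAD]:
            r = SSHD_RESULT.match(later)
            if not r or r["host"] != m["host"] or r["pid"] != m["pid"]:
                continue
            if r["method"] == "none":
                continue
            outcome = f"{r['result']} {r['method']}"
            if r["result"] == "Accepted":
                verdict = "spurious"
            break
        records.append({"ts": m["ts"], "host": m["host"], "pid": m["pid"],
                        "user": m["user"], "rhost": m["rhost"],
                        "verdict": verdict, "outcome": outcome})
    return records


def genuine_failures(log_text: str) -> List[Dict[str, str]]:
    """Only the failures worth alerting on."""
    return [r for r in classify(log_text) if r["verdict"] == "genuine"]


if __name__ == "__main__":
    for rec in classify(SAMPLE_LOG):
        print(f"{rec['ts']} {rec['host']} pid={rec['pid']} user={rec['user']} "
              f"rhost={rec['rhost']}: {rec['verdict']} ({rec['outcome']})")
```

Two caveats for anyone wiring this into an alerting pipeline: the verdict relies on sshd's own "Accepted"/"Failed" line from the same PID landing within the lookahead window, and a session that types a wrong password before the right one will be counted as one genuine failure too many, since the PAM line for the "none" probe is then followed by a real "Failed password". That is fine for alerting; it is not an audit-grade count, and the patch the thread ends with is the real fix.

----------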

## cPF

I think this problem has persisted on my system for quite some time.

Perhaps someone should consider filing a bug report, now that I'm not the only one affected? BTW, could there be something wrong in /etc/pam.d/sshd?

```
#%PAM-1.0
auth       required pam_stack.so service=system-auth
auth       required pam_shells.so
auth       required pam_nologin.so
account    required pam_stack.so service=system-auth
password   required pam_stack.so service=system-auth
session    required pam_stack.so service=system-auth
```

----------

## Chris W

The "tty=NODEVssh" part of the error message intrigues me.  Do you have the PuTTY option "Connection/SSH/Don't allocate a pseudo-terminal" set?  It isn't set in my config.

I don't use metalog (syslog-ng instead).  Is metalog a common factor with those recording these messages?

----------

## cPF

I use syslog-ng as well and don't have that option set. No idea what NODEVssh is either =)

EDIT: It isn't related to the client or its options, because it's just the same with logins from local, Solaris, and another Debian box. Maybe I could re-emerge the pam modules next or something.

Last edited by cPF on Tue Jul 01, 2003 11:23 pm; edited 1 time in total

----------

## Chris W

How about the "Connection/SSH/Auth/Attempt "keyboard interactive" authentication SSH2" PuTTY option?  On in my setup.  I also force SSH2 only.

PAM setup is identical.

----------

## drzero

I have this problem as well and I believe it to be a PAM problem, as I have seen other services that use PAM issue similar error messages, saying "authentication failure" even though the password was correct and the user got access. So far at least SSH, proftpd and HTTP auth have issued these errors on all of the servers I have under my wing (8 or so).

It is somewhat strange, I have tried copying the content of /etc/pam.d/system-auth to /etc/pam.d/sshd but I still get the error. I just don't get the error when logging in locally, which should go through the same pam-stuff. I am confused!

Has anybody got any idea how to fix this?

----------

## Chris W

OK, let's work on the PAM angle.

What do you get logged with the debug option added to pam_unix in /etc/pam.d/system-auth thus:

```
#%PAM-1.0
auth       required     /lib/security/pam_env.so
auth       sufficient   /lib/security/pam_unix.so likeauth nullok nodelay debug
auth       required     /lib/security/pam_deny.so
account    required     /lib/security/pam_unix.so debug
password   required     /lib/security/pam_cracklib.so retry=3
password   sufficient   /lib/security/pam_unix.so nullok md5 shadow use_authtok debug
password   required     /lib/security/pam_deny.so
session    required     /lib/security/pam_limits.so
session    required     /lib/security/pam_unix.so debug
```

You could try "audit" instead of, or in addition to, "debug".  The message does come from pam_unix (support.c), but I'd need to know what path it took to get there.

----------

## cPF

I modified system-auth and restarted sshd, but I don't get any extra debug messages in auth.log? Shouldn't /dev/pty be disabled in the kernel, since I have /dev/ support?

----------

## Chris W

Are these the options you are referring to?

```
# grep PTY /usr/src/linux/.config
CONFIG_UNIX98_PTYS=y
CONFIG_UNIX98_PTY_COUNT=256
```

They're set on my machine.  On the other hand,

```
# CONFIG_DEVPTS_FS is not set
```

----------

## cPF

/dev/pts, which is mostly what I was trying to say, is disabled. I ran sshd in the foreground in debug mode, and

```
debug1: Starting up PAM with username "kherrala"
debug2: input_userauth_request: try method none
debug1: PAM setting rhost to "mordor.lan"
debug2: monitor_read: 41 used once, disabling now
debug2: monitor_read: 3 used once, disabling now
debug1: PAM password authentication failed for kherrala: Authentication failure
```

What's this method "none"? Checking for no-password login? I've disabled those:

```
PermitEmptyPasswords no
```

And what failure is this?

```
debug1: PAM setting tty to "/dev/pts/5"
debug1: PAM establishing creds
debug1: PAM setcred failed[15]: Authentication service cannot retrieve user credentials
```

----------
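The "none" method cPF asks about is not an empty-password login; it is the SSH2 userauth probe from RFC 4252. A client sends a USERAUTH_REQUEST with method "none" carrying no credential at all, and the server is expected to answer with USERAUTH_FAILURE listing the methods that can continue (publickey, password, ...). The debug output above shows this sshd taking the "none" request through PAM password authentication ("try method none" followed by "PAM password authentication failed"), which is where the pam_unix line comes from. The code below is an added example for this thread, not code from OpenSSH or from any poster; it encodes and decodes the relevant messages so you can see that the probe has nothing for pam_unix to check. The user name, password and method list are constructed placeholders.

```python
"""SSH2 userauth messages from RFC 4252 (sections 5, 5.1 and 8), to show
what the "none" method in the debug log above actually is.  Added example
for this thread; not code from OpenSSH or from any poster.  User names,
the password and the method list are constructed placeholders.
"""
import struct
from typing import List, Tuple

SSH_MSG_USERAUTH_REQUEST = 50   # RFC 4252 section 5
SSH_MSG_USERAUTH_FAILURE = 51   # RFC 4252 section 5.1


def _string(data: bytes) -> bytes:
    """SSH 'string': uint32 big-endian length followed by the bytes (RFC 4251)."""
    return struct.pack(">I", len(data)) + data


def _read_string(buf: bytes, off: int) -> Tuple[bytes, int]:
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated SSH string")
    return buf[off:off + n], off + n


def userauth_none(user: str, service: str = "ssh-connection") -> bytes:
    """The probe a client may send first: user, service, method 'none', nothing else."""
    return (bytes([SSH_MSG_USERAUTH_REQUEST]) + _string(user.encode())
            + _string(service.encode()) + _string(b"none"))


def userauth_password(user: str, password: str,
                      service: str = "ssh-connection") -> bytes:
    """A real password attempt: boolean FALSE (no password change) + the password."""
    return (bytes([SSH_MSG_USERAUTH_REQUEST]) + _string(user.encode())
            + _string(service.encode()) + _string(b"password")
            + b"\x00" + _string(password.encode()))


def userauth_failure(methods: List[str], partial: bool = False) -> bytes:
    """Server reply to a rejected request: name-list of methods that can
    continue, plus the partial-success flag."""
    return (bytes([SSH_MSG_USERAUTH_FAILURE])
            + _string(",".join(methods).encode())
            + (b"\x01" if partial else b"\x00"))


def parse_userauth_request(pkt: bytes) -> dict:
    if not pkt or pkt[0] != SSH_MSG_USERAUTH_REQUEST:
        raise ValueError("not a USERAUTH_REQUEST")
    user, off = _read_string(pkt, 1)
    service, off = _read_string(pkt, off)
    method, off = _read_string(pkt, off)
    req = {"user": user.decode(), "service": service.decode(),
           "method": method.decode()}
    if method == b"password":
        req["change_password"] = pkt[off] != 0
        pw, off = _read_string(pkt, off + 1)
        req["password"] = pw.decode()
    return req


def parse_userauth_failure(pkt: bytes) -> Tuple[List[str], bool]:
    if not pkt or pkt[0] != SSH_MSG_USERAUTH_FAILURE:
        raise ValueError("not a USERAUTH_FAILURE")
    names, off = _read_string(pkt, 1)
    return (names.decode().split(",") if names else []), pkt[off] != 0


def should_consult_pam(req: dict) -> bool:
    """Server-side policy this thread is about: only a request that carries a
    password has anything for pam_unix to verify.  A 'none' probe should get
    USERAUTH_FAILURE with the method list and never reach PAM; the debug log
    above shows this sshd build consulting PAM on the probe anyway, which is
    what produces the spurious 'authentication failure' line."""
    return req["method"] == "password"


if __name__ == "__main__":
    probe = parse_userauth_request(userauth_none("kherrala"))
    print(probe, "-> consult PAM:", should_consult_pam(probe))
    print(parse_userauth_failure(userauth_failure(["publickey", "password"])))
    real = parse_userauth_request(userauth_password("kherrala", "hunter2"))
    print(real["method"], "-> consult PAM:", should_consult_pam(real))
```

Because every well-behaved client may open with a "none" probe, a detection rule that fires on "Failed none" (visible only at verbose/debug log levels) or on the pam_unix line that this build emits for it will alert on every normal login; key the rule on "Failed password"/"Failed publickey" and on repeated failures per source instead.

----------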

## cPF

Whoah, it appears to be a known bug in the current openssh release.

http://marc.theaimsgroup.com/?t=105187763300007&r=1&w=2

Maybe we should emerge this simple patch pointed out there in gentoo? Such an annoying bug anyway.

----------

## cPF

Mission complete. Advancement in bugs.gentoo.org seems to have halted, so I decided to apply the discussed patch below and finally got rid of those errors.

https://bugs.gentoo.org/show_bug.cgi?id=20404

Save this to a temporary location, maybe in /tmp/opensshpam.diff:

http://www.mindrot.org/pipermail/openssh-unix-dev/2003-May/017981.html

I modified this bit in the ebuild and re-emerged openssh:

```
use selinux && epatch ${DISTDIR}/openssh_3.6p1-5.se1.diff.bz2
epatch /tmp/opensshpam.diff || die
```

I haven't yet observed any side effects, so could someone make these changes in portage?

----------

## LRdM

I think that this patch still hasn't been added to the portage ebuild, as I still had it as of 3.6.1_p2. The manually applied patch seems to have corrected the bug, but any chance of it being added to the ebuild?

----------

