After entering a userid I get this in the everything log: May 3 00:11:27 [sshd(pam_unix)] authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=localhost user=dma (accompanied by a 5 second delay) This occurs for anything entered for the username. This happened when openssh was upgraded. I'm also getting noticeable hiccups and delays in output streams which seem to be eliminated by pressing a key during the delay. Reproducible: Always Steps to Reproduce: 1. ssh to dmatech.org (my machine) 2. enter garbage for username (it delays whether or not it is valid) 3. notice the delay that wasn't in openssh-3.5p1. Actual Results: See above. Expected Results: Performance like that of openssh-3.5p1. Portage 2.0.47-r10 (default-x86-1.4, gcc-3.2.2, glibc-2.3.1-r4) ================================================================= System uname: 2.4.20-gentoo-r1 i686 AMD Athlon(TM) XP 2200+ GENTOO_MIRRORS="http://gentoo.oregonstate.edu/ http://distro.ibiblio.org/pub/Linux/distributions/gentoo" CONFIG_PROTECT="/etc /var/qmail/control /usr/kde/2/share/config /usr/kde/3/share /config /usr/X11R6/lib/X11/xkb /usr/kde/3.1/share/config /usr/share/config" CONFIG_PROTECT_MASK="/etc/afs/C /etc/afs/afsws /etc/gconf /etc/env.d" PORTDIR="/usr/portage" DISTDIR="/usr/portage/distfiles" PKGDIR="/usr/portage/packages" PORTAGE_TMPDIR="/var/tmp" PORTDIR_OVERLAY="/usr/local/portage" USE="x86 oss 3dnow apm avi crypt cups encode gif jpeg libg++ mikmod mmx mpeg ncurses nls pdflib png spell truetype xml2 xmms xv zlib gdbm berkdb slang readline arts svga java guile X sdl gpm tcpd pam libwww ssl python esd imlib oggvorbis gnome gtk qt kde motif opengl acl acpi afs alsa bonobo cjk curl dga dvb dvd flash freetype glut gtk2 gtkhtml innodb ipv6 jikes kerberos ldap mbox mozilla mozinterfaceinfo mozsvg mozxmlterm mysql perl postgres -quicktime rage128 ruby samba snmp sse tcltk tetex tiff usb wmf xfs xml" COMPILER="gcc3" CHOST="i686-pc-linux-gnu" CFLAGS="-fomit-frame-pointer -mcpu=athlon-xp -march=athlon-xp -O3 -pipe - fprefetch-loop-arrays -msse -m3dnow -falign-functions=4 -mfpmath=sse" CXXFLAGS="-fomit-frame-pointer -mcpu=athlon-xp -march=athlon-xp -O3 -pipe - fprefetch-loop-arrays -msse -m3dnow -falign-functions=4 -mfpmath=sse" ACCEPT_KEYWORDS="x86" MAKEOPTS="-j2" AUTOCLEAN="yes" SYNC="rsync://rsync.gentoo.org/gentoo-portage" FEATURES="sandbox ccache"
pam packages are up2date ?
Everything seems to be up to date. I remerged pam and pam-login and it still happens.
Hi, I've mailed openssh-dev about this. The delay can be prevented by putting the nodelay option in /etc/pam.d/system-auth, here's an example one: auth required /lib/security/pam_env.so auth sufficient /lib/security/pam_unix.so likeauth nullok nodelay auth required /lib/security/pam_deny.so account required /lib/security/pam_unix.so password required /lib/security/pam_cracklib.so retry=3 password sufficient /lib/security/pam_unix.so nullok md5 shadow use_authtok password required /lib/security/pam_deny.so session required /lib/security/pam_limits.so session required /lib/security/pam_unix.so However the log problems can be solved only with a patch, you'll find the patch and the discussion at: http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=105191476831578&w=2 I don't think that they will merge the patch in the tree (see the rest of the thread), maybe should be added to portage. It would also be useful to see how other distro are managing this.
*** Bug 20591 has been marked as a duplicate of this bug. ***
This seems to work fine with 3.6.1 p2. Theres no log entry and no delay (from the loginfail) diff -ruN openssh-3.6.1p2.orig/auth1.c openssh-3.6.1p2/auth1.c --- openssh-3.6.1p2.orig/auth1.c 2003-05-08 03:06:59.000000000 +0200 +++ openssh-3.6.1p2/auth1.c 2003-05-08 03:08:26.000000000 +0200 @@ -80,7 +80,7 @@ authctxt->valid ? "" : "illegal user ", authctxt->user); /* If the user has no password, accept authentication immediately. */ - if (options.password_authentication && + if (options.password_authentication && options.permit_empty_passwd && #if defined(KRB4) || defined(KRB5) (!options.kerberos_authentication || options.kerberos_or_local_passwd) && #endif diff -ruN openssh-3.6.1p2.orig/auth2-none.c openssh-3.6.1p2/auth2-none.c --- openssh-3.6.1p2.orig/auth2-none.c 2003-05-08 03:06:59.000000000 +0200 +++ openssh-3.6.1p2/auth2-none.c 2003-05-08 03:09:59.000000000 +0200 @@ -100,6 +100,8 @@ if (check_nt_auth(1, authctxt->pw) == 0) return(0); #endif + if (!options.permit_empty_passwd) + return(0); return PRIVSEP(auth_password(authctxt, "")) && authctxt->valid; }
Given that the security problems only affect disclosure of valid users, I will continue to use the old (3.5) version until they ALSO fix the jitter/buffering or whatever that is causing lousy performance (over a LAN!). Halfway through typing "ls" with only a few entries, it pauses for about 200ms and then resumes. This pause will be stopped if I send any character (even control-S). I disabled compression (I believe) so that probably isn't it. It seems to be specific to the new version, but it only happens on certain clients. Is there any command by any chance that will let me see the parameters of my sshd instance (cipher, compression, etc.)?
I can confirm that this problem is reproducible on a *fresh* (from scratch) install of 1.4rc4 on a dual Xeon box. After the install I noticed both the delay and the extra error messages in the logs. I can also CONFIRM that applying the patch posted in this thread eliminated the delay and the error messages for the same box. Hopefully we can roll this patch into a new build.
Thanks, I'll take care of that a little later today.
The jitters seem to be related to the fact that I was using SSH protocol version 1 instead of 2 (for some reason). Interestingly enough, openssh 3.5_p1-r1 (using ssh2) seems to pause for about 1 second before asking me for a username. (this doesn't happen with ssh1). Hopefully this was resolved.
Here's a link to a follow up of the discussion on openssh-dev, there's a detailed discussion and a complete patch submitted to openssh bugzilla. http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=105271388204273&w=2
I've tried this patch with no success. It's quite odd really. BTW: The patch has been updated.
Created attachment 14956 [details, diff] This fixes errors in syslog The fix to this bug=) Please submit with ebuild
I've talked to some openssh devolpers and found a patch that seems to work, I've also bugged avenj to put this in the ebuild, here is the patch I made: AvenJ you can close one more bug=) If you guys want an explanation, what happens, it is that the "PermitEmptyPasswords no" which is set to default off anyways doesn't work, EVEN if it is set in /etc/ssh/sshd_config. This patch will fix that so it doesn't try to login with a null password first, which is why that message pops up in the syslog. Cheers=)
seems as if we are not alone with this problem: <https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=101252>
this has been fixed in openssh >= 3.7p1. all users are encouraged to update to 3.7.1p1 (not 3.7p1) to fix this problem, as well as other security issues.