ssh - bypassed passphrase when not filling it

Linux Kernel, Network, and Services configuration.
YaShuHee
Posts: 4
Joined: 2021-09-08 17:45
Has thanked: 2 times

ssh - bypassed passphrase when not filling it

#1 Post by YaShuHee »

Hello,

This is my first post, and I'm still a newbie, so please let me know if I do something wrong.

While trying to connect to a Debian server using ssh, I made a typo and found out that when I don't fill in the passphrase field, the (passphrase) step is bypassed and I'm asked for my account password, which lets me log in.
I'm not sure whether this is normal and intended behaviour, but right now I don't understand why it works like this and couldn't find an answer on the internet.

I will be happy to share the config files with you (if you tell me which ones :? ).
May any of you, please, put me in the picture?

- Ya Shu Hee
Attachment: ssh_no_passphrase_asked.JPG

YaShuHee
Posts: 4
Joined: 2021-09-08 17:45
Has thanked: 2 times

Re: ssh - bypassed passphrase when not filling it

#2 Post by YaShuHee »

I made a "process graph" to explain more efficiently: the blue arrow is my "problem".
Attachment: process.png

YaShuHee
Posts: 4
Joined: 2021-09-08 17:45
Has thanked: 2 times

Re: ssh - bypassed passphrase when not filling it

#3 Post by YaShuHee »

By uncommenting "PasswordAuthentication no" (in the /etc/ssh/sshd_config file), I now directly get a "Permission denied (publickey)" message instead of a password "field".
I still don't understand whether it is normal and intended behaviour to exit the passphrase loop when pressing Enter (with an empty passphrase "field").
Attachment: with_PasswordAuthentication_no.JPG

reinob
Posts: 1189
Joined: 2014-06-30 11:42
Has thanked: 97 times
Been thanked: 47 times

Re: ssh - bypassed passphrase when not filling it

#4 Post by reinob »

When the SSH client tries to authenticate using a public key, it asks you for the passphrase (if one has been set).
If that fails, it tries with the next method, i.e. password authentication.

If the server allows both (as it was in your case), then it's the expected behaviour.
Normally if you set up public key authentication, you disable password authentication (like you've done in your 3rd post), so that the only way to get in is with public key auth. If that fails (e.g. because you enter a wrong passphrase), then the client has no more (valid) ways of authenticating.

Hope that clarifies this.

YaShuHee
Posts: 4
Joined: 2021-09-08 17:45
Has thanked: 2 times

Re: ssh - bypassed passphrase when not filling it

#5 Post by YaShuHee »

Thank you for your answer!
I now understand better how an ssh connection is supposed to work.

However, I'm still wondering whether it's normal that authentication is considered failed after fewer than 3 attempts, as soon as you press Enter with an empty passphrase.

reinob
Posts: 1189
Joined: 2014-06-30 11:42
Has thanked: 97 times
Been thanked: 47 times

Re: ssh - bypassed passphrase when not filling it

#6 Post by reinob »

YaShuHee wrote: 2021-09-09 19:01
Thank you for your answer!
I now understand better how an ssh connection is supposed to work.

However, I'm still wondering whether it's normal that authentication is considered failed after fewer than 3 attempts, as soon as you press Enter with an empty passphrase.
When you type a wrong passphrase, the ssh client is not able to decrypt the key it should send to the server, so there's no actual authentication attempt (i.e. the server doesn't notice this).

Whether only one single attempt is allowed or more depends on the program actually asking you for the passphrase, which can either be the ssh client itself or the program specified in the SSH_ASKPASS environment variable. As far as I know this is not configurable, at least when ssh itself asks for the passphrase.
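The two replies above cover the server side (post #4: if sshd offers both methods, a failed public-key attempt falls through to a password prompt) and the client side (post #6: a wrong or empty passphrase means the key is never decrypted, so nothing reaches the server). The script below is an added example, not code from this thread or from Debian. It reads sshd's effective settings in the "keyword value" form that sshd -T prints and reports which authentication methods would still be offered, then defines a client wrapper that refuses the password fallback outright. The two configuration texts are constructed for the demonstration; the function names are my own.

```shell
#!/bin/sh
# Added example for this thread (not the poster's or Debian's own code).
# 1. Server side: which authentication methods will sshd still offer?
#    Input is the "keyword value" text that `sshd -T` prints.
# 2. Client side: refuse the password fallback described in the thread.
# The configuration text below is constructed, not captured from a host.

# Print, on one line and in a fixed order, the methods an sshd with the
# given `sshd -T` output (read from stdin) will offer. Keyboard-interactive
# is listed because, via PAM, it asks for the account password exactly
# like "password" does, so turning off PasswordAuthentication alone can
# still leave a password prompt.
ssh_auth_methods() {
    pubkey=no; password=no; kbdint=no
    while read -r key value; do
        case "$key" in
            pubkeyauthentication)   pubkey=$value ;;
            passwordauthentication) password=$value ;;
            kbdinteractiveauthentication|challengeresponseauthentication) # old spelling
                if [ "$value" = yes ]; then kbdint=yes; fi ;;
        esac
    done
    methods=""
    if [ "$pubkey" = yes ];   then methods="$methods publickey"; fi
    if [ "$password" = yes ]; then methods="$methods password"; fi
    if [ "$kbdint" = yes ];   then methods="$methods keyboard-interactive"; fi
    printf '%s\n' "${methods# }"
}

# Exit 0 when the server would still fall back to a password-style prompt
# after public-key auth fails (the behaviour seen in post #1), 1 otherwise.
password_fallback_possible() {
    methods=$(ssh_auth_methods)
    case " $methods " in
        *" password "*|*" keyboard-interactive "*) return 0 ;;
    esac
    return 1
}

# Constructed `sshd -T` excerpts: the poster's original situation ...
LOOSE_SSHD_T='pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication yes'

# ... and post #3 (PasswordAuthentication no), with keyboard-interactive
# switched off as well so PAM cannot ask for the password either.
HARDENED_SSHD_T='pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication no'

# On a real host replace the constructed text with the live output:
#   sudo sshd -T | ssh_auth_methods
for cfg in "$LOOSE_SSHD_T" "$HARDENED_SSHD_T"; do
    printf 'offered: %s\n' "$(printf '%s\n' "$cfg" | ssh_auth_methods)"
    if printf '%s\n' "$cfg" | password_fallback_possible; then
        echo '  -> an empty or wrong passphrase ends at a password prompt'
    else
        echo '  -> publickey only: a failed key decrypt gives Permission denied (publickey)'
    fi
done

# Client side: refuse the fallback yourself, whatever the server offers.
# Usage: ssh_key_only user@host   (add -v to watch the method selection)
ssh_key_only() {
    ssh -o PreferredAuthentications=publickey \
        -o PasswordAuthentication=no \
        -o KbdInteractiveAuthentication=no \
        -o IdentitiesOnly=yes \
        "$@"
}
```

Debian's shipped sshd_config already sets KbdInteractiveAuthentication no (ChallengeResponseAuthentication no on older releases), which is why changing only PasswordAuthentication was enough in post #3; the audit checks both anyway. With the loose server, ssh -v on the client shows the moment of the fallback as "debug1: Next authentication method: password"; with ssh_key_only, or the hardened server, that line never appears and the session ends with Permission denied (publickey).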
