Hello,
This is my first post, and I'm still a newbie, so please let me know if I act wrong.
While trying to connect to a Debian server using ssh, I made a typo and found out that when I don't fill the passphrase field, the (passphrase) step is bypassed, and I'm asked for my account password, which let me log in.
I'm not sure if this is a normal and intended behaviour, but right now I don't understand why it works like this and couldn't find an answer on the internet.
I will be happy to share the config files with you (if you tell me which one).
May any of you, please, put me in the picture?
- Ya Shu Hee
ssh - bypassed passphrase when not filling it
Re: ssh - bypassed passphrase when not filling it
I made a "process graph" to explain more efficiently: the blue arrow is my "problem".
- Attachment: process.png
Re: ssh - bypassed passphrase when not filling it
By uncommenting "PasswordAuthentication no" (in the /etc/ssh/sshd_config file), I now directly get a "Permission denied (publickey)" message instead of a password "field".
I still don't understand if it is a normal and intended behaviour to exit the pass phrase loop when pressing enter (with empty pass phrase "field").
- Attachment: with_PasswordAuthentication_no.JPG
Re: ssh - bypassed passphrase when not filling it
When the SSH client tries to authenticate using a public key, it asks you for the passphrase (if one has been set).
If that fails, it tries with the next method, i.e. password authentication.
If the server allows both (as it was in your case), then it's the expected behaviour.
Normally if you set-up public key authentication, you disable password authentication (like you've done in your 3rd post), so that the only way to get in is with public key auth. If that fails (e.g. because you enter a wrong passphrase), then the client has no more (valid) ways of authenticating.
Hope that clarifies this.
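The answer above hinges on what the server's effective setting for PasswordAuthentication is, and the stock Debian sshd_config ships that keyword commented out (so the compiled-in default, yes, applies). Below is an added example, not code from this thread, that evaluates a keyword the way sshd does: the first uncommented occurrence wins, keywords are case-insensitive, and an absent keyword keeps its default. The two config texts are constructed samples modelled on the stock file before and after the poster's change; on a real host the authoritative answer comes from `sshd -T`, which prints the fully resolved configuration.

```shell
#!/bin/sh
# Added example (not from the forum thread): compute the *effective* value of an
# sshd_config keyword. sshd uses the first uncommented occurrence of a keyword
# and ignores commented lines, so "#PasswordAuthentication yes" in the stock
# Debian file only documents the default; it does not set anything.

# Constructed sample sshd_config texts (not copied from the poster's server).
SSHD_CONFIG_BEFORE='# This is the sshd server system-wide configuration file.
#PubkeyAuthentication yes
#PasswordAuthentication yes
UsePAM yes
'

SSHD_CONFIG_AFTER='# This is the sshd server system-wide configuration file.
#PubkeyAuthentication yes
PasswordAuthentication no
UsePAM yes
'

# effective_value CONFIG_TEXT KEYWORD DEFAULT
# Prints the first uncommented global value of KEYWORD (case-insensitive, as
# sshd treats keywords), or DEFAULT when the keyword is absent or only appears
# in a comment. Parsing stops at the first "Match" line because everything
# after it is conditional and does not change the global value.
effective_value() {
    _cfg=$1; _key=$2; _default=$3
    _found=$(printf '%s\n' "$_cfg" | awk -v key="$_key" '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        {
            line=$0
            sub(/^[ \t]+/, "", line)            # drop leading indentation
            gsub(/=/, " ", line)                # "Keyword=value" is also accepted
            split(line, f, /[ \t]+/)
            if (tolower(f[1]) == "match") exit  # conditional section begins
            if (tolower(f[1]) == tolower(key)) { print f[2]; exit }
        }')
    if [ -n "$_found" ]; then
        printf '%s\n' "$_found"
    else
        printf '%s\n' "$_default"
    fi
}

# password_fallback_possible CONFIG_TEXT
# True (exit 0) when a client whose public-key attempt fails can still be
# offered a password prompt, which is exactly what the original poster saw.
password_fallback_possible() {
    [ "$(effective_value "$1" PasswordAuthentication yes)" = "yes" ]
}

# Stand-alone run: report both samples.
for name in BEFORE AFTER; do
    eval "cfg=\$SSHD_CONFIG_$name"
    printf '%s: PasswordAuthentication=%s PubkeyAuthentication=%s\n' "$name" \
        "$(effective_value "$cfg" PasswordAuthentication yes)" \
        "$(effective_value "$cfg" PubkeyAuthentication yes)"
done
```

The script deliberately does not follow `Include` directives or evaluate `Match` blocks, so treat its output as a quick check of a single file; `sshd -T` on the server is the real source of truth. On the client side, `ssh -v` shows each method being tried in order, and `ssh -o PreferredAuthentications=publickey -o PasswordAuthentication=no host` makes the client stop after the key attempt instead of silently falling back to a password prompt.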
Re: ssh - bypassed passphrase when not filling it
Thank you for your answer!
I now understand better how an ssh connection is supposed to work.
However, I'm still wondering if it's normal that authentication is considered as failed after less than 3 attempts, as soon as you press enter with an empty passphrase.
Re: ssh - bypassed passphrase when not filling it
When you type a wrong passphrase, the ssh client is not able to decrypt the key it should send to the server, so there's no actual authentication attempt (i.e. the server doesn't notice this).
Whether only one single attempt is allowed or more depends on the program actually asking you for the passphrase, which can either be the ssh client itself or the program specified in the SSH_ASKPASS environment variable. As far as I know this is not configurable, at least when ssh itself asks for the passphrase.