
SSH permits root-Logins with wrong password



Hello,

I have a Debian testing server on my network with OpenSSH running. If I
try to log in as root but with a wrong password, I get the following:

deniedfr@dettnb80 deniedfr $ ssh root@dettlx18
Password: <wrong password here>
Password: <the same wrong password>
Password: <the same wrong password>
root@dettlx18's password: <the same wrong password>
Last login: Wed Jun 16 17:03:11 2004 from dettnb80.tt.de.ifm
dettlx18:~# uname -a
Linux dettlx18 2.4.18-bf2.4 #1 Son Apr 14 09:53:28 CEST 2002 i686
GNU/Linux
dettlx18:~# 

The /var/log/auth.log:
sshd[1335]: (pam_securetty) access denied: tty 'ssh' is not secure !
sshd[1335]: (pam_unix) authentication failure; logname= uid=0 euid=0
            tty=ssh ruser= rhost=dettnb80.tt.de.ifm  user=root
sshd[1333]: error: PAM: Authentication failure
sshd[1336]: (pam_securetty) access denied: tty 'ssh' is not secure !
sshd[1336]: (pam_unix) authentication failure; logname= uid=0 euid=0
            tty=ssh ruser= rhost=dettnb80.tt.de.ifm  user=root
sshd[1333]: error: PAM: Authentication failure
sshd[1337]: (pam_securetty) access denied: tty 'ssh' is not secure !
sshd[1337]: (pam_unix) authentication failure; logname= uid=0 euid=0
            tty=ssh ruser= rhost=dettnb80.tt.de.ifm  user=root
sshd[1333]: error: PAM: Authentication failure
sshd[1333]: Failed keyboard-interactive/pam for root from 172.16.15.80
            port 32896 ssh2
sshd[1333]: Accepted password for root from 172.16.15.80 port 32896 ssh2
sshd[1338]: (pam_unix) session opened for user root by root(uid=0) 

If I try to use 'x' as the wrong password, ssh won't let me in:
root@dettlx18's password:
Permission denied (publickey,password,keyboard-interactive).

Just as I would expect it. If I use a longer or similar password as the
real root password, ssh will let me log in, example:
real root password = linux4me -> success :)
fake root password = fun4linux -> success! :(

The ssh package version:
ii ssh 3.8p1-3 Secure rlogin/rsh/rcp replacement (OpenSSH) 

Any idea about that behavior?

Regards,
  Frank
-- 
  Mail: fbn@thelogic.org
  XMPP: fbn@charente.de
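
Added example, not part of the original message: a log check that flags, for review, the pattern visible in the auth.log excerpt above, where one sshd connection logs a failed method for root and then accepts a different method. The function name and the joined sample lines are constructed for illustration; the message formats are the ones quoted in the post.

```python
import re

# Constructed sample: the auth.log excerpt from the post, wrapped lines joined.
SAMPLE_LOG = """\
sshd[1335]: (pam_securetty) access denied: tty 'ssh' is not secure !
sshd[1335]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=dettnb80.tt.de.ifm  user=root
sshd[1333]: error: PAM: Authentication failure
sshd[1333]: Failed keyboard-interactive/pam for root from 172.16.15.80 port 32896 ssh2
sshd[1333]: Accepted password for root from 172.16.15.80 port 32896 ssh2
sshd[1338]: (pam_unix) session opened for user root by root(uid=0)
"""

# sshd's per-method result lines; search() tolerates a syslog timestamp/host prefix.
EVENT = re.compile(
    r"sshd\[(?P<pid>\d+)\]: (?P<result>Failed|Accepted) (?P<method>\S+) "
    r"for (?:(?:invalid|illegal) user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)"
)

def accepted_after_failure(lines, user="root"):
    """Find connections where one auth method failed for `user` and a
    different method was then accepted on the same sshd pid/ip/port."""
    failed = {}      # (pid, ip, port) -> methods that failed so far
    findings = []
    for line in lines:
        m = EVENT.search(line)
        if not m or m["user"] != user:
            continue
        key = (m["pid"], m["ip"], m["port"])
        if m["result"] == "Failed":
            failed.setdefault(key, []).append(m["method"])
            continue
        other = [f for f in failed.get(key, []) if f != m["method"]]
        if other:
            findings.append({"pid": m["pid"], "ip": m["ip"], "port": m["port"],
                             "failed_methods": other,
                             "accepted_method": m["method"]})
    return findings

if __name__ == "__main__":
    for f in accepted_after_failure(SAMPLE_LOG.splitlines()):
        print("review: root login from {ip}:{port} (sshd[{pid}]) accepted via "
              "{accepted_method} after {failed_methods} failed".format(**f))
```

A hit is a prompt to review the login, since a mistyped credential followed by a correct one on a different method produces the same log sequence.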


