SSH permits root-Logins with wrong password
Hello,
I have a Debian testing server on my network with OpenSSH running. If I
try to log in as root but with wrong password I get the following:
deniedfr@dettnb80 deniedfr $ ssh root@dettlx18
Password: <wrong password here>
Password: <the same wrong password>
Password: <the same wrong password>
root@dettlx18's password: <the same wrong password>
Last login: Wed Jun 16 17:03:11 2004 from dettnb80.tt.de.ifm
dettlx18:~# uname -a
Linux dettlx18 2.4.18-bf2.4 #1 Son Apr 14 09:53:28 CEST 2002 i686
GNU/Linux
dettlx18:~#
The /var/log/auth.log:
sshd[1335]: (pam_securetty) access denied: tty 'ssh' is not secure !
sshd[1335]: (pam_unix) authentication failure; logname= uid=0 euid=0
tty=ssh ruser= rhost=dettnb80.tt.de.ifm user=root
sshd[1333]: error: PAM: Authentication failure
sshd[1336]: (pam_securetty) access denied: tty 'ssh' is not secure !
sshd[1336]: (pam_unix) authentication failure; logname= uid=0 euid=0
tty=ssh ruser= rhost=dettnb80.tt.de.ifm user=root
sshd[1333]: error: PAM: Authentication failure
sshd[1337]: (pam_securetty) access denied: tty 'ssh' is not secure !
sshd[1337]: (pam_unix) authentication failure; logname= uid=0 euid=0
tty=ssh ruser= rhost=dettnb80.tt.de.ifm user=root
sshd[1333]: error: PAM: Authentication failure
sshd[1333]: Failed keyboard-interactive/pam for root from 172.16.15.80
port 32896 ssh2
sshd[1333]: Accepted password for root from 172.16.15.80 port 32896 ssh2
sshd[1338]: (pam_unix) session opened for user root by root(uid=0)
If I try to use 'x' as wrong password, ssh won't let me in:
root@dettlx18's password:
Permission denied (publickey,password,keyboard-interactive).
Just as I would expect it. If I use a longer or similar password as the
real root password, ssh will let me log in, example:
real root password = linux4me -> success :)
fake root password = fun4linux -> success! :(
The ssh package version:
ii ssh 3.8p1-3 Secure rlogin/rsh/rcp replacement (OpenSSH)
Any idea about that behavior?
Regards,
Frank
--
Mail: fbn@thelogic.org
XMPP: fbn@charente.de
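
Added example (not part of the original message, and not OpenSSH code): a Python sketch that scans auth.log text for the pattern visible in the excerpt above, where one sshd connection logs a "Failed" result for one authentication method and then an "Accepted" result for another. The function name, the result fields and the sample lines are assumptions constructed for illustration.

```python
import re

# Constructed sample, modelled on the auth.log excerpt in the post
# (wrapped lines joined); the last two lines are invented contrast cases.
SAMPLE_LOG = """\
sshd[1333]: error: PAM: Authentication failure
sshd[1333]: Failed keyboard-interactive/pam for root from 172.16.15.80 port 32896 ssh2
sshd[1333]: Accepted password for root from 172.16.15.80 port 32896 ssh2
sshd[2001]: Failed password for root from 172.16.15.81 port 40000 ssh2
sshd[2002]: Accepted publickey for admin from 172.16.15.82 port 40100 ssh2
"""

# Matches sshd's per-method result lines; search() tolerates a syslog prefix.
EVENT = re.compile(
    r"sshd\[(?P<pid>\d+)\]: (?P<result>Failed|Accepted) (?P<method>\S+) "
    r"for (?:(?:invalid|illegal) user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)"
)

def find_mixed_outcomes(log_text):
    """Return connections where a method failed and a later method was accepted.

    A connection is identified by (sshd pid, user, source ip, source port),
    so unrelated failures from other hosts or sessions are not combined.
    """
    failed = {}      # connection key -> list of methods that failed so far
    findings = []
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        key = (m["pid"], m["user"], m["ip"], m["port"])
        if m["result"] == "Failed":
            failed.setdefault(key, []).append(m["method"])
        elif key in failed:
            findings.append({
                "user": m["user"],
                "source": m["ip"],
                "failed_methods": failed[key],
                "accepted_method": m["method"],
            })
    return findings

if __name__ == "__main__":
    for finding in find_mixed_outcomes(SAMPLE_LOG):
        print(finding)
```

A hit is a triage signal rather than proof of a fault: a user who mistypes at the keyboard-interactive prompt and then enters the correct password produces the same two lines.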