Xshell Forum

Auth fallback

Last post: Monday, August 5, 2013 10:39 PM by Bean, 4 reply

 
Saturday, August 3, 2013 3:35 AM - Bean

Auth fallback

 
Hi there,

I have recently noticed that there is no fallback in authentication methods. E.g. when Xagent Authentication is enabled in the session but there is no valid SSH key added to the Xagent, the SSH User Authentication window appeared and you could choose a fallback authentication method (Password or Keyboard Interactive). Now in the same situation you will get an error message "The server sent a disconnect packet. Too many authentication failures for xxxxx (code: 2)".

Here is the trace log:

Connection established.
To escape to local shell, press 'Ctrl+Alt+G'.
[12:17:15] Version exchange initiated...
[12:17:15] server: SSH-2.0-OpenSSH_5.6
[12:17:15] client: SSH-2.0-nsssh2_4.0.0030 NetSarang Computer, Inc.
[12:17:15] SSH2 is selected.
[12:17:15] Algorithm negotiation initiated...
[12:17:15] key exchange: diffie-hellman-group14-sha1
[12:17:15] host key: ssh-dss
[12:17:15] outgoing encryption: 3des-cbc
[12:17:15] incoming encryption: 3des-cbc
[12:17:15] outgoing mac: hmac-sha1
[12:17:15] incoming mac: hmac-sha1
[12:17:15] outgoing compression: none
[12:17:15] incoming compression: none
[12:17:16] Host authentication initiated...
[12:17:16] Hostkey fingerprint:
[12:17:16] ssh-dsa 1024 0f:35:d7:6e:22:77:8d:24:f3:8b:4d:4b:b1:c0:97:cb
[12:17:16] Accepted. Verifying host key...
[12:17:16] Verified.
[12:17:16] User authentication initiated...
[12:17:16] Sent user name 'root'.
[12:17:16] Server support public key authentication method.
[12:17:16] Trying to find ssh-agent...
[12:17:16] Xagent is running. Connecting to ssh-agent...
[12:17:16] Received 7 identity-blob(s) from ssh-agent.
[12:17:16] Trying next identity blob...
[12:17:16] Server rejected the public blob.
[12:17:16] Trying next identity blob...
[12:17:16] Server rejected the public blob.
[12:17:16] Trying next identity blob...
[12:17:16] Server rejected the public blob.
[12:17:16] Trying next identity blob...
[12:17:16] Server rejected the public blob.
[12:17:16] Trying next identity blob...
[12:17:16] Server rejected the public blob.
[12:17:16] Trying next identity blob...

Connection closed by foreign host.


In PuTTY this feature is working perfectly. If I remember correctly, this function was working in the earlier releases of Xshell as well.

Thanks in advance,
Bean


Program Ver. : Xshell 4

Sunday, August 4, 2013 8:06 PM - Support

Re: Auth fallback

 
Xshell fails to connect and gives up because the server sends a failure signal. This is the same for PuTTY and Xshell. An SSH server cannot indefinitely accept wrong authentication information. This can create overhead on the server and also security holes.

Can you make sure it works in PuTTY and tell us the steps you took?


----
Technical Support

Monday, August 5, 2013 6:40 AM - Bean

Re: Auth fallback

 
Hi there,

Here is a session with the same parameters initiated in PuTTY:

2013-08-05 15:36:14 Looking up host "10.57.22.10"
2013-08-05 15:36:14 Connecting to 10.57.22.10 port 22
2013-08-05 15:36:14 Server version: SSH-2.0-OpenSSH_5.6
2013-08-05 15:36:14 Using SSH protocol version 2
2013-08-05 15:36:14 We claim version: SSH-2.0-PuTTY_Release_0.62
2013-08-05 15:36:14 Doing Diffie-Hellman group exchange
2013-08-05 15:36:14 Doing Diffie-Hellman key exchange with hash SHA-256
2013-08-05 15:36:14 Host key fingerprint is:
2013-08-05 15:36:14 ssh-rsa 2048 2e:05:06:0d:cb:53:3e:85:90:95:41:ab:f1:3e:a7:f9
2013-08-05 15:36:14 Initialised AES-256 SDCTR client->server encryption
2013-08-05 15:36:14 Initialised HMAC-SHA1 client->server MAC algorithm
2013-08-05 15:36:14 Initialised AES-256 SDCTR server->client encryption
2013-08-05 15:36:14 Initialised HMAC-SHA1 server->client MAC algorithm
2013-08-05 15:36:14 Pageant is running. Requesting keys.
2013-08-05 15:36:14 Pageant has 1 SSH-2 keys
2013-08-05 15:36:16 Writing new session log (raw mode) to file: putty.log
2013-08-05 15:36:26 Trying Pageant key #0
2013-08-05 15:36:26 Server refused our key
2013-08-05 15:36:26 Attempting keyboard-interactive authentication


As you can see, PuTTY is aware of the private key loaded in Pageant and tries to authenticate with it, but after the server refuses the key it switches to keyboard-interactive authentication, so you can then log in with user/pass.

Thanks,
Bean

Monday, August 5, 2013 6:38 PM - Support

Re: Auth fallback

 
The log shows there is only one private key in the PuTTY agent. The same error will occur if multiple keys are sent by the PuTTY agent. Also, if you have only one private key in Xshell Xagent, it will fall back to another authentication mode.

Please try reducing the number of unused private keys in Xshell.

---
Technical Support

Monday, August 5, 2013 10:39 PM - Bean

Re: Auth fallback

 
OK, you're right. I have tested it with 7 keys with PuTTY, and I got the same error message as with Xshell.
Thanks for your help!
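
The diagnosis reached in this thread, as an added example that is not part of the original posts and is not NetSarang or PuTTY code: every agent key the server rejects uses up one of its limited authentication attempts, so an agent holding many keys gets disconnected before a fallback method can be tried. The script reads the two trace formats quoted above; the limit of 6 is an assumption (OpenSSH's default MaxAuthTries), since the server's configuration is not shown in the thread.

```python
import re

# Assumption: the server runs with OpenSSH's default MaxAuthTries of 6.
# The thread never shows the server's sshd_config.
ASSUMED_MAX_AUTH_TRIES = 6

HELD = re.compile(r"Received (\d+) identity-blob\(s\)|Pageant has (\d+) SSH-2 keys")
OFFER = re.compile(r"Trying next identity blob|Trying Pageant key #\d+")
FALLBACK = re.compile(r"Attempting keyboard-interactive authentication")
CLOSED = re.compile(r"Connection closed by foreign host|Too many authentication failures")

# Abridged from the Xshell trace in the first post: 7 keys held, 6 offered.
_PAIR = ("[12:17:16] Trying next identity blob...\n"
         "[12:17:16] Server rejected the public blob.\n")
XSHELL_TRACE = ("[12:17:16] Received 7 identity-blob(s) from ssh-agent.\n"
                + _PAIR * 5
                + "[12:17:16] Trying next identity blob...\n"
                  "Connection closed by foreign host.\n")

# Abridged from the PuTTY event log in the third post: 1 key, then fallback.
PUTTY_TRACE = """\
2013-08-05 15:36:14 Pageant has 1 SSH-2 keys
2013-08-05 15:36:26 Trying Pageant key #0
2013-08-05 15:36:26 Server refused our key
2013-08-05 15:36:26 Attempting keyboard-interactive authentication
"""

def analyse(trace, max_tries=ASSUMED_MAX_AUTH_TRIES):
    """Summarise agent key offers in a client trace against the attempt budget."""
    held = offers = 0
    fell_back = disconnected = False
    for line in trace.splitlines():
        m = HELD.search(line)
        if m:
            held = int(m.group(1) or m.group(2))
        elif OFFER.search(line):
            offers += 1
        elif FALLBACK.search(line):
            fell_back = True
        elif CLOSED.search(line):
            disconnected = True
    # An agent holding at least max_tries keys can spend every attempt on
    # rejected public keys, leaving none for password/keyboard-interactive.
    return {"agent_keys": held, "offers": offers, "fell_back": fell_back,
            "disconnected": disconnected, "agent_can_exhaust_budget": held >= max_tries}

if __name__ == "__main__":
    for name, trace in (("Xshell", XSHELL_TRACE), ("PuTTY", PUTTY_TRACE)):
        print(name, analyse(trace))
```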