SSH Authentication issue.

When I am trying to connect to a server using ssh, I happen to see the following statements in the server side logs:

none for user User rejected because it is unavailable
password for user User accepted

I am able to connect to the server, but I am getting that "rejected" message in logs.

What I want to do is to eliminate that message. So when I did some digging around I came to know that the "none" authentication method is used to determine the types of authentication methods available and only in rare cases is the "none" authentication method supported by the server.

So is there any way I can tell the ssh not to use the "none" authentication method?

I already tried specifying the preferred authentication method using:

-o PreferredAuthentications=password

but still I am getting that error message.

So is there any way I can tell ssh not to use the none authentication method?

Thanks.

What is the output after your ssh tries?

# ssh -o PreferredAuthentications=none serverIP

Is the connection OK although the "rejected .." message is logged?

In that case it just displays the possible authentication methods and exits. But if I give the method as "password", first it is taking "none" and then taking "password". The connection is OK.

When connecting to a server with ssh if there is a public key/private key authentication token between server, the ssh will try to use that key. If for some reason the key does not work, then ssh will try asking for a password. Key based authentication won't work if the .ssh directory is world or group writable, readable or executable or the home directory is world writable. You may want to check the permissions on your home and .ssh directories.

Look at your sshd_config file. Is PermitEmptyPasswords set to yes? If so, try turning it off.

OK, I understand the issue. This happened from the ssh server and I guess this is mandatory. Maybe you are using VShell,
and if there is a parameter with a name like "NoneAuthentication" method, I'm not sure if this can be eliminated by this, but you can just try.

# ssh -o PreferredAuthentications=password -o NoneAuthentication=no serverIp

Or you can use ssh-1, but I think your server does not permit this, and this cannot be preferred.
And you can look at more info at the links below.

Inside SSH-2 (SSH, The Secure Shell: The Definitive Guide)

The SSH-2 protocol is more flexible: the server informs the client which authentication methods are usable at any point in the exchange, 
as opposed to just once at the beginning of the connection, as in SSH-1. 

Thus, an SSH-2 server can, for example, decide to disallow public-key authentication after two unsuccessful attempts 
but still continue allowing the password method only. 
One use of this feature is interesting to note. 

SSH-2 clients usually first make an authentication request using a special method, "none." 
It always fails and returns the real authentication methods permitted by the server. 
If you see puzzling references in the SSH logs indicating that the method "none" has "failed," now you know what's going on (and it's normal).

And for an issue like yours, you can get some info here:
https://forums.vandyke.com/showthread.php?t=11413

regards
ygemici
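The exchange the quoted book passage describes, as an added example that is not part of the original thread or of any SSH implementation: it builds and parses the SSH_MSG_USERAUTH_REQUEST carrying method "none" and the SSH_MSG_USERAUTH_FAILURE reply that lists the usable methods, using the field layout from RFC 4252. The user name and method list are constructed sample values, and transport-layer framing and encryption are left out.

```python
import struct

SSH_MSG_USERAUTH_REQUEST = 50  # message numbers from RFC 4252
SSH_MSG_USERAUTH_FAILURE = 51

def ssh_string(data: bytes) -> bytes:  # uint32 big-endian length + bytes
    return struct.pack(">I", len(data)) + data

def read_string(buf: bytes, off: int):
    """Read one SSH string at offset `off`; return (bytes, next offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("truncated string field")
    return buf[off + 4:end], end

def build_none_request(user: str, service: str = "ssh-connection") -> bytes:
    """Client probe: method 'none' carries no method-specific fields."""
    return (bytes([SSH_MSG_USERAUTH_REQUEST]) + ssh_string(user.encode())
            + ssh_string(service.encode()) + ssh_string(b"none"))

def build_failure(methods, partial_success: bool = False) -> bytes:
    """Server reply: name-list of methods that can continue, then a boolean."""
    return (bytes([SSH_MSG_USERAUTH_FAILURE])
            + ssh_string(",".join(methods).encode())
            + bytes([1 if partial_success else 0]))

def parse_request(payload: bytes):
    if not payload or payload[0] != SSH_MSG_USERAUTH_REQUEST:
        raise ValueError("not a USERAUTH_REQUEST")
    user, off = read_string(payload, 1)
    service, off = read_string(payload, off)
    method, off = read_string(payload, off)
    return user.decode(), service.decode(), method.decode()

def parse_failure(payload: bytes):
    if not payload or payload[0] != SSH_MSG_USERAUTH_FAILURE:
        raise ValueError("not a USERAUTH_FAILURE")
    names, off = read_string(payload, 1)
    if off >= len(payload):
        raise ValueError("missing partial-success flag")
    methods = names.decode().split(",") if names else []
    return methods, payload[off] != 0

if __name__ == "__main__":
    print(parse_request(build_none_request("User")))  # constructed user name
    print(parse_failure(build_failure(["publickey", "password"])))
```

The server-side "none ... rejected" log line corresponds to the first message; the client learns the method list from the second and then sends its real request.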

Thanks for the reply, but from that other issue that you posted, I got to know that this is a default behavior. But it does not say how to avoid using "none" authentication method.

I tried with the NoneAuthentication option and it says it is not supported.

command-line: line 0: Bad configuration option: NoneAuthentication
Connection closed

What is your operating system, and what is your ssh version?
For your ssh version, then add some options like the one below, if it has them in its specs.

AllowedAuthentications hostbased,publickey,password

My client is HP-UX and the remote server is windows 2008 server and in that I am running the vShell.

What I am doing now is to open a sftp session from the HP-UX to vShell.

I need to make changes in HPUX only.

I tried setting this option, but to no effect:

# allow the use of the none cipher
NoneEnabled no

chacko193,

1 - The (Open)SSH client asks the server for auth methods as part of normal ssh client work, as a userauth request
(because almost all ssh clients want to know which auth methods the server supports),
and as far as I know this behaviour cannot be changed by adding parameters for the OpenSSH client,
and therefore you must change the server config.

If there is a possibility of using different ssh clients, then maybe you can do this.
For example, I tested the Bitvise ssh client with the "initial method" option set to any (password, pubkey, gssapi, keyboard-interactive..)
and this is a success, so "ssh-connection method none [preauth]" is not logged in any mode (debug[1-3], verbose or any others).
Lastly, this ssh client allows choosing whichever authentication methods we want...

And you will not see the "rejected ....." message in your server logs.
This is just a choice. I don't know its applicability.

******************************************************

2 - I wanted to test the VShell server but I can't download it.

Below is the answer to me from VanDyke, and they give a late response.


Hello Yucel,

Thank you for your interest in VShell(R).

We apologize for the inconvenience, unfortunately, U.S.
export regulations do not allow automated downloads to some
countries.

However, by providing some additional information, you can
still download and evaluate VShell.

.............

Sincerely,


Leslie Tyk
Orders Department
VanDyke Software, Inc.
505-332-5710
505-332-5701 (fax)
sales@vandyke.com
www.vandyke.com

3 - You can check the log level on the server side (sshd_config -> vshelld_config).

a-) What is the output?

# findstr /I Log "vshelld_config"

a-1) Let's try - we have to change this

LogTopicAuthentication xxxx

to

LogTopicAuthentication false

b-) What is the output?

# findstr /I Authentications "vshelld_config"

b-1) Let's try - we have to change this

AuthenticationsAllowed xxxx

to

AuthenticationsAllowed publickey, password

and

AuthenticationsRequired xxxx

to

AuthenticationsRequired publickey, password

******************************************************

4 - And ask (open a case with) vandyke.com,
or check syslog.conf to eliminate these messages.

******************************************************

5 - And it is not related to the ssl ciphers.

regards
ygemici


Thanks Ygemici for your reply!!

I have already tried out not logging the "auth" events in vShell and that seems to work.

I got to thinking that since the client is initiating the ssh session, it will be the client that sends the "none" auth method request and from my other searches was able to confirm this as well. So I came to the conclusion that there will be some option within the ssh config files which prevents sending out the "none" auth request and hence my futile searches.

I will try out the rest of your suggestions and get back to you when I have some results.

---------- Post updated at 11:30 PM ---------- Previous update was at 11:26 AM ----------

I tried changing the AuthenticationsAllowed and AuthenticationsRequired to "password" only in vShell, but still it is using the "none" authentication first and then only it is going for password.

---------- Post updated 05-27-14 at 04:42 AM ---------- Previous update was 05-26-14 at 11:30 PM ----------

I have one query. You said you were able to connect to server with any initial auth method using bitvise client. I also tried that and noticed the same, i.e., I am not getting that "none rejected" message.

So how is this bitvise client able to choose the initial auth method? If they are able to do it, why cannot we do the same. After all they too will be using the same open-ssh only (may be with some modifications). And I think it is the only one where none is listed as an auth method.

---------- Post updated at 07:42 AM ---------- Previous update was at 04:42 AM ----------

It is set to no. Initially it was commented out. Tried with that parameter set to "no" and still it is taking "none" as initial authentication method.

The Bitvise ssh client (executable) has different code, and it does not send the none method to the ssh server to learn the auth methods (its source code files are written in that way).
And it does not use the OpenSSH sources; it uses the FlowSsh libraries and is compiled from C++ for Windows.

Well I always knew that was not going to work. But worth a try.

Thanks for clearing it up

Then you can go this way:

-> download the source code openssh 6.x.x tar.gz
(for exa openssh-6.4p1)

-> change the line like below in "sshconnect2.c"

int
userauth_none(Authctxt *authctxt)
{
        /* initial userauth request */
        /* debug(" --> I am in the userauth_none function"); */
        packet_start(SSH2_MSG_USERAUTH_REQUEST);
        packet_put_cstring(authctxt->server_user);
        packet_put_cstring(authctxt->service);
        /* was: packet_put_cstring(authctxt->method->name); */
        packet_put_cstring("");
        packet_send();
        return 1;
}

-> compile it..

# cd openssh-6.4p1 && chmod +x ./configure ./mkinstalldirs && ./configure --with-md5-passwords --with-pam --with-ssl-dir=/YOUR_OPENSSL_PATH/ \
--with-zlib=/YOUR_ZLIB_DIRECTORY/ -with-libs --prefix=/usr/local/sshwithoutnone/ && make && make install

-> and then run

# /usr/local/sshwithoutnone/bin/ssh -l sshuser remotehost

Note: the "--with-pam" option requires the pam-devel package.

regards
ygemici

I don't think I will be able to edit the openssh source code. We are using ssh that comes bundled with the HP-UX.

Now I can stop trying to avoid using "none" and try to suppress the logs.

But thanks anyway. :)

Finally, your request is solvable in two ways.

  • From the ssh server, via "vshelld_config" (but this avoids all auth messages along with none),
    with the modification
LogTopicAuthentication xxxx -> LogTopicAuthentication false
  • From the ssh client, by building the OpenSSH source code or using different ssh client solutions (like Bitvise)

Good work :)

regards
ygemici


Thanks a lot ygemici for your support :)
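An alternative to switching off LogTopicAuthentication entirely, as an added example that is not part of the thread or of VShell: a post-filter that drops a "none ... rejected" line only when the same user is accepted within the next few lines, so failed logins and unanswered probes stay visible. The regular expression assumes the message shape of the two log lines quoted at the top of the thread; the sample lines, the other user names and the wrong-password wording are constructed.

```python
import re

# Message shape taken from the two log lines quoted in the thread. Any prefix
# a real log adds (timestamp, session id) is an assumption and is ignored,
# because search() matches anywhere in the line.
AUTH_RE = re.compile(
    r"(?P<method>\S+) for user (?P<user>\S+) (?P<result>accepted|rejected)"
)

def filter_auth_log(lines, window=5):
    """Return `lines` with benign 'none' probes removed.

    A 'none ... rejected' line is dropped only when the same user has an
    'accepted' line within the next `window` lines. Everything else is kept,
    including probes that are never followed by a successful login.
    """
    parsed = [AUTH_RE.search(line) for line in lines]
    kept = []
    for i, (line, m) in enumerate(zip(lines, parsed)):
        if m and m["method"] == "none" and m["result"] == "rejected":
            followed_by_login = any(
                n and n["user"] == m["user"] and n["result"] == "accepted"
                for n in parsed[i + 1 : i + 1 + window]
            )
            if followed_by_login:
                continue  # routine method-list probe before a real login
        kept.append(line)
    return kept

# Constructed sample log, not captured from a real server.
SAMPLE = [
    "none for user User rejected because it is unavailable",
    "password for user User accepted",
    "none for user admin rejected because it is unavailable",
    "password for user admin rejected because the password is wrong",
    "none for user backup rejected because it is unavailable",
]

if __name__ == "__main__":
    for line in filter_auth_log(SAMPLE):
        print(line)
```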