Bug#1035754: openssh-server: PermitEmptyPasswords=yes causes login to take 2-4s by enabling PAM password check

Mon, 08 May 2023 11:03:21 -0700 

Package: openssh-server
Version: 1:8.4p1-5+deb11u1
Severity: normal
X-Debbugs-Cc: z...@za3k.com

Dear Maintainer,

* What led up to the situation?
    Enable the following options in sshd_config:

    PermitEmptyPasswords yes
    PasswordAuthentication no # Also the default. Confirming order doesn't 
matter.

    Log in using an ssh key. 

* What was the outcome of this action?
    This takes 2000-4000ms on my server. I suspect the slowness is from PAM 
checking passwords somehow.

    The relevant log lines from the server:
        
        May 08 13:53:48 germinate sshd[2561718]: debug1: Forked child 3847417.
        May 08 13:53:48 germinate sshd[3847417]: debug1: Set 
/proc/self/oom_score_adj to 0
        May 08 13:53:48 germinate sshd[3847417]: debug1: rexec start in 5 out 5 
newsock 5 pipe 7 sock 8
        May 08 13:53:48 germinate sshd[3847417]: debug1: inetd sockets after 
dupping: 4, 4
        May 08 13:53:48 germinate sshd[3847417]: Connection from 192.168.1.100 
port 54350 on 192.168.1.17 port 22 rdomain ""
        May 08 13:53:48 germinate sshd[3847417]: debug1: Local version string 
SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u1
        May 08 13:53:48 germinate sshd[3847417]: debug1: Remote protocol 
version 2.0, remote software version OpenSSH_9.3
        May 08 13:53:48 germinate sshd[3847417]: debug1: match: OpenSSH_9.3 pat 
OpenSSH* compat 0x04000000
        May 08 13:53:48 germinate sshd[3847417]: debug1: permanently_set_uid: 
106/65534 [preauth]
        May 08 13:53:48 germinate sshd[3847417]: debug1: list_hostkey_types: 
rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
        May 08 13:53:48 germinate sshd[3847417]: debug1: SSH2_MSG_KEXINIT sent 
[preauth]
        May 08 13:53:48 germinate sshd[3847417]: debug1: SSH2_MSG_KEXINIT 
received [preauth]
        May 08 13:53:48 germinate sshd[3847417]: debug1: kex: algorithm: 
curve25519-sha256 [preauth]
        May 08 13:53:48 germinate sshd[3847417]: debug1: kex: host key 
algorithm: ecdsa-sha2-nistp256 [preauth]
        May 08 13:53:48 germinate sshd[3847417]: debug1: kex: client->server 
cipher: chacha20-poly1...@openssh.com MAC: <implicit> compression: none 
[preauth]
        May 08 13:53:48 germinate sshd[3847417]: debug1: kex: server->client 
cipher: chacha20-poly1...@openssh.com MAC: <implicit> compression: none 
[preauth]
        May 08 13:53:48 germinate sshd[3847417]: debug1: expecting 
SSH2_MSG_KEX_ECDH_INIT [preauth]
        May 08 13:53:48 germinate sshd[3847417]: debug1: rekey out after 
134217728 blocks [preauth]
        May 08 13:53:48 germinate sshd[3847417]: debug1: SSH2_MSG_NEWKEYS sent 
[preauth]
        May 08 13:53:48 germinate sshd[3847417]: debug1: Sending 
SSH2_MSG_EXT_INFO [preauth]
        May 08 13:53:48 germinate sshd[3847417]: debug1: expecting 
SSH2_MSG_NEWKEYS [preauth]
        May 08 13:53:48 germinate sshd[3847417]: debug1: SSH2_MSG_NEWKEYS 
received [preauth]
        May 08 13:53:48 germinate sshd[3847417]: debug1: rekey in after 
134217728 blocks [preauth]
        May 08 13:53:48 germinate sshd[3847417]: debug1: KEX done [preauth]
        May 08 13:53:48 germinate sshd[3847417]: debug1: userauth-request for 
user zachary service ssh-connection method none [preauth]
        May 08 13:53:48 germinate sshd[3847417]: debug1: attempt 0 failures 0 
[preauth]
        May 08 13:53:48 germinate sshd[3847417]: debug1: user zachary matched 
'User zachary' at line 133
        May 08 13:53:48 germinate sshd[3847417]: debug1: PAM: initializing for 
"zachary"
        May 08 13:53:48 germinate sshd[3847417]: debug1: PAM: setting PAM_RHOST 
to "192.168.1.100"
        May 08 13:53:48 germinate sshd[3847417]: debug1: PAM: setting PAM_TTY 
to "ssh"
        May 08 13:53:48 germinate sshd[3847417]: pam_unix(sshd:auth): 
authentication failure; logname= uid=0 euid=0 tty=ssh ruser= 
rhost=192.168.1.100  user=zachary
        May 08 13:53:50 germinate sshd[3847417]: debug1: PAM: password 
authentication failed for zachary: Authentication failure
        May 08 13:53:50 germinate sshd[3847417]: Failed none for zachary from 
192.168.1.100 port 54350 ssh2
        May 08 13:53:51 germinate sshd[3847417]: debug1: userauth-request for 
user zachary service ssh-connection method publickey [preauth]
        May 08 13:53:51 germinate sshd[3847417]: debug1: attempt 1 failures 0 
[preauth]
        May 08 13:53:51 germinate sshd[3847417]: debug1: userauth_pubkey: test 
pkalg rsa-sha2-512 pkblob RSA 
SHA256:Zt8jjAh4Z8iQ1+219IV7eNmSnQ154QbBoJ947jVEDDk [preauth]
        May 08 13:53:51 germinate sshd[3847417]: debug1: temporarily_use_uid: 
1000/1000 (e=0/0)
        May 08 13:53:51 germinate sshd[3847417]: debug1: trying public key file 
/home/zachary/.ssh/authorized_keys
        May 08 13:53:51 germinate sshd[3847417]: debug1: fd 5 clearing 
O_NONBLOCK
        May 08 13:53:51 germinate sshd[3847417]: debug1: 
/home/zachary/.ssh/authorized_keys:1: matching key found: RSA 
SHA256:Zt8jjAh4Z8iQ1+219IV7eNmSnQ154QbBoJ947jVEDDk
        May 08 13:53:51 germinate sshd[3847417]: debug1: 
/home/zachary/.ssh/authorized_keys:1: key options: agent-forwarding 
port-forwarding pty user-rc x11-forwarding
        May 08 13:53:51 germinate sshd[3847417]: Accepted key RSA 
SHA256:Zt8jjAh4Z8iQ1+219IV7eNmSnQ154QbBoJ947jVEDDk found at 
/home/zachary/.ssh/authorized_keys:1
        May 08 13:53:51 germinate sshd[3847417]: debug1: restore_uid: 0/0
        May 08 13:53:51 germinate sshd[3847417]: Postponed publickey for 
zachary from 192.168.1.100 port 54350 ssh2 [preauth]
        May 08 13:53:51 germinate sshd[3847417]: debug1: userauth-request for 
user zachary service ssh-connection method publickey [preauth]
        May 08 13:53:51 germinate sshd[3847417]: debug1: attempt 2 failures 0 
[preauth]
        May 08 13:53:51 germinate sshd[3847417]: debug1: temporarily_use_uid: 
1000/1000 (e=0/0)
        May 08 13:53:51 germinate sshd[3847417]: debug1: trying public key file 
/home/zachary/.ssh/authorized_keys
        May 08 13:53:51 germinate sshd[3847417]: debug1: fd 5 clearing 
O_NONBLOCK
        May 08 13:53:51 germinate sshd[3847417]: debug1: 
/home/zachary/.ssh/authorized_keys:1: matching key found: RSA 
SHA256:Zt8jjAh4Z8iQ1+219IV7eNmSnQ154QbBoJ947jVEDDk
        May 08 13:53:51 germinate sshd[3847417]: debug1: 
/home/zachary/.ssh/authorized_keys:1: key options: agent-forwarding 
port-forwarding pty user-rc x11-forwarding
        May 08 13:53:51 germinate sshd[3847417]: Accepted key RSA 
SHA256:Zt8jjAh4Z8iQ1+219IV7eNmSnQ154QbBoJ947jVEDDk found at 
/home/zachary/.ssh/authorized_keys:1
        May 08 13:53:51 germinate sshd[3847417]: debug1: restore_uid: 0/0
        May 08 13:53:51 germinate sshd[3847417]: debug1: auth_activate_options: 
setting new authentication options
        May 08 13:53:51 germinate sshd[3847417]: debug1: do_pam_account: called
        May 08 13:53:51 germinate sshd[3847417]: Accepted publickey for zachary 
from 192.168.1.100 port 54350 ssh2: RSA 
SHA256:Zt8jjAh4Z8iQ1+219IV7eNmSnQ154QbBoJ947jVEDDk
        May 08 13:53:51 germinate sshd[3847417]: debug1: monitor_child_preauth: 
zachary has been authenticated by privileged process
        May 08 13:53:51 germinate sshd[3847417]: debug1: auth_activate_options: 
setting new authentication options [preauth]
        May 08 13:53:51 germinate sshd[3847417]: debug1: monitor_read_log: 
child log fd closed
        May 08 13:53:51 germinate sshd[3847417]: debug1: PAM: establishing 
credentials
        May 08 13:53:51 germinate sshd[3847417]: debug1: PAM: pam_setcred(): 
Failure setting user credentials
        May 08 13:53:51 germinate sshd[3847417]: pam_unix(sshd:session): 
session opened for user zachary(uid=1000) by (uid=0)
        May 08 13:53:51 germinate sshd[3847417]: User child is on pid 3868868

* What exactly did you do (or not do) that was effective (or ineffective)?
    Adding -o PasswordAuthentication=no to the ssh client invocation has no 
effect, nor does manually specifying -i.

    Removing the line PermitEmptyPasswords, it takes ~250ms on my server.

* What outcome did you expect instead?
    I expect "PasswordAuthentication no" to mean PAM does not check anything 
about passwords, and to override "PermitEmptyPasswords yes"

I believe this would affect upstream, but I can't confirm.

-- System Information:
Debian Release: 11.7
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-20-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_WARN, TAINT_OOT_MODULE, 
TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages openssh-server depends on:
ii  adduser                3.118
ii  debconf [debconf-2.0]  1.5.77
ii  dpkg                   1.20.12
ii  libaudit1              1:3.0-2
ii  libc6                  2.31-13+deb11u6
ii  libcom-err2            1.46.2-2
ii  libcrypt1              1:4.4.18-4
ii  libgssapi-krb5-2       1.18.3-6+deb11u3
ii  libkrb5-3              1.18.3-6+deb11u3
ii  libpam-modules         1.4.0-9+deb11u1
ii  libpam-runtime         1.4.0-9+deb11u1
ii  libpam0g               1.4.0-9+deb11u1
ii  libselinux1            3.1-3
ii  libssl1.1              1.1.1n-0+deb11u4
ii  libsystemd0            247.3-7+deb11u2
ii  libwrap0               7.6.q-31
ii  lsb-base               11.1.0
ii  openssh-client         1:8.4p1-5+deb11u1
ii  openssh-sftp-server    1:8.4p1-5+deb11u1
ii  procps                 2:3.3.17-5
ii  runit-helper           2.10.3
ii  ucf                    3.0043
ii  zlib1g                 1:1.2.11.dfsg-2+deb11u2

Versions of packages openssh-server recommends:
ii  libpam-systemd [logind]  247.3-7+deb11u2
ii  ncurses-term             6.2+20201114-2+deb11u1
ii  xauth                    1:1.1-1

Versions of packages openssh-server suggests:
pn  molly-guard   <none>
pn  monkeysphere  <none>
pn  ssh-askpass   <none>
pn  ufw           <none>

-- debconf information excluded

Reply via email to