How to test if ssh server allows passwords?

I want to test whether or not an ssh server allows passwords and immediately close the connection without actually attempting a login.



Something like this:



allows_password=$(ssh --some-option example.com)
if [ -z "$allows_password" ]; then
    echo "Insecure Server Options"
else
    echo "Insecure Password Access is not Allowed, Great!"
fi


I've actually done this once before, but I couldn't find the old script or docs. Sad day. :-/










    Are you sure? The ssh server can be configured to allow passwords for some users but not others. So you at least have to send a username to the server. At that point it will attempt to authenticate you...
    – Michael Hampton♦
    5 hours ago






    ssh -v will output debug1: Authentications that can continue: publickey,password, however @MichaelHampton is right, it's dependent on user. Some form of ansible/puppet to enforce practices would suit you better.
    – danblack
    5 hours ago










    I'm developing telebit.cloud, which enables remote access via ssh, among other things. People typically have very poor passwords on their personal computers, so I want to make sure I have a way to test for bad defaults and display a warning, in addition to checking /etc/ssh/sshd_config.
    – CoolAJ86
    4 hours ago














asked 5 hours ago by CoolAJ86







1 Answer
I found my old script:



ssh -v -n \
  -o Batchmode=yes \
  -o StrictHostKeyChecking=no \
  -o UserKnownHostsFile=/dev/null \
  DOES_NOT_EXIST@localhost 2>&1 | grep password


  • The -o Batchmode=yes option causes a non-interactive mode where a fallback to password results in failure.


  • The -v causes the authentication methods to be displayed.


  • The -n causes ssh to not open a shell (often used with tunneling), which in this case will cause it to immediately exit (just in case you're connecting to a honeypot or a service like serveo.net that allows clients without authentication)


  • -o StrictHostKeyChecking=no and -o UserKnownHostsFile=/dev/null automatically accept the host without writing it to the known-hosts file.


  • 2>&1 forwards debug messages (stderr) to the logging system (stdout) so that grep can do its magic


If password authentication is enabled for some users, it will show as enabled for all users (but fail after the prompt), as far as I can tell. I suspect this is so that you can't positively id that a user exists on the system.



And so that I don't lose it again: https://coolaj86.com/articles/testing-if-ssh-allows-passwords/






answered 5 hours ago by CoolAJ86, edited 1 hour ago
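
An added example, not part of the original answer or the author's script: it parses the `Authentications that can continue:` line that `ssh -v` prints (quoted in the comments) instead of grepping for `password`, so a host that never answered is reported as unknown rather than looking key-only. The function names and sample debug lines are constructed for illustration, and counting keyboard-interactive as password-capable is an assumption about PAM-style setups.

```shell
#!/bin/sh
# Added example: parse `ssh -v` debug output instead of grepping for "password".

# Print the comma-separated method list from the first
# "Authentications that can continue:" line on stdin (empty if none).
auth_methods() {
  sed -n 's/^debug1: Authentications that can continue: *//p' | head -n 1 | tr -d '\r'
}

# Classify a method list. keyboard-interactive is counted as well (assumption:
# PAM commonly uses it to ask for the account password).
classify_methods() {
  case ",$1," in
    ,,) echo unknown ;;
    *,password,*|*,keyboard-interactive,*) echo password-capable ;;
    *) echo key-only ;;
  esac
}

# Run the probe from the answer against host $1 and print its method list.
# Not called here, so the example runs offline.
probe() {
  ssh -v -n \
    -o BatchMode=yes \
    -o StrictHostKeyChecking=no \
    -o UserKnownHostsFile=/dev/null \
    "DOES_NOT_EXIST@$1" 2>&1 | auth_methods
}

# Constructed sample debug output (not captured from a real server).
SAMPLE_PW='debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: No more authentication methods to try.'
SAMPLE_KEY='debug1: Authentications that can continue: publickey
DOES_NOT_EXIST@localhost: Permission denied (publickey).'
SAMPLE_KBD='debug1: Authentications that can continue: publickey,keyboard-interactive'
SAMPLE_DOWN='ssh: connect to host localhost port 22: Connection refused'

for s in "$SAMPLE_PW" "$SAMPLE_KEY" "$SAMPLE_KBD" "$SAMPLE_DOWN"; do
  m=$(printf '%s\n' "$s" | auth_methods)
  printf '%s -> %s\n' "${m:-<no list>}" "$(classify_methods "$m")"
done
```

Against a live host, `classify_methods "$(probe localhost)"` gives the same three-way result.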



























             
