I recently recalled a memory of when I had once, a fair while ago, accidentally tried to login to the wrong (mistyped) SSH server, and it allowed me access without the correct credentials: null authentication.
I thought nothing of it at the time, but thinking back: is this suspicious?
Is there a legitimate reason for this, or would this have been something malicious?
I am not at all worried for my own security now, just curious.
There are certainly legitimate reasons for this. Users only need to authenticate if you care about who they are. In the same way that some website or FTP servers require credentials to access and others are anonymously available, you can have the same thing for SSH servers (although it's rather less common).
And it could also be that the application running on the server performs some of its own authentication separate to the SSH protocol.
For instance, there are servers used to host games that allow anyone to SSH into them. The alt.org NetHack server allows anyone to SSH in with just the nethack username and no password (or even to connect over Telnet):
To play NetHack on this server, just telnet alt.org (on normal port 23 or port 14321) or ssh [email protected].
And then once you're connected, you're prompted to login to the game itself:
## nethack.alt.org - http://nethack.alt.org/ ## ## Games on this server are recorded for in-progress viewing and playback! Not logged in. l) Login r) Register new user w) Watch games in progress The other common instance where you'd see SSH servers accepting any (or empty) credentials would be a honeypot - which can be used both to find out what credentials attackers are trying, and what they do if they manage to successfully authenticate.
keyboard-interactive authentication until the login or lack thereof. Keyboard-interactive sends the whole field at once, to prevent keyboard timing attacks, and also can put the client OS in protected password entry mode. It depends on what you mean by "null authentication," whether this fits: I like this privacy demonstrator by Filippo Valsorda. It'll let anyone in, but points out that the server can look you up on GitHub by the public keys you sent it.
whoami.filippo.io
An ssh server that knows who you are.
Try it (it's harmless)
ssh whoami.filippo.ioED25519 key fingerprint is
SHA256:qGAqPqtlvFBCt4LfMME3IgJqZWlcrlBMxNmGjhLVYzY.
RSA key fingerprint isSHA256:O6zDQjQws92wQSA41wXusKquKMuugPVM/oBZXNmfyvI.
There is also the example of the ASCII cinema available at ssh starwarstel.net.
towel.blinkenlights.nl - good to see that it's still floating around. ssh -o IdentitiesOnly=yes -o IdentityFile=/dev/null whoami.filippo.io. The source code is in the GitHub repo I linked, though you have to take it on faith that Valsorda's server is running just that code. Another reason to allow null authentication is for an ssh honeypot. Any login triggers an alert that can help you know that someone's poking around your network looking for trouble.
One such honeypot is here sshesame.
A perfectly legitimate (and somewhat of a bad security practice) is to have no password on a brand new (or reset to factory defaults) networked device.
You power it up, you login with no password, you set password first and all other settings next.
Yes, you can use NULL auth if you have a public service which doesn't require any form of strong authentication. Not a regular SSH login to UNIX shell, but some uncommon form of service which still uses SSH protocol and its features.
See my public SSH jump host: https://ssh-j.com. You don't need a password or a key to use it.
Or, for example, SSH chat: https://shazow.net/posts/ssh-how-does-it-even/
