
[Bug 696] PAM modules getting bypassed when connecting from f-secure ssh client to openssh 3.7p1 or 3.7.1p1 servers
http://bugzilla.mindrot.org/show_bug.cgi?id=696

Summary: PAM modules getting bypassed when connecting from f-secure ssh client to openssh 3.7p1 or 3.7.1p1 servers
Product: Portable OpenSSH
Version: 3.7.1p1
Platform: Sparc
OS/Version: Solaris
Status: NEW
Severity: minor
Priority: P2
Component: PAM support
AssignedTo: openssh-bugs@mindrot.org
ReportedBy: swamitj@yahoo.com


OpenSSH 3.7.1p1 and 3.7p1 were compiled with PAM support. When we try to
connect in (to the OpenSSH 3.7.1p1/3.7p1 server) from F-Secure ssh clients, the
PAM modules are totally getting bypassed. Is there a way to fix this?

However, there are no problems connecting in from OpenSSH clients (PAM works
fine).

The options that were used here were similar to the options used to compile
OpenSSH 3.6p1. No problems are encountered when connecting to a 3.6p1 server
either from an OpenSSH client or an F-Secure ssh client.



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

djm@mindrot.org changed:

What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |WORKSFORME



------- Additional Comments From djm@mindrot.org 2003-09-22 10:09 -------
Read the comment next to UsePAM in sshd_config.




swamitj@yahoo.com changed:

What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |REOPENED
Resolution|WORKSFORME |



------- Additional Comments From swamitj@yahoo.com 2003-09-22 11:31 -------
PasswordAuthentication is set to no and
UsePAM is set to yes on the sshd_config file

Running sshd in debug mode while trying to connect in shows PAM modules
being invoked while coming in from openssh clients but not from f-secure.








------- Additional Comments From dtucker@zip.com.au 2003-09-22 11:39 -------
Are your F-Secure clients configured to use keyboard-interactive authentication?








------- Additional Comments From jason@devrandom.org 2003-09-22 11:51 -------
F-Secure SSH client for me (on OpenVMS) works fine with UsePAM=yes and
PasswordAuthentication=no for the ssh client:

SYS$ ssh2 "jmccormick@rowan"
Keyboard-interactive:
Password:

Authentication successful.
[jmccormick@rowan jmccormick]$

My F-Secure install by default seems to be using keyboard-interactive as I'm not
explicitly enabling it anywhere.








------- Additional Comments From swamitj@yahoo.com 2003-09-22 12:37 -------
Yes, the clients are configured to use keyboard-interactive. The same client
connects fine to a 3.6p1 server (no problems with PAM) but has problems talking
with 3.7p1 or 3.7.1p1.









------- Additional Comments From swamitj@yahoo.com 2003-09-22 23:21 -------
The same problem has been noticed on SecureCRT and PuTTY clients as well. The
only client that seems to work so far is the openssh client.




swamitj@yahoo.com changed:

What |Removed |Added
----------------------------------------------------------------------------
Severity|minor |major










------- Additional Comments From djm@mindrot.org 2003-09-24 07:25 -------
You will have to provide more evidence. A debug trace from the server perhaps?

Are you using 3.7.1p2?








------- Additional Comments From swamitj@yahoo.com 2003-09-24 07:54 -------
Created an attachment (id=463)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=463&action=view)
Debug output from the server and verbose o/p from the client side(both f-secure
and openssh)

Yes, we upgraded to 3.7.1p2 and the problem still persists. Setting UsePAM to
yes and PasswordAuthentication to no, the f-secure client is not able to log in
to the machine at all.




djm@mindrot.org changed:

What                      |Removed                   |Added
----------------------------------------------------------------------------
Attachment #463 mime type |application/octet-stream  |text/plain






djm@mindrot.org changed:

What |Removed |Added
----------------------------------------------------------------------------
Status|REOPENED |RESOLVED
Resolution| |WORKSFORME



------- Additional Comments From djm@mindrot.org 2003-09-24 08:15 -------
You are not even trying challenge response authentication. Try connecting using
ssh protocol 2 or looking for a f-secure option "tisauthentication" or similar
to enable challenge-response for protocol 1.

This does work (it has been tested by a number of developers) - the problem is
at the client.



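A way to check from server logs which authentication methods a client actually requested, the question the last comment in this thread turns on. This is an added example, not part of the thread or of OpenSSH; it assumes protocol 2 connections and syslog-style sshd lines at debug level, and the sample log is constructed.

```python
import re
from collections import defaultdict

# Constructed sample: syslog-style sshd lines at LogLevel DEBUG (protocol 2).
SAMPLE_LOG = """\
sshd[4101]: debug1: userauth-request for user alice service ssh-connection method none
sshd[4101]: debug1: userauth-request for user alice service ssh-connection method keyboard-interactive
sshd[4101]: Accepted keyboard-interactive/pam for alice from 192.0.2.10 port 40122 ssh2
sshd[4102]: debug1: userauth-request for user bob service ssh-connection method none
sshd[4102]: debug1: userauth-request for user bob service ssh-connection method password
sshd[4102]: Failed password for bob from 192.0.2.11 port 40190 ssh2
sshd[4103]: debug1: userauth-request for user carol service ssh-connection method none
sshd[4103]: debug1: userauth-request for user carol service ssh-connection method publickey
sshd[4103]: Accepted publickey for carol from 192.0.2.12 port 40201 ssh2
"""

REQUEST = re.compile(r"sshd\[(\d+)\]: debug1: userauth-request for user (\S+) "
                     r"service \S+ method (\S+)")
RESULT = re.compile(r"sshd\[(\d+)\]: (Accepted|Failed) (\S+) for "
                    r"(?:(?:invalid|illegal) user )?(\S+) from")

def summarize(log_text):
    """Return {pid: {"user", "tried", "result", "used_kbdint"}} per sshd session."""
    sessions = defaultdict(lambda: {"user": None, "tried": [], "result": None})
    for line in log_text.splitlines():
        m = REQUEST.search(line)
        if m:
            pid, user, method = m.groups()
            sessions[pid]["user"] = user
            # "none" is the client's initial probe for the method list, not a real attempt.
            if method != "none" and method not in sessions[pid]["tried"]:
                sessions[pid]["tried"].append(method)
            continue
        m = RESULT.search(line)
        if m:
            pid, outcome, method, user = m.groups()
            sessions[pid]["user"] = user
            sessions[pid]["result"] = (outcome, method)
    for s in sessions.values():
        s["used_kbdint"] = "keyboard-interactive" in s["tried"]
    return dict(sessions)

def never_tried_kbdint(log_text):
    """PIDs of sessions whose client never requested keyboard-interactive."""
    return sorted(p for p, s in summarize(log_text).items() if not s["used_kbdint"])

if __name__ == "__main__":
    for pid, s in summarize(SAMPLE_LOG).items():
        print(pid, s["user"], s["tried"], s["result"], s["used_kbdint"])
```

Sessions returned by `never_tried_kbdint` are the ones where the client side, not the server's PAM stack, decided that no keyboard-interactive exchange took place.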