Mailing List Archive

[Bug 719] pam auth not working the same way
http://bugzilla.mindrot.org/show_bug.cgi?id=719

Summary: pam auth not working the same way
Product: Portable OpenSSH
Version: -current
Platform: Sparc
OS/Version: Solaris
Status: NEW
Severity: normal
Priority: P2
Component: PAM support
AssignedTo: openssh-bugs@mindrot.org
ReportedBy: stevebalm2000@yahoo.com


We recently upgraded from openssh-3.6.1p2 to openssh-3.7.1p2 and are now not
able to login. We rely on PAM authentication and our PAM configuration looks
like this:

sshd auth required /usr/lib/security/$ISA/pam_krb54.so.1 get_k4_tgt

This pam module is home-grown and gets both Kerb5 and Kerb4 tickets. I've tried
running sshd -d -d -d to figure out the problem here and I'm not sure what the
issue is. I'll attach the debug output shortly. Here is my /etc/ssh/sshd_config:

HostKey /etc/ssh/ssh_host_key
HostKey /etc/ssh/ssh_host_dsa_key
LoginGraceTime 600
IgnoreRhosts no
IgnoreUserKnownHosts yes
X11Forwarding yes
SyslogFacility DAEMON
HostbasedAuthentication yes
RhostsRSAAuthentication yes
Subsystem sftp /usr/local/libexec/sftp-server

Where should I be looking to track this down? Does my pam.conf need to be
updated for the new openssh? Does my local pam need to be modified to work with
the new openssh? Also, please let me know what other information would be
helpful in debugging this.

Thanks.



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

------- Additional Comments From jason@devrandom.org 2003-09-26 11:13 -------
Do you have "UsePam yes" in your sshd_config file? 3.7.1p2 by default
configuration now ships with PAM disabled. You *must* specify "UsePam yes" in
your sshd_config for PAM to work with OpenSSH. This is a change in the default
behavior between 3.7.1p1 and 3.7.1p2.




------- Additional Comments From stevebalm2000@yahoo.com 2003-09-26 11:14 -------
Created an attachment (id=469)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=469&action=view)
Output from "sshd -p 30 -d -d -d"

I was able to login using v3.6.1p2




------- Additional Comments From stevebalm2000@yahoo.com 2003-09-26 11:17 -------
Created an attachment (id=470)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=470&action=view)
Output from "sshd -p 30 -d -d -d"

I was not able to login using v3.7.1p2

Btw, here is uname -a info:

SunOS trouble 5.9 Generic_112233-08 sun4u sparc SUNW,Ultra-5_10




------- Additional Comments From stevebalm2000@yahoo.com 2003-09-26 11:24 -------
I added "UsePAM yes" to sshd_config and now I get my PAM conversation prompt and
my login is successful. The sshd_config that ships with 3.7.1p2 should be
updated to show that "UsePAM no" is the default now.

Is there any way to avoid the PAM conversation prompt and use the OpenSSH
password prompt as 3.6.1p2 used to do?




------- Additional Comments From stevebalm2000@yahoo.com 2003-09-26 12:24 -------
Also, is it possible to use privilege separation and pam at the same time?




------- Additional Comments From djm@mindrot.org 2003-09-27 09:38 -------
No, PAM is fundamentally a challenge-response system. The old password auth code
worked by ASSuMEing that there would only be a single prompt and that the prompt
would be for a password.

(FYI, The UsePAM entry in sshd_config has been corrected)
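
Added example, not part of the original thread or of OpenSSH: a shell check for the misconfiguration diagnosed above, where pam.conf carries sshd entries but sshd_config never enables UsePAM. It assumes case-insensitive keywords, first occurrence wins, the "no" default stated in the thread, and a Solaris-style pam.conf with the service name in the first field; the function names are hypothetical.

```shell
#!/bin/sh
# Report the UsePAM value sshd would take from the given sshd_config.
# Assumptions: keywords are case-insensitive, the first occurrence of a
# keyword wins, and an absent UsePAM means "no" (the 3.7.1p2 default
# described in this thread).
effective_usepam() {    # $1 = path to sshd_config
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }    # skip comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            # keyword and value are separated by whitespace or a single "="
            n = split(line, f, /[ \t]*=[ \t]*|[ \t]+/)
            if (tolower(f[1]) == "usepam" && n >= 2) {
                print tolower(f[2]); found = 1; exit
            }
        }
        END { if (!found) print "no" }
    ' "$1"
}

# Flag the failure mode from this thread: pam.conf has sshd entries,
# but sshd will not consult PAM. Returns 1 on mismatch, 0 otherwise.
check_pam_mismatch() {  # $1 = sshd_config, $2 = Solaris-style pam.conf
    usepam=$(effective_usepam "$1")
    if [ "$usepam" != "yes" ] &&
       grep -Eq '^[[:space:]]*sshd[[:space:]]' "$2"; then
        echo "MISMATCH: $2 has sshd entries but UsePAM is $usepam in $1"
        return 1
    fi
    echo "OK: UsePAM is $usepam in $1"
}

# Usage: script.sh /etc/ssh/sshd_config /etc/pam.conf
if [ "$#" -eq 2 ]; then
    check_pam_mismatch "$1" "$2"
fi
```

Running it before and after an upgrade shows whether a changed default silently moved logins off the PAM stack.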


