Mailing List Archive

problems with openssh-1.2.2 and pam_tacplus.so
Hello,

I have the following problem: I have installed openssh-1.2.2 on FreeBSD
3.4-RELEASE. I intentionally did not take the FreeBSD port because it does
not support PAM. My aim is to make sshd authenticate against a TACACS+
server using the pam_tacplus.so module shipped with FreeBSD. That works
perfectly with this line in my /etc/pam.conf:

login auth sufficient pam_tacplus.so


Accordingly, I set up pam.conf like this to make sshd do the same:

sshd auth required pam_tacplus.so


But all I get then from sshd is this:

su-2.03# /usr/local/sbin/sshd -d
debug: sshd version OpenSSH-1.2.2
debug: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
Generating 768 bit RSA key.
RSA key generation complete.
debug: Server will not fork when running in debugging mode.
Connection from 212.88.133.252 port 1021
debug: Client protocol version 1.5; client software version OpenSSH-1.2.1
debug: Sent 768 bit public key and 1024 bit host key.
debug: Encryption type: 3des
debug: Received session key; encryption turned on.
debug: Installing crc compensation attack detector.
debug: Starting up PAM with username "domi"
debug: Attempting authentication for domi.
Failed rsa for domi from 212.88.133.252 port 1021
debug: PAM Password authentication accepted for user "domi"
Accepted password for domi from 212.88.133.252 port 1021
debug: PAM setting rhost to "dominik.saargate.de"
PAM rejected by account configuration: Permission denied
Faking authloop for illegal user domi from 212.88.133.252 port 1021
I configured openssh with

./configure --with-tcp-wrappers --with-ipv4-default --with-md5-passwords


What can I do in order to make sshd work correctly?

--
Dominik - http://www.saargate.de/~domi/
Re: problems with openssh-1.2.2 and pam_tacplus.so
On Wed, 2 Feb 2000, Dominik Brettnacher wrote:

> Hello,
>
> I have the following problem: I have installed openssh-1.2.2 on FreeBSD
> 3.4-RELEASE. I intentionally did not take the FreeBSD port because it does
> not support PAM. My aim is to make sshd authenticate against a TACACS+
> server using the pam_tacplus.so module shipped with FreeBSD. That works
> perfectly with this line in my /etc/pam.conf:
>
> login auth sufficient pam_tacplus.so
>
>
> Accordingly, I set up pam.conf like this to make sshd do the same:
>
> sshd auth required pam_tacplus.so

Is this your full PAM file for sshd? It looks like there are account
and session entries missing.

> PAM rejected by account configuration: Permission denied

What 'account' entries do you have for sshd? If there are none it
may be defaulting to deny.

Regards,
Damien Miller


--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm@mindrot.org (home) -or- djm@ibs.com.au (work)
Re: problems with openssh-1.2.2 and pam_tacplus.so
On Thu, 3 Feb 2000, djm@mindrot.org wrote:

> >> PAM rejected by account configuration: Permission denied
> What 'account' entries do you have for sshd? If there are none it
> may be defaulting to deny.

You were right, I did not set up any. Now my pam.conf looks like this:

sshd auth required pam_tacplus.so
sshd account required pam_unix.so try_first_pass
sshd password required pam_unix.so try_first_pass
sshd session required pam_unix.so try_first_pass


When I use "pam_permit.so" as the session module, I can login
successfully, but when trying pam_unix.so, I get these errors:

Feb 3 07:05:01 sshd[17265]: unable to resolve symbol: pam_sm_chauthtok
Feb 3 07:05:01 sshd[17265]: unable to resolve symbol: pam_sm_open_session
Feb 3 07:05:01 sshd[17265]: unable to resolve symbol: pam_sm_close_session


I already linked libcrypt.so to sshd because I got error messages without.
But what is missing here?


--
Dominik - http://www.saargate.de/~domi/
Re: problems with openssh-1.2.2 and pam_tacplus.so
On Thu, 3 Feb 2000, Dominik Brettnacher wrote:

> You were right, I did not set up any. Now my pam.conf looks like this:

> sshd auth required pam_tacplus.so
> sshd account required pam_unix.so try_first_pass
> sshd password required pam_unix.so try_first_pass
> sshd session required pam_unix.so try_first_pass

> When I use "pam_permit.so" as the session module, I can login
> successfully, but when trying pam_unix.so, I get these errors:

> Feb 3 07:05:01 sshd[17265]: unable to resolve symbol: pam_sm_chauthtok
> Feb 3 07:05:01 sshd[17265]: unable to resolve symbol: pam_sm_open_session
> Feb 3 07:05:01 sshd[17265]: unable to resolve symbol: pam_sm_close_session

This seems to imply that the pam_unix.so module you're using is not compiled
to function as a password or session module. I really have no idea why this
is. It may be a problem specific to the FreeBSD port?

One thing you might try is to change the lines to read:

sshd auth required pam_tacplus.so
sshd account required pam_unix_account.so
sshd password required pam_unix_passwd.so try_first_pass
sshd session required pam_unix_session.so

If pam_unix is available as individual modules on your system.

Otherwise, pam_unix's session support is largely a no-op, and password
changing isn't crucial to sshd's proper functioning, so if all else fails you
could configure it as

sshd auth required pam_tacplus.so
sshd account required pam_unix_account.so
sshd password required pam_permit.so
sshd session required pam_permit.so

HTH,
Steve Langasek
postmodern programmer
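The two points raised in this thread, Damien's diagnosis that an sshd stack with no account entries is rejected outright, and Steve's fallback of putting pam_permit.so in the password and session groups only, can both be checked mechanically. The script below is an added example and is not code from the thread or from OpenSSH or FreeBSD: it parses the single-file pam.conf format used above, reports each management group a service has no entry for, and flags pam_permit.so when it appears in the auth or account groups, where it would let any user through. The sample configuration text is constructed to reproduce Dominik's first, incomplete sshd stack beside his working login stack.

```python
"""Audit a classic single-file /etc/pam.conf for incomplete or permissive
service stacks. Added example, not part of the original thread."""

from collections import defaultdict

GROUPS = ("auth", "account", "password", "session")
CONTROLS = {"required", "requisite", "sufficient", "optional"}
# Modules that always succeed; harmless in password/session, dangerous
# in auth/account because every caller then passes that step.
PERMISSIVE_MODULES = {"pam_permit.so"}

# Constructed sample: 'login' has auth/account/session, 'sshd' has auth only,
# mirroring the first configuration posted in the thread.
SAMPLE_PAM_CONF = """\
# service  type     control     module         [args]
login  auth     sufficient  pam_tacplus.so
login  account  required    pam_unix.so
login  session  required    pam_unix.so
sshd   auth     required    pam_tacplus.so
"""


def parse_pam_conf(text):
    """Return {service: {group: [(control, module, [args...])]}}.

    Lines are 'service type control module [args]'; '#' starts a comment.
    Malformed lines raise ValueError with the offending line number.
    """
    stacks = defaultdict(lambda: defaultdict(list))
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"line {lineno}: expected 'service type control module [args]'")
        service, group, control, module, *args = fields
        group, control = group.lower(), control.lower()
        if group not in GROUPS:
            raise ValueError(f"line {lineno}: unknown module type {group!r}")
        if control not in CONTROLS:
            raise ValueError(f"line {lineno}: unknown control flag {control!r}")
        stacks[service][group].append((control, module, args))
    return stacks


def audit_service(stacks, service):
    """Return a list of (group, code, detail) findings for one service.

    code is 'missing' when the service has no entry for that group, or
    'permissive' when an always-succeeding module sits in auth or account.
    """
    findings = []
    stack = stacks.get(service, {})
    for group in GROUPS:
        entries = stack.get(group)
        if not entries:
            findings.append((group, "missing",
                             f"{service} has no {group} entries; a missing group "
                             f"can be treated as a denial by the application"))
            continue
        if group in ("auth", "account"):
            for control, module, _args in entries:
                if module in PERMISSIVE_MODULES:
                    findings.append((group, "permissive",
                                     f"{service} {group} uses {module} ({control}); "
                                     f"every user passes this step"))
    return findings


def audit(text, service):
    """Convenience wrapper: parse text and audit a single service."""
    return audit_service(parse_pam_conf(text), service)


if __name__ == "__main__":
    for svc in ("login", "sshd"):
        for group, code, detail in audit(SAMPLE_PAM_CONF, svc):
            print(f"[{code}] {group}: {detail}")
```

Run it against a real file with `audit(open("/etc/pam.conf").read(), "sshd")`; on a system that uses `/etc/pam.d/`, the per-service files drop the leading service column, so the parser would need that column prepended before it applies. Only auth and account are checked for pam_permit.so because, as Steve notes, password and session stacks do not gate whether a login is granted.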