OpenSSH 3.7.1p1 and 3.7p1 were compiled with PAM support. When we try to connect in (to the OpenSSH 3.7.1p1/3.7p1 server) from F-Secure ssh clients, the PAM modules are totally getting bypassed. Is there a way to fix this? However, there are no problems connecting in from OpenSSH clients (PAM works fine). The options that were used here were similar to the options used to compile OpenSSH 3.6p1. No problems are encountered when connecting to a 3.6p1 server either from an OpenSSH client or an F-Secure ssh client.
Read the comment next to UsePAM in sshd_config.
PasswordAuthentication is set to no and UsePAM is set to yes in the sshd_config file. Running sshd in debug mode while trying to connect in shows PAM modules being invoked while coming in from OpenSSH clients but not from F-Secure.
Are your F-Secure clients configured to use keyboard-interactive authentication?
F-Secure SSH client for me (on OpenVMS) works fine with UsePAM=yes and PasswordAuthentication=no for the ssh client:

    SYS$ ssh2 "jmccormick@rowan"
    Keyboard-interactive:
    Password:
    Authentication successful.
    [jmccormick@rowan jmccormick]$

My F-Secure install by default seems to be using keyboard-interactive as I'm not explicitly enabling it anywhere.
Yes, the clients are configured to use keyboard-interactive. The same client connects fine to a 3.6p1 server (no problems with PAM) but has problems talking with 3.7p1 or 3.7.1p1.
The same problem has been noticed on SecureCRT and PuTTY clients as well. The only client that seems to work so far is the OpenSSH client.
You will have to provide more evidence. A debug trace from the server perhaps? Are you using 3.7.1p2?
Created attachment 463: Debug output from the server and verbose o/p from the client side (both F-Secure and OpenSSH)

Yes, we upgraded to 3.7.1p2 and the problem still persists. Setting UsePAM to yes and PasswordAuthentication to no, the F-Secure client is not able to log in to the machine at all.
You are not even trying challenge-response authentication. Try connecting using ssh protocol 2 or looking for an F-Secure option "tisauthentication" or similar to enable challenge-response for protocol 1. This does work (it has been tested by a number of developers) - the problem is at the client.
Mass change of RESOLVED bugs to CLOSED