Bug 719

Summary:

pam auth not working the same way

Product:

Portable OpenSSH

Reporter:

stevebalm2000

Component:

PAM support

Assignee:

OpenSSH Bugzilla mailing list <openssh-bugs>

Status:

CLOSED FIXED

Severity:

normal

Priority:

Version:

-current

Hardware:

SPARC

OS:

Solaris

Attachments:

Description	Flags
Output from "sshd -p 30 -d -d -d"	none
Output from "sshd -p 30 -d -d -d"	none

Description stevebalm2000 2003-09-26 11:03:23 AEST

We recently upgraded from openssh-3.6.1p2 to openssh-3.7.1p2 and are now not
able to login.  We rely on PAM authentication and our PAM configuration looks
like this:

sshd	auth required   /usr/lib/security/$ISA/pam_krb54.so.1 get_k4_tgt

This pam module is home-grown and gets both Kerb5 and Kerb4 tickets.  I've tried
running sshd -d -d -d to figure out the problem here and I'm not sure what the
issue is.  I'll attach the debug output shortly.  Here is my /etc/ssh/sshd_config:

HostKey /etc/ssh/ssh_host_key
HostKey /etc/ssh/ssh_host_dsa_key
LoginGraceTime 600
IgnoreRhosts no
IgnoreUserKnownHosts yes
X11Forwarding yes
SyslogFacility DAEMON
HostbasedAuthentication yes
RhostsRSAAuthentication yes
Subsystem	sftp	/usr/local/libexec/sftp-server

Where should I be looking to track this down?  Does my pam.conf need to be
updated for the new openssh?  Does my local pam need to be modified to work with
the new openssh?  Also, please let me know what other information would be
helpful in debugging this.

Thanks.

Comment 1 Jason McCormick 2003-09-26 11:13:06 AEST

Do you have "UsePam yes" in your sshd_config file?  3.7.1p2 by defeault
configuration now ships with PAM disabled.  You *must* specify "UsePam yes" in
your sshd_config for PAM to work with OpenSSH.  This is a change in the default
behavior between 3.7.1p1 and 3.7.1p2.

Comment 2 stevebalm2000 2003-09-26 11:14:43 AEST

Created attachment 469 [details]
Output from "sshd -p 30 -d -d -d"

I was able to login using v3.6.1p2

Comment 3 stevebalm2000 2003-09-26 11:17:10 AEST

Created attachment 470 [details]
Output from "sshd -p 30 -d -d -d"

I was not able to login using v3.7.1p2

Btw, here is uname -a info:

SunOS trouble 5.9 Generic_112233-08 sun4u sparc SUNW,Ultra-5_10

Comment 4 stevebalm2000 2003-09-26 11:24:27 AEST

I added "UsePAM yes" to sshd_config and now I get my PAM conversation prompt and
my login is successful.  The sshd_config that ships with 3.7.1p2 should be
updated to show that "UsePAM no" is the default now.

Is there any way to avoid the PAM conversation prompt and use the OpenSSH
password prompt as 3.6.1p2 used to do?

Comment 5 stevebalm2000 2003-09-26 12:24:44 AEST

Also, is it possible to use privilege separation and pam at the same time?

Comment 6 Damien Miller 2003-09-27 09:38:49 AEST

No, PAM is fundamentally a challenge-response system. The old password auth code
worked by ASSuMEing that there would only be a single prompt and that the prompt
would be for a password.

(FYI, The UsePAM entry in sshd_config has been corrected)

Comment 7 Darren Tucker 2003-11-19 23:32:16 AEDT

sshd_config has been updated with more info on UsePAM:

# Set this to 'yes' to enable PAM authentication (via challenge-response)
# and session processing. Depending on your PAM configuration, this may
# bypass the setting of 'PasswordAuthentication' and 'PermitEmptyPasswords'
#UsePAM no

BTW, UsePrivilegeSeparation should work fine with UsePAM.

Comment 8 Damien Miller 2004-04-14 12:24:19 AEST

Mass change of RESOLVED bugs to CLOSED