Bug 738

Summary: OpenSSH 3.7.1p2 Password Authentication Failure Through NIS+ on Non-Master Server
Product: Portable OpenSSH Reporter: Michael <bugtraq>
Component: PAM supportAssignee: OpenSSH Bugzilla mailing list <openssh-bugs>
Status: CLOSED INVALID    
Severity: normal    
Priority: P2    
Version: -current   
Hardware: All   
OS: All   

Description Michael 2003-10-09 05:40:32 AEST 
I have openssh-3.7.1p2 with openssl-0.9.6k installed on Solaris 8.  Here is 
what I've been able to determine so far: 

1. Local account authentication works fine (non-NIS+).
1a. NIS+ is running at security level 2 
2. Telnet authentication works fine. 
2a. When I use the SSH client, from another UNIX machine, it works fine -- 
only windows SSH clients (I've tried SecureCRT and SSH.com's SSH client) have 
problems connecting. 3. nscd is not running (I stopped it for now, but I don't 
think it matters) 3a. PAM is enabled in my sshd_config (see below)
4. When I log in via telnet (for example), it works; and then I try
that same ID that wouldn't work originally via SSH, it then works!
5. When I log in to master server via SSH it works fine (it only doesn't work 
when I try to log into client servers). 6. When I try keyboard interactive 
authentication (instead of Password), it works, but it asks me TWICE for the 
login info (the first time fails, the second time succeeds).

TO SUMMARIZE: I have problems WHEN: I log in via SSH to the non-master NIS+ 
server with a non-local account (NIS+ account) with a Windows client 
via 'Password' authentication.  I'd love to see someone figure THIS ONE out... 

HELPFUL INFO ON POSSIBLY WHY THIS IS HAPPENING
-------------------------------------------------------------------------------
-----
Your Windows clients are using password authentication. That doesn't work with 
ssh 3.7.1p2 on Solaris because the sshd has to be able to read the encrypted 
password out of NIS+. But if you run NIS+ at security level 2 the user needs 
to authenticate to NIS+ first via an explicit or implicit keylogin in order 
to be able to read his/her own encrypted password. Other users are not able 
to read it and that includes the root user on NIS+ clients. One exception is 
the root user (or machine principal) of the NIS+ master, that's why it works 
there. If you succeed to login via telnet then the telnetd does a keylogin 
and then stores your key with the keyserver, that's why subsequent ssh logins 
work until you reboot the machine (or restart the keyserver). 

You should use PAM authentication via keyboard-interactive with your Windows 
clients. I don't know anything about the 2 clients you tried but I know that 
Putty works with protocol version 2 and keyboard-interactive (tried it 
myself). 
-------------------------------------------------------------------------------
-----

Here's my ./configure for openssh:

----------------------------------------------------------------------

configured by ./configure, generated by GNU Autoconf 2.52, 
  with options \"--prefix=/usr/openssh --with-pam --without-rsh
--with-pid-dir=/var/run --with-md5-passwords
--with-ssl-dir=/usr/local/ssl 
--with-mantype=man\"
----------------------------------------------------------------------


Here is my sshd.conf file:

----------------------------------------------------------------------

Port 22
Protocol 2 
#ListenAddress 0.0.0.0 
#ListenAddress :: 

# HostKey for protocol version 1
HostKey /usr/openssh/etc/ssh_host_key 
# HostKeys for protocol version 2 
HostKey /usr/openssh/etc/ssh_host_rsa_key 
HostKey /usr/openssh/etc/ssh_host_dsa_key 

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h 
ServerKeyBits 768 

# Logging
#obsoletes QuietMode and FascistLogging 
SyslogFacility AUTH 
LogLevel INFO 

# Authentication:

LoginGraceTime 2m
PermitRootLogin no 
#StrictModes yes 

#RSAAuthentication yes
#PubkeyAuthentication yes 
#AuthorizedKeysFile     .ssh/authorized_keys 

# For this to work you will also need host keys in
/usr/openssh/etc/ssh_known_hosts #RhostsRSAAuthentication no 
# similar for protocol version 2 
#HostbasedAuthentication no 
# Change to yes if you don't trust ~/.ssh/known_hosts for 
# RhostsRSAAuthentication and HostbasedAuthentication 
#IgnoreUserKnownHosts no 
# Don't read the user's ~/.rhosts and ~/.shosts files 
IgnoreRhosts yes 

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes 
#PermitEmptyPasswords no 

# Change to no to disable s/key passwords
ChallengeResponseAuthentication yes 

# Kerberos options
#KerberosAuthentication no 
#KerberosOrLocalPasswd yes 
#KerberosTicketCleanup yes 

# GSSAPI options
#GSSAPIAuthentication no 
#GSSAPICleanupCreds yes 

# Set this to 'yes' to enable PAM authentication (via
challenge-response) 
# and session processing. Depending on your PAM configuration, this
may 
# bypass the setting of 'PasswordAuthentication'
UsePAM yes 

#AllowTcpForwarding yes
#GatewayPorts no 
X11Forwarding yes 
#X11DisplayOffset 10 
#X11UseLocalhost yes 
PrintMotd yes 
#PrintLastLog yes 
KeepAlive yes 
#UseLogin no 
UsePrivilegeSeparation yes 
#PermitUserEnvironment no 
#Compression yes 
#ClientAliveInterval 0 
#ClientAliveCountMax 3 
#UseDNS yes 
PidFile /var/run/sshd.pid 
#MaxStartups 10 
# no default banner path 
#Banner /some/path 
# override default of no subsystems 
Subsystem       sftp    /usr/openssh/libexec/sftp-server 
----------------------------------------------------------------------
Comment 1 Darren Tucker 2003-11-19 23:47:44 AEDT 
From the description:
"TO SUMMARIZE: I have problems WHEN: I log in via SSH to the non-master NIS+ 
server with a non-local account (NIS+ account) with a Windows client 
via 'Password' authentication."

As of 3.7p1, PasswordAuthentication does not use PAM.  You need to use
ChallengeResponseAuthentication (and probably disable PasswordAuthentication).

It works on your NIS master server because getspnam and friends can get the
encrypted password directly from the shadow file, so PasswordAuthentication works.
Comment 2 Darren Tucker 2003-12-18 17:24:36 AEDT 
Since 3.7p1, even when UsePAM=yes, password authentication does not use PAM.

I suggest you set PasswordAuthentication to "no", this will prevent your Windows
clients from trying Password auth and (hopefully) switch to
keyboard-interactive, then close this bug.
Comment 3 Darren Tucker 2004-01-22 20:37:16 AEDT 
1 month no reply == closed bug.
Comment 4 Damien Miller 2004-04-14 12:24:19 AEST 
Mass change of RESOLVED bugs to CLOSED