Bug 719 - pam auth not working the same way
Summary: pam auth not working the same way
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: PAM support
Version: -current
Hardware: SPARC Solaris
Importance: P2 normal
Assignee: OpenSSH Bugzilla mailing list
Reported: 2003-09-26 11:03 AEST by stevebalm2000
Modified: 2004-04-14 12:24 AEST

Attachments
Output from "sshd -p 30 -d -d -d" (9.66 KB, text/plain)
2003-09-26 11:14 AEST, stevebalm2000
Output from "sshd -p 30 -d -d -d" (5.32 KB, text/plain)
2003-09-26 11:17 AEST, stevebalm2000

Description stevebalm2000 2003-09-26 11:03:23 AEST
We recently upgraded from openssh-3.6.1p2 to openssh-3.7.1p2 and are now not
able to login.  We rely on PAM authentication and our PAM configuration looks
like this:

sshd	auth required   /usr/lib/security/$ISA/pam_krb54.so.1 get_k4_tgt

This pam module is home-grown and gets both Kerb5 and Kerb4 tickets.  I've tried
running sshd -d -d -d to figure out the problem here and I'm not sure what the
issue is.  I'll attach the debug output shortly.  Here is my /etc/ssh/sshd_config:

HostKey /etc/ssh/ssh_host_key
HostKey /etc/ssh/ssh_host_dsa_key
LoginGraceTime 600
IgnoreRhosts no
IgnoreUserKnownHosts yes
X11Forwarding yes
SyslogFacility DAEMON
HostbasedAuthentication yes
RhostsRSAAuthentication yes
Subsystem	sftp	/usr/local/libexec/sftp-server

Where should I be looking to track this down?  Does my pam.conf need to be
updated for the new openssh?  Does my local pam need to be modified to work with
the new openssh?  Also, please let me know what other information would be
helpful in debugging this.

Thanks.
Comment 1 Jason McCormick 2003-09-26 11:13:06 AEST
Do you have "UsePam yes" in your sshd_config file?  3.7.1p2 by default
configuration now ships with PAM disabled.  You *must* specify "UsePam yes" in
your sshd_config for PAM to work with OpenSSH.  This is a change in the default
behavior between 3.7.1p1 and 3.7.1p2.
Comment 2 stevebalm2000 2003-09-26 11:14:43 AEST
Created attachment 469
Output from "sshd -p 30 -d -d -d"

I was able to login using v3.6.1p2
Comment 3 stevebalm2000 2003-09-26 11:17:10 AEST
Created attachment 470
Output from "sshd -p 30 -d -d -d"

I was not able to login using v3.7.1p2

Btw, here is uname -a info:

SunOS trouble 5.9 Generic_112233-08 sun4u sparc SUNW,Ultra-5_10
Comment 4 stevebalm2000 2003-09-26 11:24:27 AEST
I added "UsePAM yes" to sshd_config and now I get my PAM conversation prompt and
my login is successful.  The sshd_config that ships with 3.7.1p2 should be
updated to show that "UsePAM no" is the default now.

Is there any way to avoid the PAM conversation prompt and use the OpenSSH
password prompt as 3.6.1p2 used to do?
Comment 5 stevebalm2000 2003-09-26 12:24:44 AEST
Also, is it possible to use privilege separation and pam at the same time?
Comment 6 Damien Miller 2003-09-27 09:38:49 AEST
No, PAM is fundamentally a challenge-response system. The old password auth code
worked by ASSuMEing that there would only be a single prompt and that the prompt
would be for a password.

(FYI, The UsePAM entry in sshd_config has been corrected) 
Comment 7 Darren Tucker 2003-11-19 23:32:16 AEDT
sshd_config has been updated with more info on UsePAM:

# Set this to 'yes' to enable PAM authentication (via challenge-response)
# and session processing. Depending on your PAM configuration, this may
# bypass the setting of 'PasswordAuthentication' and 'PermitEmptyPasswords'
#UsePAM no

BTW, UsePrivilegeSeparation should work fine with UsePAM.
Comment 8 Damien Miller 2004-04-14 12:24:19 AEST
Mass change of RESOLVED bugs to CLOSED
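
Added example, not part of the original thread and not OpenSSH code: a small audit of the settings discussed in Comments 1, 4 and 7, reporting when UsePAM is effectively off and when enabling it may bypass PasswordAuthentication or PermitEmptyPasswords. The function names and sample file are constructed; it assumes sshd's first-occurrence-wins parsing, the stock defaults noted in the comments, and that global options end at a Match line (a later OpenSSH feature).

```python
# Constructed sample, modelled on the reporter's sshd_config (UsePAM left commented out).
SAMPLE_CONFIG = """\
HostKey /etc/ssh/ssh_host_key
PasswordAuthentication no
#UsePAM no
Subsystem\tsftp\t/usr/local/libexec/sftp-server
"""

# Values used when a keyword is absent. UsePAM "no" is the default the thread
# describes for 3.7.1p2; the other two are assumed stock sshd defaults.
DEFAULTS = {"usepam": "no",
            "passwordauthentication": "yes",
            "permitemptypasswords": "no"}


def effective_settings(text):
    """Return the global value sshd would use for each keyword in DEFAULTS."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()            # keywords are case-insensitive
        if key == "match":
            break                         # conditional blocks are not global
        if key in DEFAULTS and len(parts) == 2:
            # the first occurrence of a keyword wins; later ones are ignored
            seen.setdefault(key, parts[1].strip().strip('"').lower())
    return {**DEFAULTS, **seen}


def findings(text):
    """List the PAM-related points an administrator should review."""
    s = effective_settings(text)
    if s["usepam"] != "yes":
        return ["UsePAM is off: PAM is not used, so the sshd lines in "
                "pam.conf have no effect"]
    out = []
    for key in ("passwordauthentication", "permitemptypasswords"):
        if s[key] == "no":
            out.append(key + " is 'no' but UsePAM is on: depending on the "
                       "PAM configuration this setting may be bypassed")
    return out


if __name__ == "__main__":
    for item in findings(SAMPLE_CONFIG):
        print(item)
```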