openssh unix dev - Apr 2004 - PAM_LDAP fails with 3.7.1p2 when Shadow password installed on HP-UX 11.11

Hello All,

We have been successfully using PAM_LDAP authentication with OpenSSH-3.6 on
our HP-UX 11.11. When OpenSSH-3.7.1p2 is installed [with Darrens' password
expiry patch 26], and when Shadow password bundle is installed on the
system, our ssh authentication failed. Even, when the source is compiled
without Darren's patch, the same bahaviour is seen and there is no success.

When Shadow password is uninstalled, LDAP auth works.

The error in sshd side we are getting is
"PAM: No account present for user" [please refer attached debug file]

I have installed OpenSSH-3.8 without any password expiry patch and that also
works with PAM_LDAP with Shadow passwords.
I am wondering why 3.7.1p2 alone do not work when 3.6, and 3.8 works.
Both 3.7 and 3.8 have the following macros in config.h

#undef DISABLE_SHADOW
#define HAS_SHADOW_EXPIRE 1
#define HAVE_SHADOW_H 1
#define HAVE_SECURITY_PAM_APPL_H 1
#define USE_PAM 1
#define PAM_SUN_CODEBASE 1
#define HAVE_LIBPAM 1
/* #undef PAM_TTY_KLUDGE */
/* #undef HAVE_OLD_PAM */
/* #undef HAVE_PAM_GETENVLIST */
/* #undef HAVE_PAM_PUTENV */

Some more info on the PAM_LDAP library used on the system.

When Shadow password bundle is installed on the system, shadow file enable
and disable command is installed on "/usr/sbin/pwunconv" and
"/usr/sbin/pwconv". PAM_LDAP library checks this and particularly when
"/usr/sbin/pwunconv" is removed, LDAP auth works.

Is there any chance that the problem is in checking the return status of the
PAM APIs in 3.7.1p2?

I have attached the "sshd -ddd" file with this mail.

Advance thanks,
Kumaresh.






---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.576 / Virus Database: 365 - Release Date: 1/30/2004

Kumaresh wrote:
> We have been successfully using PAM_LDAP authentication with OpenSSH-3.6 on
> our HP-UX 11.11. When OpenSSH-3.7.1p2 is installed [with Darrens'
password
> expiry patch 26], and when Shadow password bundle is installed on the
> system, our ssh authentication failed. Even, when the source is compiled
> without Darren's patch, the same bahaviour is seen and there is no
success.
> 
> When Shadow password is uninstalled, LDAP auth works.
3.6x had some HP-UX specific code for the Trusted Mode case (using 
getprpwnam), and didn't use the shadow calls (getspnam).

3.7.1p2 uses the shadow calls on HPUX, but has a bug for the Trusted 
Mode case, which was fixed for 3.8p1.

Maybe the shadow password bundle + LDAP has the same problem with 3.7x 
as Trusted Mode did?
> The error in sshd side we are getting is
> "PAM: No account present for user" [please refer attached debug
file]
The debug file is missing (filtered?)  This looks like an error returned 
by PAM, though, not sure why.
> I have installed OpenSSH-3.8 without any password expiry patch and that
also
> works with PAM_LDAP with Shadow passwords.
> I am wondering why 3.7.1p2 alone do not work when 3.6, and 3.8 works.
> Both 3.7 and 3.8 have the following macros in config.h
[...]
> Is there any chance that the problem is in checking the return status of
the
> PAM APIs in 3.7.1p2?
There were a few minor improvements to PAM, it's possible one of those 
makes a difference.  (PAM is something of a black box, sometimes little 
things make a difference for no apparent reason).

If 3.8p1 works properly, I wouldn't put too much effort into tracking 
down the exact cause, though...

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
     Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.