Jayarama Vijay Kumar
2004-Jun-15 09:14 UTC
ssh daemon fails to call pam when user does not exist in /etc/passwd
Hi

We recently upgraded to openssh-3.7.1p2. Our architecture is: ssh daemon uses a pam module which sends requests to remote radius/tacacs+ servers based on configuration.

Now if I create the user in /etc/passwd, then ssh daemon calls pam and everything works fine. But if the user is not present in /etc/passwd, then ssh daemon is not calling pam. The debug log is given below. All these were working in prior versions. Any idea why there is a dependency on local user accounts? I have also given sshd's pam file.

Any help is greatly appreciated.

vijay

debug log
=========
debug1: userauth-request for user jvijayku service ssh-connection method none
debug1: attempt 0 failures 0
Illegal user jvijayku from 64.104.131.187
input_userauth_request: illegal user jvijayku
debug1: PAM: initializing for "jvijayku"
debug3: Trying to reverse map address 64.104.131.187.
debug1: PAM: setting PAM_RHOST to "64.104.131.187"
debug1: PAM: setting PAM_TTY to "ssh"
debug2: input_userauth_request: try method none
Failed none for illegal user jvijayku from 64.104.131.187 port 33729 ssh2
debug1: userauth-request for user jvijayku service ssh-connection method keyboard-interactive
debug1: attempt 1 failures 1
debug2: input_userauth_request: try method keyboard-interactive
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=jvijayku devs
debug1: kbdint_alloc: devices 'pam'
debug2: auth2_challenge_start: devices pam
debug2: kbdint_next_device: devices <empty>
debug1: auth2_challenge_start: trying authentication method 'pam'
debug3: ssh_msg_recv entering
debug3: ssh_msg_send: type 1
Postponed keyboard-interactive for illegal user jvijayku from 64.104.131.187 port 33729 ssh2
debug3: ssh_msg_recv entering

PAM file
========
# Disallows other than root logins when /etc/nologin exists
# (Replaces the `NOLOGINS_FILE' option from login.defs)
auth       requisite  pam_nologin.so
auth       required   pam_env.so
auth       [authinfo_unavail=ignore auth_err=done success=done default=ok] /isan/lib/libpam_aaa_auth.so
# Standard Un*x authentication. The "nullok" line allows passwordless
# accounts.
auth       required   pam_unix.so nullok likeauth try_first_pass
account    required   pam_unix.so
session    required   pam_unix.so
session    optional   pam_lastlog.so
session    optional   pam_motd.so
session    optional   pam_mail.so standard noenv
password   required   /lib/security/pam_cracklib.so retry=3
password   sufficient /lib/security/pam_unix.so nullok use_authtok shadow md5
password   required   /lib/security/pam_deny.so
Damien Miller
2004-Jun-15 09:32 UTC
ssh daemon fails to call pam when user does not exist in /etc/passwd
Jayarama Vijay Kumar wrote:
> Hi
> We recently upgraded to openssh-3.7.1p2. Our architecture is
> ssh daemon uses pam module which sends request to remote
> radius/tacacs+ servers based on configuration.
> Now if I create the user in /etc/passwd, then ssh daemon calls pam and
> everything works fine.
> But if the user is not present in /etc/passwd, then ssh daemon is not
> calling pam. The debug log is given below. All these were working in
> prior versions. Any idea why there is dependency on local user accounts
> ? I have also given sshd's pam file

This behaviour is by design and we don't have any intentions of changing it. If your non-local login system doesn't support getpw* it won't work with OpenSSH (we aren't unique in this position).

If you want to support non-local accounts then you need to use some NSS system (e.g. NIS, LDAP or on-the-fly getpw synthesis).

-d
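The dependency Damien describes is the getpw* lookup sshd performs before it hands the user to PAM: the name is resolved through the system's NSS sources (the "passwd:" line in /etc/nsswitch.conf), and when that lookup fails sshd takes the "Illegal user" path seen in the debug log and never runs the PAM auth stack. The following program is an added diagnostic, not code from the thread or from OpenSSH; it performs the same kind of lookup with the POSIX getpwnam_r() call so an administrator can check, on the sshd host, whether a given account is visible to NSS at all. The program name (whouser.c) and the distinction it draws between "not found" and "backend error" are assumptions of this example.

```c
/* whouser.c: added example, not part of the thread or of OpenSSH.
 * Mirrors the first thing sshd does with a login name: resolve it via the
 * NSS passwd database. If that fails, PAM is never consulted.
 * Build: cc -o whouser whouser.c     Run: ./whouser jvijayku root
 */
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 1 if NAME resolves through NSS, 0 if no such user is known,
 * and -1 on a lookup error (errno is set to the getpwnam_r() status). */
int user_resolves(const char *name)
{
    struct passwd pw, *result = NULL;
    long bufsize = sysconf(_SC_GETPW_R_SIZE_MAX);
    if (bufsize <= 0)
        bufsize = 16384;          /* sysconf returns -1 when no limit is advertised */
    char *buf = malloc((size_t)bufsize);
    if (buf == NULL) {
        errno = ENOMEM;
        return -1;
    }

    int rc = getpwnam_r(name, &pw, buf, (size_t)bufsize, &result);
    int found;
    if (rc == 0 && result != NULL) {
        found = 1;                /* NSS knows the account: sshd would proceed to PAM */
    } else if (rc == 0 || rc == ENOENT || rc == ESRCH ||
               rc == EBADF || rc == EPERM) {
        found = 0;                /* POSIX permits any of these for "no such user" */
    } else {
        errno = rc;               /* e.g. ERANGE or an I/O error from a directory backend */
        found = -1;
    }
    free(buf);
    return found;
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s user [user ...]\n", argv[0]);
        return 2;
    }
    int missing = 0;
    for (int i = 1; i < argc; i++) {
        int r = user_resolves(argv[i]);
        if (r == 1) {
            printf("%s: resolves via NSS; sshd will hand it to PAM\n", argv[i]);
        } else if (r == 0) {
            printf("%s: unknown to NSS; sshd will log \"Illegal user\" and skip PAM\n",
                   argv[i]);
            missing = 1;
        } else {
            printf("%s: lookup error: %s\n", argv[i], strerror(errno));
            missing = 1;
        }
    }
    return missing;
}
```

If an account the RADIUS/TACACS+ server would accept comes back as "unknown to NSS", the fix is on the NSS side, as the reply says: either provide local entries or install an NSS module that exposes those accounts to getpwnam(), rather than expecting the PAM module to be reached first.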
Darren Tucker
2004-Jun-15 09:33 UTC
ssh daemon fails to call pam when user does not exist in /etc/passwd
Jayarama Vijay Kumar wrote:> We recenlty ugraded to openssh-3.7.1p2. Our architecture is > ssh daemon uses pam module which sends request to remote > radius/tacacs+ servers based on configuration. > Now if I create the user in /etc/passwd, then ssh daemon calls pam and > everthing works fine. > But if the user is not present in /etc/passwd, then ssh daemon is not > calling pam. The debug log is given below. All these were working in > prior versions. Any idea why there is dependency on local user accounts > ? I have also given sshd's pam fileI posted a patch for this a while back (attached). It's only been lightly tested but it's worth a try. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: openssh-chall2-no-leak.patch Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20040615/c6299c7a/attachment.ksh