bugzilla-daemon at mindrot.org
2004-Sep-28 06:21 UTC
[Bug 936] S/Key authentication fails if UsePAM=no
http://bugzilla.mindrot.org/show_bug.cgi?id=936
Summary: S/Key authentication fails if UsePAM=no
Product: Portable OpenSSH
Version: -current
Platform: ix86
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: sshd
AssignedTo: openssh-bugs at mindrot.org
ReportedBy: ulm at kph.uni-mainz.de
sshd of openssh-3.9_p1 behaves differently if PAM is switched off
either during compile time (see "A" below) or via configuration file
(see "B" below). Login via S/Key challenge-response authentication
succeeds in case A, but fails in case B.
Steps to Reproduce (case A):
1. Compile and install sshd with configuration "A" (see below)
2. Install sshd_config (see below)
3. ssh from remote machine
Actual Results (case A):
$ ssh user at host
otp-md5 89 foo1234567
S/Key Password:
[... login succeeds, as expected]
Steps to Reproduce (case B):
1. Compile and install sshd with configuration "B"
2. Install sshd_config
3. ssh from remote machine
Actual Results (case B):
[No password prompt appears and login is immediately refused:]
$ ssh user at host
Permission denied (publickey,keyboard-interactive).
$
Expected Results:
The behaviour of sshd should be identical in cases A and B
(and should be as in case A).
Configuration (case A):
$ ./configure --prefix=/usr --host=i686-pc-linux-gnu --mandir=/usr/share/man
--infodir=/usr/share/info --datadir=/usr/share --sysconfdir=/etc
--localstatedir=/var/lib --sysconfdir=/etc/ssh --libexecdir=/usr/lib/misc
--datadir=/usr/share/openssh --disable-suid-ssh
--with-privsep-path=/var/empty --with-privsep-user=sshd --with-md5-passwords
--without-kerberos5 --with-tcp-wrappers --with-skey --without-opensc
--with-ipv4-default --without-pam
Configuration (case B):
as in case A, but last option replaced by "--with-pam"
/etc/ssh/sshd_config (identical for both cases; contains only 3 lines):
Protocol 2
PasswordAuthentication no
UsePAM no
I have also reported this as Gentoo bug:
<http://bugs.gentoo.org/show_bug.cgi?id=65343>
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2004-Sep-28 06:23 UTC
[Bug 936] S/Key authentication fails if UsePAM=no
http://bugzilla.mindrot.org/show_bug.cgi?id=936
------- Additional Comments From ulm at kph.uni-mainz.de 2004-09-28 16:23 -------
Created an attachment (id=720)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=720&action=view)
Debug output from server log (case B)
The last lines of the "sshd -ddd" log show output from sshpam_init_ctx, in
spite of UsePAM being switched off.
bugzilla-daemon at mindrot.org
2004-Sep-28 06:24 UTC
[Bug 936] S/Key authentication fails if UsePAM=no
http://bugzilla.mindrot.org/show_bug.cgi?id=936
------- Additional Comments From ulm at kph.uni-mainz.de 2004-09-28 16:24 -------
Created an attachment (id=721)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=721&action=view)
Proposed patch for auth2-chall.c
bugzilla-daemon at mindrot.org
2004-Oct-06 13:49 UTC
[Bug 936] S/Key authentication fails if UsePAM=no
http://bugzilla.mindrot.org/show_bug.cgi?id=936
dtucker at zip.com.au changed:
                  What    |Removed |Added
----------------------------------------------------------------------------
   Attachment #721 Status |        |ok
------- Additional Comments From dtucker at zip.com.au 2004-10-06 23:49 -------
(From update of attachment 721)
Looks OK to me, debug log indicates it's working (but I don't have skey
set up).
bugzilla-daemon at mindrot.org
2004-Oct-07 01:37 UTC
[Bug 936] S/Key authentication fails if UsePAM=no
http://bugzilla.mindrot.org/show_bug.cgi?id=936
------- Additional Comments From djm at mindrot.org 2004-10-07 11:37 -------
hm, maybe it would be better to never include "pam" in the list of kbd-int
submethods if !use_pam. I.e. build the lists in auth2-kbdint.c using
ServerOptions
bugzilla-daemon at mindrot.org
2004-Oct-07 01:49 UTC
[Bug 936] S/Key authentication fails if UsePAM=no
http://bugzilla.mindrot.org/show_bug.cgi?id=936
------- Additional Comments From djm at mindrot.org 2004-10-07 11:49 -------
Could you send a client ("ssh -vvv") trace as well?
I think the diff is incorrect: it just avoids the ssh code, but we should be
falling back to the next method. The fact that there are PAM lines in the server
output shouldn't matter, kbd-int should try other methods.
As a workaround, you can try "ssh -oKbdInteractiveDevices=skey" to prefer
skey authentication.
bugzilla-daemon at mindrot.org
2004-Oct-07 06:55 UTC
[Bug 936] S/Key authentication fails if UsePAM=no
http://bugzilla.mindrot.org/show_bug.cgi?id=936
------- Additional Comments From ulm at kph.uni-mainz.de 2004-10-07 16:55 -------
Created an attachment (id=723)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=723&action=view)
ssh -vvv output (original sshd)
Here is the output from "ssh -vvv" for the unpatched sshd.
bugzilla-daemon at mindrot.org
2004-Oct-07 06:57 UTC
[Bug 936] S/Key authentication fails if UsePAM=no
http://bugzilla.mindrot.org/show_bug.cgi?id=936
------- Additional Comments From ulm at kph.uni-mainz.de 2004-10-07 16:57 -------
Created an attachment (id=724)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=724&action=view)
ssh -vvv output (sshd with patch from attachment 721 applied)
And here is the "ssh -vvv" output for the patched sshd.
bugzilla-daemon at mindrot.org
2004-Oct-07 07:14 UTC
[Bug 936] S/Key authentication fails if UsePAM=no
http://bugzilla.mindrot.org/show_bug.cgi?id=936
------- Additional Comments From ulm at kph.uni-mainz.de 2004-10-07 17:14 -------
Concerning comment 4:
> hm, maybe it would be better to never include "pam" in the list of
> kbd-int submethods if !use_pam. I.e. build the lists in auth2-kbdint.c
> using ServerOptions
I thought about this, too. However, not being an ssh expert, I was not sure
where would be a proper place to call an initialisation routine for the
"devices" array. (It is also used for protocol 1 in auth-chall.c.)
Concerning comment 5:
> I think the diff is incorrect: it just avoids the ssh code, but we
> should be falling back to the next method. The fact that there are PAM
> lines in the server output shouldn't matter, kbd-int should try other
> methods.
At least for me it doesn't.
> As a workaround, you can try "ssh -oKbdInteractiveDevices=skey" to
> prefer skey authentication.
That works.
bugzilla-daemon at mindrot.org
2004-Oct-07 07:56 UTC
[Bug 936] S/Key authentication fails if UsePAM=no
http://bugzilla.mindrot.org/show_bug.cgi?id=936
------- Additional Comments From dtucker at zip.com.au 2004-10-07 17:56 -------
Created an attachment (id=725)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=725&action=view)
remove "pam" from kbdint devices if UsePAM=no
I looked at it too and removing the "pam" device is more invasive (in part,
because the KbdIntDevice list is statically allocated). See attached.
This patch could be simpler if pam is moved to the end of the device list
(but that changes the default order for the skey+pam case).
It's a good point about SSHv1 support too, it won't work at all when
usepam=no, fixed in attached patch.
bugzilla-daemon at mindrot.org
2004-Oct-07 10:23 UTC
[Bug 936] S/Key authentication fails if UsePAM=no
http://bugzilla.mindrot.org/show_bug.cgi?id=936
------- Additional Comments From ulm at kph.uni-mainz.de 2004-10-07 20:23 -------
I have applied your patch. Unfortunately, it does not work correctly:
ssh asks for the "S/Key Password:" 6 times instead of 3 times.
The reason seems to be that remove_kbdint_device leaves a duplicate
entry in the devices array:
+ for (i = 0; devices[i] != NULL; i++)
+ if (strcmp(devices[i]->name, devname) == 0) {
+ devices[i] = devices[i+1];
+ i--;
+ }
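Review bot: the single assignment `devices[i] = devices[i+1]` at the match only moves the next entry down one slot and leaves the NULL terminator where it was, so whenever the matched device is not the last entry the former last entry stays in the list twice (with pam ahead of skey, the default order that comment 6's remark about moving pam to the end implies, [pam, skey, NULL] becomes [skey, skey, NULL], and the skey device is then driven twice, which matches the doubled prompt count reported above). Shift the whole tail, terminator included, instead, e.g. `for (j = i; devices[j] != NULL; j++) devices[j] = devices[j+1];` before the `i--`.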
bugzilla-daemon at mindrot.org
2004-Oct-07 10:42 UTC
[Bug 936] S/Key authentication fails if UsePAM=no
http://bugzilla.mindrot.org/show_bug.cgi?id=936
dtucker at zip.com.au changed:
                  What    |Removed |Added
----------------------------------------------------------------------------
Attachment #725 is obsolete|0       |1
------- Additional Comments From dtucker at zip.com.au 2004-10-07 20:42 -------
Created an attachment (id=726)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=726&action=view)
remove "pam" from kbdint devices if UsePAM=no take 2
Hmm, it would appear I didn't think that all the way through. How about the
attached which does:
	for (i = 0; devices[i] != NULL; i++)
		if (strcmp(devices[i]->name, devname) == 0) {
			for (j = i; devices[j] != NULL; j++)
				devices[j] = devices[j+1];
			i--;
		}
It's kind of overkill though, given that the array will have either one or
two members...
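The two removal loops discussed in the last two comments (attachment 725, which shifts one slot, and the "take 2" version, which shifts the whole tail) side by side, as an added example that is not code from the bug report or from OpenSSH. The KbdintDevice struct is a stand-in carrying only the name, the device list is constructed here, and the default order pam-then-skey is an assumption taken from the remark in comment 6 that moving pam to the end would change the default order:

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for OpenSSH's KbdintDevice; only the name is needed here
 * (assumption: the real struct also carries the device callbacks). */
typedef struct {
    const char *name;
} KbdintDevice;

/* Constructed stand-ins for the real pam and skey devices. */
static KbdintDevice pam_dev  = { "pam" };
static KbdintDevice skey_dev = { "skey" };

/* Two devices, the NULL terminator, and one spare slot so that a tail
 * shift never reads past the end of the array. */
#define DEVICE_SLOTS 4

/* Build a fresh NULL-terminated list. pam_first == 1 is the assumed
 * default order [pam, skey]; 0 builds [skey, pam] for comparison. */
static void build_devices(KbdintDevice **devices, int pam_first)
{
    devices[0] = pam_first ? &pam_dev : &skey_dev;
    devices[1] = pam_first ? &skey_dev : &pam_dev;
    devices[2] = NULL;
    devices[3] = NULL;
}

/* Entries before the NULL terminator. */
int count_devices(KbdintDevice **devices)
{
    int n = 0;
    while (devices[n] != NULL)
        n++;
    return n;
}

/* 1 if the same device object appears twice in the list. */
int has_duplicate(KbdintDevice **devices)
{
    int i, j;
    for (i = 0; devices[i] != NULL; i++)
        for (j = i + 1; devices[j] != NULL; j++)
            if (devices[i] == devices[j])
                return 1;
    return 0;
}

/* Loop from attachment 725: only the matching slot is overwritten with
 * its successor. The terminator never moves, so the former last entry
 * survives twice whenever the match is not the last entry. */
void remove_device_one_slot(KbdintDevice **devices, const char *devname)
{
    int i;
    for (i = 0; devices[i] != NULL; i++)
        if (strcmp(devices[i]->name, devname) == 0) {
            devices[i] = devices[i + 1];
            i--;                /* re-examine the slot just filled */
        }
}

/* Loop from the "take 2" patch: shift the whole tail, terminator
 * included, down by one slot. */
void remove_device_shift_tail(KbdintDevice **devices, const char *devname)
{
    int i, j;
    for (i = 0; devices[i] != NULL; i++)
        if (strcmp(devices[i]->name, devname) == 0) {
            for (j = i; devices[j] != NULL; j++)
                devices[j] = devices[j + 1];
            i--;                /* re-examine the slot just filled */
        }
}

typedef void (*remove_fn)(KbdintDevice **, const char *);

/* Entries left after removing "pam" from a fresh list with rm_fn. */
int leftover_count(remove_fn rm_fn, int pam_first)
{
    KbdintDevice *devices[DEVICE_SLOTS];
    build_devices(devices, pam_first);
    rm_fn(devices, "pam");
    return count_devices(devices);
}

/* 1 if rm_fn leaves a duplicated entry behind on that same list. */
int leaves_duplicate(remove_fn rm_fn, int pam_first)
{
    KbdintDevice *devices[DEVICE_SLOTS];
    build_devices(devices, pam_first);
    rm_fn(devices, "pam");
    return has_duplicate(devices);
}

int main(void)
{
    printf("one-slot shift, pam first: %d left, duplicate=%d\n",
           leftover_count(remove_device_one_slot, 1),
           leaves_duplicate(remove_device_one_slot, 1));
    printf("tail shift,     pam first: %d left, duplicate=%d\n",
           leftover_count(remove_device_shift_tail, 1),
           leaves_duplicate(remove_device_shift_tail, 1));
    printf("one-slot shift, pam last:  %d left, duplicate=%d\n",
           leftover_count(remove_device_one_slot, 0),
           leaves_duplicate(remove_device_one_slot, 0));
    return 0;
}
```

With pam ahead of skey the one-slot version turns [pam, skey, NULL] into [skey, skey, NULL], so the kbd-int loop drives the skey device twice, which is consistent with the doubled prompt count reported above; with pam already last, both loops behave the same, which is why moving pam to the end would have made the patch simpler.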
bugzilla-daemon at mindrot.org
2004-Oct-07 20:36 UTC
[Bug 936] S/Key authentication fails if UsePAM=no
http://bugzilla.mindrot.org/show_bug.cgi?id=936
------- Additional Comments From ulm at kph.uni-mainz.de 2004-10-08 06:36 -------
Tested again. As far as I can see, it works properly for both protocol
versions 1 and 2.