I have built OpenSSH 3.7.1p1 on Linux from src.rpm available for download on the site, and after installation I have discovered that this version of openssh has many compatibility problems with old and third-party clients that previous versions did not have. For example:

PuTTY (very popular free Windows client) cannot authenticate user when using protocol version 1. Works with protocol version 2.

SecureCRT (another popular commercial Windows client) cannot authenticate with password authentication using both protocols 1 and 2, but succeeds using "keyboard interactive" authentication.

Various older Unix clients (such as SSH 2.0 or 1.2.27 from ssh.fi, etc.) fail to authenticate with both protocols 1 and 2.

With newer clients, using protocol 1 gives very strange greeting - first
Password:
Response:
and then if password not given, <user>@<hostname>'s password:
Authentication with the latter never works, however works with the former.

I understand that somehow password authentication method became broken or disabled. Is there a way to restore it?

I understand this is very hard to be compatible with all variety of existing SSH clients, however all mentioned applications were working flawlessly with previous versions of OpenSSH and only after upgrade to latest 3.7 version the problems started. Could you give an advice where to look for solution or what can be changed to make these clients work again? Are there any logging options that could help to see why the server fails to authenticate? Syslog shows just "Failed password for <username>" which is not very helpful.

--
Stanislav Malyshev, Zend Products Engineer
stas at zend.com http://www.zend.com/ +972-3-6139665 ext.109
Stanislav Malyshev <stas at zend.com> writes:
> With newer clients, using protocol 1 gives very strange greeting - first
> Password:
> Response:

This is PAM mediated through ssh1's TIS authentication feature.

> and then if password not given, <user>@<hostname>'s password:

This is regular ssh1 password authentication.

> Authentication with the latter never works, however works with the former.

If password authentication fails when you type the correct password, you probably did something wrong at build time (like disable shadow passwords).

DES
--
Dag-Erling Smørgrav - des at des.no
> Stanislav Malyshev <stas at zend.com> writes:
> > With newer clients, using protocol 1 gives very strange greeting - first
> > Password:
> > Response:
>
> This is PAM mediated through ssh1's TIS authentication feature.

IMHO, this should be a single prompt, not 2 separate prompts and BTW, this comes from the client NOT the server. The "Response: " portion is actually completely superfluous output...

Also, this only happens when connecting to a newer version server. For example, connecting to a server running 3.7.1p1 you get the second prompt, but connecting to a server with a patched 3.1p1 (ala Red Hat) from the same host using the same client, you get
user at host's password:

With other older clients (putty < 0.53) you can not authenticate at all!

> > and then if password not given, <user>@<hostname>'s password:
>
> This is regular ssh1 password authentication.
>
> > Authentication with the latter never works, however works with the former.
>
> If password authentication fails when you type the correct password,
> you probably did something wrong at build time (like disable shadow
> passwords).

No actually, it is some incompatibility with clients which do not support "keyboard-interactive" authentication. Was this intended breakage or accidental breakage?

Regards
James Bourne

> DES
> --
> Dag-Erling Smørgrav - des at des.no

--
James Bourne | Email: jbourne at hardrock.org
Unix Systems Administrator | WWW: http://www.hardrock.org
Custom Unix Programming | Linux: The choice of a GNU generation
----------------------------------------------------------------------
"All you need's an occasional kick in the philosophy." Frank Herbert
Stanislav Malyshev
2003-Sep-21 10:17 UTC
Solved: OpenSSH 3.7.1 compatibility problems on Linux
SM>> I have built OpenSSH 3.7.1p1 on Linux from src.rpm available for
SM>> download on the site, and after installation I have discovered that
SM>> this version of openssh has many compatibility problems with old and
SM>> third-party clients that previous versions did not have. For
SM>> example:

With generous help of Yuri Nosyrev, I have found the cure for the problem:

The problem seems to be in the mechanism that governs password authentication and in the fact that I use md5-encoded passwords in /etc/shadow (must be standard RedHat setting since I have never changed anything there). The problem was solved by editing openssh.spec in the package before building the RPM and adding --with-md5-passwords to the configure line (around line 194 in original openssh.spec) then proceeding with building the RPM as usual.

Seems to make all the clients that didn't work previously happy.

--
Stanislav Malyshev, Zend Products Engineer
stas at zend.com http://www.zend.com/ +972-3-6139665 ext.109
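
The fix in the message above hinges on accounts carrying MD5-crypt hashes (the `$1$` prefix) in /etc/shadow. As an added example, not part of the original thread, this script classifies the hash scheme of each entry in a shadow-format file and lists the MD5-crypt accounts; the function names are hypothetical and the sample entries are constructed.

```shell
#!/bin/sh
# Added example: find accounts whose shadow entry is an MD5-crypt hash.
# Function names are hypothetical; all sample entries are constructed.

# Print the scheme name for one shadow password field.
shadow_scheme() {
    case "$1" in
        '')            echo "empty" ;;
        '!'*|'*'*)     echo "locked" ;;
        '$1$'*)        echo "md5-crypt" ;;
        '$2'[aby]'$'*) echo "bcrypt" ;;
        '$5$'*)        echo "sha256-crypt" ;;
        '$6$'*)        echo "sha512-crypt" ;;
        *)
            # Traditional DES crypt: exactly 13 chars from [./0-9A-Za-z].
            if [ "${#1}" -eq 13 ] &&
               ! printf '%s' "$1" | grep -q '[^./0-9A-Za-z]'; then
                echo "des-crypt"
            else
                echo "unknown"
            fi ;;
    esac
}

# Read shadow-format lines on stdin; print users with MD5-crypt hashes.
md5_accounts() {
    while IFS=: read -r user hash _rest; do
        if [ "$(shadow_scheme "$hash")" = "md5-crypt" ]; then
            echo "$user"
        fi
    done
}

# Constructed sample in /etc/shadow layout (not real hashes).
sample_shadow() {
    cat <<'EOF'
alice:$1$saltsalt$0123456789abcdefghijkl:12316:0:99999:7:::
bob:abJnggxhB/yJk:12316:0:99999:7:::
carol:$1$Xy7/zQ1.$ABCDEFGHIJKLMNOPQRSTUV:12316:0:99999:7:::
daemon:*:12316:0:99999:7:::
EOF
}

sample_shadow | md5_accounts
```

On a live host, run it as root with `md5_accounts < /etc/shadow`.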