Nick Lange
2003-Dec-03 05:24 UTC
LinuxPAM woes on the 3.6 series of openssh portable - strange behaviour
All, I hate to ask what's going to boil down to a configuration issue (I think)... and before I start poring through the code I'm hoping someone can just point out what's going on.

Essentially, on a particular "flavor" of our redhat linux 8 boxes PAM always seems to be called/fail before any real authentication takes place. On other boxes, this is not the case. Normally this would not be a problem; however, in a three-failed-passwords-and-you-are-locked-out environment, this renders public keys almost useless. (Three successful authentications via public key will register three failed authentication attempts.)

I am not convinced that it is sshd a priori, but I do need to resolve the issue. Can anyone familiar with this section of code offer any suggestions what could cause openssh to invoke PAM at this point before the user has even attempted to enter a password? See below for example output.

I have one other box in the three-strikes-and-you're-out environment (pam_smbauth) where this is not a problem; however, its configuration is different from the afflicted boxes. As I said this is apparently strange behaviour and I'm not quite sure what I'm looking for yet without poring through the code.

Any assistance is appreciated, on or off the list.

Cheers,
nick

debug3: mm_auth_password entering
debug3: mm_request_send entering: type 10
debug3: monitor_read: checking request 10
debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
debug3: mm_request_receive_expect entering: type 11
debug3: mm_request_receive entering
debug1: PAM password authentication failed for e341518: Authentication failure
debug3: mm_answer_authpassword: sending result 0
debug3: mm_request_send entering: type 11
Failed none for e341518 from XXX.XXX.XXX.XXX port 44847 ssh2
debug3: mm_request_receive entering
debug3: mm_auth_password: user not authenticated
Failed none for e341518 from XXX.XXX.XXX.XXX port 44847 ssh2
Darren Tucker
2003-Dec-03 05:43 UTC
LinuxPAM woes on the 3.6 series of openssh portable - strange behaviour
Nick Lange wrote:
> I hate to ask what's going to boil down to a configuration issue (I
> think)... and before I start poring through the
> code I'm hoping someone can just point out what's going on.
>
> Essentially, on a particular "flavor" of our redhat linux 8 boxes PAM
> always seems to be called/fail before any real
> authentication takes place. On other boxes, this is not the case.
> Normally this would not be a problem; however, in a
> three-failed-passwords and you are locked out environment, this
> renders public keys almost useless. (Three successful
> authentications via public key will register three failed authentication
> attempts).

This is probably due to the "none" authentication attempted at the start of the SSH conversation. Previous versions would skip this test if PermitEmptyPasswords was "no"; however, the owl-always-auth changes introduced in 3.6.1p2 (?) meant that it would always be attempted.

For a better description, see (near the bottom):
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=99168

There's a patch against 3.6.1p2 there too:
http://bugs.debian.org/cgi-bin/bugreport.cgi/openssh-debian_login.patch?bug=99168&msg=20&att=1

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.