openssh unix dev - Dec 2003 - LinuxPAM woes on the 3.6 series of openssh portable - strange behaviour

All,
  I hate to ask what's going to boil down to a configuration issue (I
think)... and before I start pouring through the
code I'm hoping someone can just point out what's going on.

Essentially, on a particular "flavor" of our redhat linux 8 boxes PAM
always seems to be called/fail before any real
authentication takes place. On other boxes, this is not the case. Normally this
would not be a problem; however, in a
three-failed-passwords and you are locked out environment, this renders public
key's almost useless. (Three successfull
authentications via public key will register three failed authentication
attempts). I am not convinced that it is sshd a
priori, but I do need to resolve the issue. Can anyone familiar with this
section of code offer any suggestions what
could cause openssh to invoke PAM at this point before the user has even
attempted to enter a password?

see below for example output. I have on other box in the
three-strikes-and-your-out environment(pam_smbauth) where this
is not a problem; however, it's configuration is different then the
afflicted boxes. As I said this is apparently
strange behaviour and I'm not quite sure what I'm looking for yet
without pouring through the code.

Any assistance is appreciated, on or off the list.
Cheers,
nick


debug3: mm_auth_password entering
debug3: mm_request_send entering: type 10
debug3: monitor_read: checking request 10
debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
debug3: mm_request_receive_expect entering: type 11
debug3: mm_request_receive entering
debug1: PAM password authentication failed for e341518: Authentication failure
debug3: mm_answer_authpassword: sending result 0
debug3: mm_request_send entering: type 11
Failed none for e341518 from XXX.XXX.XXX.XXX port 44847 ssh2
debug3: mm_request_receive entering
debug3: mm_auth_password: user not authenticated
Failed none for e341518 from XXX.XXX.XXX.XXX port 44847 ssh2

Nick Lange wrote:
>   I hate to ask what's going to boil down to a configuration issue (I
> think)... and before I start pouring through the
> code I'm hoping someone can just point out what's going on.
> 
> Essentially, on a particular "flavor" of our redhat linux 8 boxes
PAM
> always seems to be called/fail before any real
> authentication takes place. On other boxes, this is not the case.
> Normally this would not be a problem; however, in a
> three-failed-passwords and you are locked out environment, this
> renders public key's almost useless. (Three successful
> authentications via public key will register three failed authentication
> attempts).
This is probably due to the "none" authentication attempted at the
start
of the SSH conversation.  Previous versions would skip this test if
PermitEmptyPasswords was "no", however the owl-always-auth changes
introduced in 3.6.1p2 (?) meant that it would always be attempted.

For a better description, see (near the bottom):
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=99168

There's a patch against 3.6.1p2 there too:
http://bugs.debian.org/cgi-bin/bugreport.cgi/openssh-debian_login.patch?bug=99168&msg=20&att=1

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.