Hi,
I have an auth module for PAM that I wrote a few years ago called
pam_vsd.so. The idea is that a user must have a certain privilege
before they can successfully authenticate. Without the privilege the
PAM module will return PAM_PERM_DENIED.
However, I find that in OpenSSH 3.7.1p2 I can easily subvert this check
simply by hitting return 3 times on connection, i.e.
[nick@localhost pam.d]$ ssh nick@host.dsvr.net
Server host.dsvr.net
Password: <hit return>
Password: <hit return>
Password: <hit return>
nick@host.dsvr.net's password: <enter real password>
[nick@host.dsvr.net nick]$
Syslog shows that indeed pam_vsd.so is correctly rejecting the
connection, but then why does it fail the keyboard-interactive/pam login
and then allow another type of login?
I have been using this module for a few years now and it works fine on
other services such as FTP, SMTP, POP3 and IMAP.
Any thoughts?
Regards,
Nick
Extract from syslog:
PAM_pwdb[25749]: (sshd) session closed for user nick
PAM_pwdb[25761]: authentication failure; (uid=0) -> nick for sshd service
PAM-vsd[25761]: user nick does not have telnet privilege
sshd[25759]: error: PAM: Authentication failure
PAM_pwdb[25762]: authentication failure; (uid=0) -> nick for sshd service
PAM-vsd[25762]: user nick does not have telnet privilege
sshd[25759]: error: PAM: Authentication failure
PAM_pwdb[25763]: authentication failure; (uid=0) -> nick for sshd service
PAM-vsd[25763]: user nick does not have telnet privilege
sshd[25759]: error: PAM: Authentication failure
sshd[25759]: Failed keyboard-interactive/pam for nick from xxx.xx.xxx.xx port 47018 ssh2
sshd[25759]: Accepted password for nick from xxx.xx.xxx.xx port 47018 ssh2
PAM_pwdb[25765]: (sshd) session opened for user nick by (uid=0)
$ cat /etc/pam.d/sshd
#%PAM-1.0
auth required /lib/security/pam_pwdb.so shadow nodelay
auth required /lib/security/pam_vsd.so priv=telnet
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_pwdb.so
password required /lib/security/pam_cracklib.so
password required /lib/security/pam_pwdb.so shadow nullok use_authtok
session required /lib/security/pam_pwdb.so
session required /lib/security/pam_limits.so
The contents of sshd_config are:
Port 22
Protocol 2,1
HostKey /usr/local/etc/ssh/ssh_host_key
HostKey /usr/local/etc/ssh/ssh_host_rsa_key
HostKey /usr/local/etc/ssh/ssh_host_dsa_key
ServerKeyBits 768
LoginGraceTime 600
KeyRegenerationInterval 3600
PermitRootLogin no
IgnoreRhosts yes
RhostsRSAAuthentication
StrictModes yes
X11Forwarding no
X11DisplayOffset 10
PrintMotd yes
KeepAlive yes
PrintLastLog no
SyslogFacility AUTH
LogLevel INFO
RhostsRSAAuthentication no
HostbasedAuthentication no
RSAAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords no
UsePAM yes
#ChallengeResponseAuthentication no
KerberosAuthentication no
UseLogin no
Banner /usr/local/etc/issue.net
Subsystem sftp /usr/libexec/openssh/sftp-server
MaxStartups 10:30:60
--
Nick Burrett
Network Engineer, Designer Servers Ltd. http://www.dsvr.co.uk
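The syslog extract above records the pattern worth alarming on: the same sshd child (pid 25759) logs a PAM-backed "Failed keyboard-interactive/pam" for a user and then, seconds later, an "Accepted password" for the same user from the same source and port, with no pam_vsd line in between. The following is an added example, not code from the thread or from OpenSSH: a small Python checker that (a) scans syslog lines for that fallback pattern, correlating on sshd pid, user, source and port, and (b) audits an sshd_config for the option combination that offers the "password" method alongside keyboard-interactive/pam. The sample log and config are constructed from the lines quoted in the post (the wrapped "Failed keyboard-interactive/pam" line re-joined); the function names and the audit rules are this example's own assumptions, not settings documented by the thread.

```python
import re
from collections import defaultdict

# Constructed sample: the syslog lines quoted in the post, pids and the
# masked address exactly as given there.
SAMPLE_SYSLOG = """\
PAM_pwdb[25749]: (sshd) session closed for user nick
PAM_pwdb[25761]: authentication failure; (uid=0) -> nick for sshd service
PAM-vsd[25761]: user nick does not have telnet privilege
sshd[25759]: error: PAM: Authentication failure
PAM_pwdb[25762]: authentication failure; (uid=0) -> nick for sshd service
PAM-vsd[25762]: user nick does not have telnet privilege
sshd[25759]: error: PAM: Authentication failure
PAM_pwdb[25763]: authentication failure; (uid=0) -> nick for sshd service
PAM-vsd[25763]: user nick does not have telnet privilege
sshd[25759]: error: PAM: Authentication failure
sshd[25759]: Failed keyboard-interactive/pam for nick from xxx.xx.xxx.xx port 47018 ssh2
sshd[25759]: Accepted password for nick from xxx.xx.xxx.xx port 47018 ssh2
PAM_pwdb[25765]: (sshd) session opened for user nick by (uid=0)
"""

# Constructed sample: the relevant lines of the sshd_config quoted in the post.
SAMPLE_SSHD_CONFIG = """\
Port 22
Protocol 2,1
RhostsRSAAuthentication
PasswordAuthentication yes
PermitEmptyPasswords no
UsePAM yes
#ChallengeResponseAuthentication no
"""

FAILED_RE = re.compile(r"sshd\[(\d+)\]: Failed (\S+) for (\S+) from (\S+) port (\d+)")
ACCEPTED_RE = re.compile(r"sshd\[(\d+)\]: Accepted (\S+) for (\S+) from (\S+) port (\d+)")


def find_method_fallbacks(log_text):
    """Return (pid, user, src, failed_method, accepted_method) tuples where one
    sshd child first logged a failure of a PAM-backed method and then accepted
    the same user, from the same source and port, via a different method."""
    failed = defaultdict(list)  # (pid, user, src, port) -> methods that failed
    hits = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            pid, method, user, src, port = m.groups()
            failed[(pid, user, src, port)].append(method)
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            pid, method, user, src, port = m.groups()
            for prior in failed.get((pid, user, src, port), []):
                # Only a *different* method succeeding after a PAM denial is
                # interesting; a retry of the same method is a normal typo.
                if prior != method and prior.endswith("/pam"):
                    hits.append((pid, user, src, prior, method))
    return hits


def parse_sshd_config(text):
    """Crude sshd_config reader: keyword -> value, keys lower-cased, comments
    and bare keywords without a value skipped (no Match blocks handled)."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            opts[parts[0].lower()] = parts[1].strip()
    return opts


def audit_sshd_config(text):
    """Findings (assumed rules for a host whose PAM auth stack gates logins):
    flag UsePAM together with the 'password' method left on, and flag
    keyboard-interactive/pam having been switched off.  Defaults assumed:
    PasswordAuthentication yes, ChallengeResponseAuthentication yes."""
    opts = parse_sshd_config(text)
    findings = []
    if (opts.get("usepam", "no").lower() == "yes"
            and opts.get("passwordauthentication", "yes").lower() == "yes"):
        findings.append("UsePAM yes with PasswordAuthentication yes: the "
                        "'password' method is offered next to keyboard-interactive/pam")
    if opts.get("challengeresponseauthentication", "yes").lower() == "no":
        findings.append("ChallengeResponseAuthentication no: keyboard-interactive/pam "
                        "is not offered at all")
    return findings


if __name__ == "__main__":
    for hit in find_method_fallbacks(SAMPLE_SYSLOG):
        print("fallback after PAM denial:", hit)
    for finding in audit_sshd_config(SAMPLE_SSHD_CONFIG):
        print("config:", finding)
```

Run against the quoted extract, the log scan reports one hit (pid 25759, user nick, keyboard-interactive/pam failed, password accepted) and the config audit reports only the UsePAM/PasswordAuthentication pairing, since the ChallengeResponseAuthentication line is commented out. The post does not settle whether the "password" method in 3.7.1p2 consults the PAM auth stack at all; what the log does show is that pam_vsd was never consulted on the accepted attempt, so until that is understood the conservative setting on a host that relies on an auth-stack module is to leave only the PAM-backed method enabled and to watch for the fallback pattern the first function detects.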