Sangeeth Saravanaraj
2014-Mar-05 18:46 UTC
Bad Password - #010#012#015#177INCORRECT : ssh -> pam -> libpam_sqlite -> sqlite3
I want to configure secure shell access to a Linux machine where allowed users are stored in an sqlite3 database and not in the /etc/passwd, /etc/shadow and /etc/group. I use PAM for user authentication. In this case I use libpam_sqlite<https://github.com/sangeeths/libpam-sqlite/blob/master/README_pam_sqlite3>which performs PAM actions like auth, account, password, etc on user data stored in an sqlite3 database. I have the following configuration in my /etc/pam.d/sshd auth required /lib/security/pam_sqlite3.so account required /lib/security/pam_sqlite3.so password required /lib/security/pam_sqlite3.so When I tried to ssh to the box using a userid which is residing in the sqlite3 database only (and not in /etc/passwd), the authentication failed. The problem I found was, when an ssh is attempted, OpenSSH module is trying to get the user info from the /etc/passwd file and when it found that the user does not exist, it passes "#010#012#015#177INCORRECT" as the password (and discards the password entered by the user) to the libpam_sqlite module. Then obviously the libpam_sqlite3 denies access to the user because the password is incorrect! When looked into the OpenSSH code, I found that getpwnam() in auth.c::getpwnamallow() sets pw = NULL and so the following message appears! debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 0 Invalid user XXXXXX from A.B.C.D Now, to the questions: 1. Why does OpenSSH replaces the password entered by the user with the bad password - "\b\n\r\177INCORRECT" when the user is not present in the /etc/passwd file? 2. Is there a way to tell OpenSSH not to override the password entered by the user? 3. Is it really possible to authenticate a user based on an sqlite3 database when the user record is not present in the /etc/passwd, /etc/shadow and /etc/group? Thank you, Sangeeth
Karl O. Pinc
2014-Mar-05 19:00 UTC
Bad Password - #010#012#015#177INCORRECT : ssh -> pam -> libpam_sqlite -> sqlite3
On 03/05/2014 12:46:18 PM, Sangeeth Saravanaraj wrote:> I want to configure secure shell access to a Linux machine where > allowed > users are stored in an sqlite3 database and not in the /etc/passwd, > /etc/shadow and /etc/group. I use PAM for user authentication.I can't speak to the internals but have you set UsePAM Yes in sshd_config? Karl <kop at meme.com> Free Software: "You don't pay back, you pay forward." -- Robert A. Heinlein
Reasonably Related Threads
- badpw = "\b\n\r\177INCORRECT"
- PAM Module:Openssh and Tacacs+ Question
- [Bug 1269] PAM Callback returns garbage if user unknown or root with disabled login in ssh-config
- [CSSA-2000-015-0] Caldera Security Advisory: KDE suid root applications
- AST-2014-015: Remote Crash Vulnerability in PJSIP channel driver