openssh bugs - Sep 2003 - [Bug 696] PAM modules getting bypassed when connecting from f-secure ssh client to openssh 3.7p1 or 3.7.1p1 servers

http://bugzilla.mindrot.org/show_bug.cgi?id=696

           Summary: PAM modules getting bypassed when connecting from f-
                    secure ssh client to openssh 3.7p1 or 3.7.1p1 servers
           Product: Portable OpenSSH
           Version: 3.7.1p1
          Platform: Sparc
        OS/Version: Solaris
            Status: NEW
          Severity: minor
          Priority: P2
         Component: PAM support
        AssignedTo: openssh-bugs at mindrot.org
        ReportedBy: swamitj at yahoo.com


Openssh 3.7.1p1 and 3.7p1 were complied with PAM support. When we try to 
connect in(to the openssh 3.7.1p1/3.7p1 server)  from F-Secure ssh clients the 
PAM modules are totally getting bypassed. Is there a way to fix this?

 However there are no problems connecting in from Openssh clients(PAM  works 
fine)

The options that were used here were similar to the options used to compile 
openssh 3.6p1. No problems are encountered when connecting to a 3.6p1 server 
either from openssh client or a f-secure ssh client.



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=696

djm at mindrot.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WORKSFORME



------- Additional Comments From djm at mindrot.org  2003-09-22 10:09 -------
Read the comment next to UsePAM in sshd_config.



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=696

swamitj at yahoo.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|WORKSFORME                  |



------- Additional Comments From swamitj at yahoo.com  2003-09-22 11:31 -------
PasswordAuthentication is set to no and
UsePAM is set to yes on the sshd_config file

Running sshd in debug mode while trying to connect in , shows PAM modules 
being invoked while coming in from openssh clients but not from f-secure.



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=696





------- Additional Comments From dtucker at zip.com.au  2003-09-22 11:39 -------
Are your F-Secure clients configured to use keyboard-interactive authentication?



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=696





------- Additional Comments From jason at devrandom.org  2003-09-22 11:51
-------
F-Secure SSH client for me (on OpenVMS) works fine with UsePAM=yes and
PasswordAuthentication=no for the ssh client:

SYS$  ssh2 "jmccormick at rowan"
Keyboard-interactive:
Password:

Authentication successful.
[jmccormick at rowan jmccormick]$

My F-Secure install by default seems to be using keyboard-interactive as I'm
not
explicitly enabling it anywhere.



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=696





------- Additional Comments From swamitj at yahoo.com  2003-09-22 12:37 -------
Yes the clients are configured to use keyboard-interactive. The same client 
connects fine to a 3.6p1 server(no problems with PAM) but has problems talking 
with 3.7p1 or 3.7.1p1. 




------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=696





------- Additional Comments From swamitj at yahoo.com  2003-09-22 23:21 -------
The same problem has been noticed on Secure CRT and Putty clients as well. The 
only client that seems to work so far is the openssh client.



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=696

swamitj at yahoo.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Severity|minor                       |major





------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=696





------- Additional Comments From djm at mindrot.org  2003-09-24 07:25 -------
you will have to provide more evidence. A debug trace from the server perhaps?

Are you using 3.7.1p2?



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=696





------- Additional Comments From swamitj at yahoo.com  2003-09-24 07:54 -------
Created an attachment (id=463)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=463&action=view)
Debug output from the server and verbose o/p from the client side(both f-secure
and openssh)

Yes we upgraded to 3.7.1p2 and the problem still persists. Setting UsePAM to
yes and PasswordAuthentication to no the f-secure client is not able to login
to the machine at all. 



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=696

djm at mindrot.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
    Attachment #463|application/octet-stream    |text/plain
          mime type|                            |





------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=696

djm at mindrot.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
         Resolution|                            |WORKSFORME



------- Additional Comments From djm at mindrot.org  2003-09-24 08:15 -------
You are not even trying challenge response authentication. Try connecting using
ssh protocol 2 or looking for a f-secure option "tisauthentication" or
similar
to enable challenge-response for protocol 1.

This does work (it has been tested by a number of developers) - the problem is
at the client.



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.