bugzilla-daemon at mindrot.org
2003-Sep-26 01:03 UTC
[Bug 719] pam auth not working the same way
http://bugzilla.mindrot.org/show_bug.cgi?id=719

Summary: pam auth not working the same way
Product: Portable OpenSSH
Version: -current
Platform: Sparc
OS/Version: Solaris
Status: NEW
Severity: normal
Priority: P2
Component: PAM support
AssignedTo: openssh-bugs at mindrot.org
ReportedBy: stevebalm2000 at yahoo.com

We recently upgraded from openssh-3.6.1p2 to openssh-3.7.1p2 and are now not able to login. We rely on PAM authentication and our PAM configuration looks like this:

sshd auth required /usr/lib/security/$ISA/pam_krb54.so.1 get_k4_tgt

This pam module is home-grown and gets both Kerb5 and Kerb4 tickets. I've tried running sshd -d -d -d to figure out the problem here and I'm not sure what the issue is. I'll attach the debug output shortly.

Here is my /etc/ssh/sshd_config:

HostKey /etc/ssh/ssh_host_key
HostKey /etc/ssh/ssh_host_dsa_key
LoginGraceTime 600
IgnoreRhosts no
IgnoreUserKnownHosts yes
X11Forwarding yes
SyslogFacility DAEMON
HostbasedAuthentication yes
RhostsRSAAuthentication yes
Subsystem sftp /usr/local/libexec/sftp-server

Where should I be looking to track this down? Does my pam.conf need to be updated for the new openssh? Does my local pam need to be modified to work with the new openssh? Also, please let me know what other information would be helpful in debugging this. Thanks.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2003-Sep-26 01:13 UTC
[Bug 719] pam auth not working the same way
http://bugzilla.mindrot.org/show_bug.cgi?id=719

------- Additional Comments From jason at devrandom.org 2003-09-26 11:13 -------
Do you have "UsePam yes" in your sshd_config file? 3.7.1p2 by default configuration now ships with PAM disabled. You *must* specify "UsePam yes" in your sshd_config for PAM to work with OpenSSH. This is a change in the default behavior between 3.7.1p1 and 3.7.1p2.
bugzilla-daemon at mindrot.org
2003-Sep-26 01:14 UTC
[Bug 719] pam auth not working the same way
http://bugzilla.mindrot.org/show_bug.cgi?id=719

------- Additional Comments From stevebalm2000 at yahoo.com 2003-09-26 11:14 -------
Created an attachment (id=469)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=469&action=view)
Output from "sshd -p 30 -d -d -d"

I was able to login using v3.6.1p2
bugzilla-daemon at mindrot.org
2003-Sep-26 01:17 UTC
[Bug 719] pam auth not working the same way
http://bugzilla.mindrot.org/show_bug.cgi?id=719

------- Additional Comments From stevebalm2000 at yahoo.com 2003-09-26 11:17 -------
Created an attachment (id=470)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=470&action=view)
Output from "sshd -p 30 -d -d -d"

I was not able to login using v3.7.1p2

Btw, here is uname -a info:

SunOS trouble 5.9 Generic_112233-08 sun4u sparc SUNW,Ultra-5_10
bugzilla-daemon at mindrot.org
2003-Sep-26 01:24 UTC
[Bug 719] pam auth not working the same way
http://bugzilla.mindrot.org/show_bug.cgi?id=719

------- Additional Comments From stevebalm2000 at yahoo.com 2003-09-26 11:24 -------
I added "UsePAM yes" to sshd_config and now I get my PAM conversation prompt and my login is successful. The sshd_config that ships with 3.7.1p2 should be updated to show that "UsePAM no" is the default now.

Is there any way to avoid the PAM conversation prompt and use the OpenSSH password prompt as 3.6.1p2 used to do?
bugzilla-daemon at mindrot.org
2003-Sep-26 02:24 UTC
[Bug 719] pam auth not working the same way
http://bugzilla.mindrot.org/show_bug.cgi?id=719

------- Additional Comments From stevebalm2000 at yahoo.com 2003-09-26 12:24 -------
Also, is it possible to use privilege separation and pam at the same time?
bugzilla-daemon at mindrot.org
2003-Sep-26 23:38 UTC
[Bug 719] pam auth not working the same way
http://bugzilla.mindrot.org/show_bug.cgi?id=719

------- Additional Comments From djm at mindrot.org 2003-09-27 09:38 -------
No, PAM is fundamentally a challenge-response system. The old password auth code worked by ASSuMEing that there would only be a single prompt and that the prompt would be for a password.

(FYI, The UsePAM entry in sshd_config has been corrected)
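The failure mode in this thread (pam.conf carries sshd rules, but sshd runs with PAM off because UsePAM is absent and defaults to "no") can be checked before an upgrade. The script below is an added example, not part of the original thread or of OpenSSH; the function names are hypothetical and the sample files are constructed from the configuration quoted in the report.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample files are constructed.

# Print the effective UsePAM value for an sshd_config file.
# Assumptions: keywords are case-insensitive, the first occurrence wins,
# and a missing keyword means "no" (the 3.7.1p2 default described above).
effective_usepam() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blank lines
        { sub(/[ \t]*=[ \t]*/, " ") }            # accept "Keyword=value" too
        tolower($1) == "usepam" { v = tolower($2); exit }
        END { print (v == "" ? "no" : v) }
    ' "$1"
}

# Count non-comment pam.conf lines whose service field is "sshd".
pam_sshd_entries() {
    awk '!/^[ \t]*#/ && $1 == "sshd" { n++ } END { print n + 0 }' "$1"
}

# Flag the mismatch: PAM rules exist for sshd, but sshd never consults
# them because UsePAM is not effectively "yes". Args: sshd_config pam.conf
check_pam_mismatch() {
    if [ "$(effective_usepam "$1")" != "yes" ] && [ "$(pam_sshd_entries "$2")" -gt 0 ]; then
        echo "MISMATCH: $2 has sshd entries but UsePAM is not enabled in $1"
        return 1
    fi
    echo "OK: $1"
}

tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/pam.conf" <<'EOF'
# constructed from the pam.conf line quoted in the report
sshd auth required /usr/lib/security/$ISA/pam_krb54.so.1 get_k4_tgt
EOF
cat > "$tmp/sshd_config.before" <<'EOF'
# constructed: subset of the reporter's sshd_config, no active UsePAM line
LoginGraceTime 600
#UsePAM yes
HostbasedAuthentication yes
EOF
{ cat "$tmp/sshd_config.before"; echo "usepam yes"; } > "$tmp/sshd_config.after"

check_pam_mismatch "$tmp/sshd_config.before" "$tmp/pam.conf" || true
check_pam_mismatch "$tmp/sshd_config.after"  "$tmp/pam.conf"
```

A commented-out `#UsePAM yes` line does not count as a setting, which is why the "before" file is still reported as a mismatch.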