Hi all,
trawled through the archives and didn't find what I was looking for so here
goes.
This may be common knowledge or may not for the developers here ... maybe
it will save someone some time anyhow.
I'm running Redhat 6.2, **2.4.0-test1 kernel**, openssh-2.1.1p2.tar.gz,
openssl-0.9.5a.tar.gz,
with these options.
sh configure --with-tcp-wrappers --with-md5-passwords --with-ipv4-default
--with-pam
/etc/pam.d/sshd
#%PAM-1.0
auth required /lib/security/pam_pwdb.so shadow nodelay
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_pwdb.so
password required /lib/security/pam_cracklib.so
password required /lib/security/pam_pwdb.so shadow nullok use_authtok
session required /lib/security/pam_pwdb.so
session required /lib/security/pam_limits.so
ident /usr/local/sbin/sshd | grep -i pam
Does not find pam.
The error I receive is a,
Permission denied, please try again even though my password **IS** correct.
sshd shows this
Connection from 192.168.254.200 port 720
debug: Client protocol version 1.5; client software version OpenSSH_2.1.1
debug: Local version string SSH-1.99-OpenSSH_2.1.1
debug: Sent 768 bit public key and 1024 bit host key.
debug: Encryption type: 3des
debug: Received session key; encryption turned on.
debug: Installing crc compensation attack detector.
debug: Attempting authentication for darren.
Failed password for darren from 192.168.254.200 port 720
Connection closed by 192.168.254.200
debug: Calling cleanup 0x805c7b4(0x0)
When I do this, and strace sshd -d I get this from strace
ssh -v -l darren horseplay
) = 1 (in [4])
read(4, "\0\0\0\17u\17\264\244\27\205\237\26q\341\322\251\31\217"..., 8192) = 20
open("/etc/shadow", O_RDONLY) = 3
fcntl(3, F_GETFD) = 0
fcntl(3, F_SETFD, FD_CLOEXEC) = 0
fstat64(0x3, 0xbfffef28) = 0
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40015000
read(3, "root:$1$1xxxxxxxxxxxxxxxxxxxxxxx"..., 4096) = 757
close(3) = 0
munmap(0x40015000, 4096) = 0
getpeername(4, {sin_family=AF_INET, sin_port=htons(743),
sin_addr=inet_addr("192.168.254.200")}}, [16]) = 0
write(2, "Failed password for darren from "..., 57) = 57
write(4, "\0\0\0\5\r\260\314t\211\336\320\"", 12) = 12
select(5, [4], NULL, NULL, NULL) = 1 (in [4])
read(4, "", 8192) = 0
write(2, "Connection closed by 192.168.254"..., 37) = 37
write(2, "debug: Calling cleanup 0x805c7b4"..., 38) = 38
shutdown(4, 2 /* send and receive */) = 0
close(4) = 0
_exit(255) = ?
I may be wrong, but it does say read(4, "root: ...." so is it not
reading my
username in the shadow file.
I've also had odd problems with openssh-2.1.1p1.tar.gz on FreeBSD
3.5-STABLE,
maybe I'll go into that one another day as my memory is hazy at the moment.
My configuration files are the standard ones when installed.
When I set the link back on /usr/src/linux to /usr/src/linux-2.2.12 and
recompiled openssh **sshd actually worked**.
Also note that when sshd was run under Linux-2.4.0-test1 but recompiled
under 2.2.12 it **ran as expected**.
So I can only conclude that openssh does not support linux-2.4 yet.
Damien, any plans to update it soon? Presumably there are too many
changes :-)
Hope this helps someone else from a headache, now onto why it didn't
work under FreeBSD .... (probably my fault ..)
thanks
Darren
---
On Sat, 1 Jul 2000, Darren Evans wrote:
>
> Hi all,
>
> trawled through the archives and didn't find what I was looking for so here goes.
>
> This may be common knowledge or may not for the developers here ... maybe
> it will save someone some time anyhow.
>
> I'm running Redhat 6.2, **2.4.0-test1 kernel**, openssh-2.1.1p2.tar.gz, openssl-0.9.5a.tar.gz,
> with these options.
>
Suse 6.3, 2.4.0-test2-ac2, openssh-2.1.1p1.tar.gz (not had a chance to
upgrade since I just woke up to find a new release.=)

> sh configure --with-tcp-wrappers --with-md5-passwords --with-ipv4-default --with-pam
>
I just did ./configure and let it figure everything out.

No /etc/pam.d/sshd (Which means pam should default to standard rules)

> /etc/pam.d/sshd
[..]
Mine is the default sshd rules provide in the contrib/ section.
(Which is almost the same except for the "account required /lib/security/pam_pwdb.so" line

> ident /usr/local/sbin/sshd | grep -i pam
>
> Does not find pam.
>
I don't have ident installed, but strings /opt/openssh/sbin/sshd | grep -i pam
show a good 12 lines the last one being the ident:

@(#)$Id: auth-pam.c,v 1.8 2000/06/22 11:44:54 djm Exp $

[..]
> I've also had odd problems with openssh-2.1.1p1.tar.gz on FreeBSD 3.5-STABLE,
> maybe I'll go into that one another day as my memory is hazy at the moment.
>
> My configuration files are the standard ones when installed.
>
> When I set the link back on /usr/src/linux to /usr/src/linux-2.2.12 and
> recompiled openssh **sshd actually worked**.
>
> Also note that when sshd was run under Linux-2.4.0-test1 but recompiled
> under 2.2.12 it **ran as expected**.
>
ermm.. This is interesting.. Since I've been running the whole gambit
of kernels (from the late 2.3.x kernels) and I've not seen this problem.

Have you set OpenSSH's configure decide on your configuration options
instead of forcing which ones it should pick?

Ben Lindstrom
On Sat, 1 Jul 2000, Darren Evans wrote:
>
> Hi all,
>
> trawled through the archives and didn't find what I was looking for
> so here goes.
>
> This may be common knowledge or may not for the developers here ...
> maybe it will save someone some time anyhow.
>
> I'm running Redhat 6.2, **2.4.0-test1 kernel**,
> openssh-2.1.1p2.tar.gz, openssl-0.9.5a.tar.gz, with these options.
>
> sh configure --with-tcp-wrappers --with-md5-passwords
> --with-ipv4-default --with-pam

Can you send the output of a configure run?

> ident /usr/local/sbin/sshd | grep -i pam
>
> Does not find pam.

I suspect that some brokenness in the new kernel headers is breaking the
test for PAM. You might want to trawl through config.log for more
detailed error messages.

> The error I receive is a,
>
> Permission denied, please try again even though my password **IS**
> correct.

As a temporary workaround you might want to set --with-md5-passwords

> When I do this, and strace sshd -d I get this from strace
> ssh -v -l darren horseplay
> read(3, "root:$1$1xxxxxxxxxxxxxxxxxxxxxxx"..., 4096) = 757

> I may be wrong, but it does say read(4, "root: ...." so is it not
> reading my username in the shadow file.

If your username is in the first 4096 bytes of the password file it is
getting it OK.

> I've also had odd problems with openssh-2.1.1p1.tar.gz on FreeBSD
> 3.5-STABLE, maybe I'll go into that one another day as my memory is
> hazy at the moment.

The FreeBSD developers maintain their own port of OpenSSH - I have no
idea whether it is based on our work or not.

Thanks,
Damien Miller

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)
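The point about the strace line can be checked directly: strace prints only the start of the buffer, while the return value of read() (757 in the trace) is the number of bytes actually read. The script below is an added example, not part of the original thread; it reports the hash scheme of one account's shadow entry and the byte range it occupies, so you can confirm the entry lies inside the first 4096-byte read. The helper names `shadow_entry` and `entry_in_first_read` and the sample shadow file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; the shadow(5) entries below are constructed sample data.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
root:$1$saltsalt$AAAAAAAAAAAAAAAAAAAAAA:11139:0:99999:7:::
bin:*:11139:0:99999:7:::
darren:$1$pepperpe$BBBBBBBBBBBBBBBBBBBBBB:11139:0:99999:7:::
legacy:abCDEFGHIJKLM:11139:0:99999:7:::
EOF

# shadow_entry FILE USER   (hypothetical helper)
# Prints "<scheme> <start> <end>": the hash scheme of USER's entry and the
# byte range [start, end) it occupies in FILE. Returns 1 if USER is absent.
shadow_entry() {
    awk -F: -v user="$2" '
        BEGIN { off = 0 }
        $1 == user {
            h = $2
            if (h == "")               s = "empty"
            else if (h ~ /^[*!]/)      s = "locked"
            else if (h ~ /^\$1\$/)     s = "md5-crypt"      # the $1$ seen in the strace
            else if (h ~ /^\$/)        s = "other-modular"
            else if (length(h) == 13)  s = "des-crypt"      # traditional crypt(3)
            else                       s = "unknown"
            print s, off, off + length($0) + 1
            found = 1
            exit
        }
        { off += length($0) + 1 }      # +1 for the newline
        END { exit !found }
    ' "$1"
}

# entry_in_first_read FILE USER [BUFSIZE]   (hypothetical helper)
# Succeeds if the whole entry fits in the first BUFSIZE bytes, i.e. a single
# read() of that size (4096 in the strace above) already contains it.
entry_in_first_read() {
    entry=$(shadow_entry "$1" "$2") || return 1
    end=${entry##* }
    [ "$end" -le "${3:-4096}" ]
}

for u in root darren legacy; do
    printf '%s: %s\n' "$u" "$(shadow_entry "$SAMPLE" "$u")"
done
entry_in_first_read "$SAMPLE" darren && echo "darren is inside the first 4096-byte read"
```

Run it as root against a copy of the real file by passing that path instead of `$SAMPLE`.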
Hi all,
well after some messing around, I have come a lot closer.
It appears to be a kernel issue/bug with linux-2.4.0-test1.
I upgraded to linux-2.4.0-test2 with both of these configure options and
sshd/ssh worked.
What has changed in the kernels I'll leave to someone else to figure out :-)
OpenSSH configured has been configured with the following options.
User binaries: /usr/local/bin
System binaries: /usr/local/sbin
Configuration files: /usr/local/etc
Askpass program: /usr/local/libexec/ssh/ssh-askpass
Manual pages: /usr/local/man/manX
PID file: /var/run
Random number collection: Device (/dev/urandom)
Manpage format: man
PAM support: yes
KerberosIV support: no
AFS support: no
S/KEY support: no
TCP Wrappers support: no
MD5 password support: no
IP address in $DISPLAY hack: no
Use IPv4 by default hack: no
Translate v4 in v6 hack: yes
Compiler flags: -g -O2 -Wall -I/usr/local/ssl/include
Linker flags: -L/usr/local/ssl/lib -L/usr/local/ssl
Libraries: -ldl -lnsl -lz -lutil -lpam -lcrypto
And with these options.
OpenSSH configured has been configured with the following options.
User binaries: /usr/local/bin
System binaries: /usr/local/sbin
Configuration files: /usr/local/etc
Askpass program: /usr/local/libexec/ssh/ssh-askpass
Manual pages: /usr/local/man/manX
PID file: /var/run
Random number collection: Device (/dev/urandom)
Manpage format: man
PAM support: yes
KerberosIV support: no
AFS support: no
S/KEY support: no
TCP Wrappers support: yes
MD5 password support: yes
IP address in $DISPLAY hack: no
Use IPv4 by default hack: yes
Translate v4 in v6 hack: yes
Compiler flags: -g -O2 -Wall -I/usr/local/ssl/include
Linker flags: -L/usr/local/ssl/lib -L/usr/local/ssl
Libraries: -ldl -lnsl -lz -lutil -lpam -lcrypto -lwrap
As I say both worked ...
regards
Darren
At 15:31 01/07/00 -0500, Ben Lindstrom wrote:
>On Sat, 1 Jul 2000, Darren Evans wrote:
>
>> sh configure --with-tcp-wrappers --with-md5-passwords --with-ipv4-default --with-pam
>>
>I just did ./configure and let it figure everything out.
>
>No /etc/pam.d/sshd (Which means pam should default to standard rules)
>
>> /etc/pam.d/sshd
>[..]
>Mine is the default sshd rules provide in the contrib/ section.
>(Which is almost the same except for the "account required
>/lib/security/pam_pwdb.so" line
>
>> ident /usr/local/sbin/sshd | grep -i pam
>>
>> Does not find pam.
>>
>I don't have ident installed, but strings /opt/openssh/sbin/sshd | grep -i
>pam show a good 12 lines the last one being the ident:
>
>@(#)$Id: auth-pam.c,v 1.8 2000/06/22 11:44:54 djm Exp $
>
>[..]
>> I've also had odd problems with openssh-2.1.1p1.tar.gz on FreeBSD 3.5-STABLE,
>> maybe I'll go into that one another day as my memory is hazy at the moment.
>>
>> My configuration files are the standard ones when installed.
>>
>> When I set the link back on /usr/src/linux to /usr/src/linux-2.2.12 and
>> recompiled openssh **sshd actually worked**.
>>
>> Also note that when sshd was run under Linux-2.4.0-test1 but recompiled
>> under 2.2.12 it **ran as expected**.
>>
>ermm.. This is interesting.. Since I've been running the whole gambit
>of kernels (from the late 2.3.x kernels) and I've not seen this problem.
>
>Have you set OpenSSH's configure decide on your configuration options
>instead of forcing which ones it should pick?
>
>Ben Lindstrom
---