Hi there,

I just tried out OpenSSH3.0p1 running on Solaris 8 with PAM (--with-PAM).
The problem was mentioned some time ago and is still there :-(
When a password is expired you are prompted to change it now, enter your login password and after doing so you are instantly disconnected. I think this is a problem with PAM and not SSH, but how can I get a solution for this?
sshd is running without problems, no core dump. In /var/adm/messages there is the following output:

auth.crit fatal: PAM pam_chauthtok failed[-1]: Unknown error

That's all. Is there a workaround (like using a different PAM library and not pam_unix.so)?

Alex
On Thu, 8 Nov 2001, Dost, Alexander wrote:

> Date: Thu, 8 Nov 2001 10:04:53 +0100
> From: "Dost, Alexander" <Alexander.Dost at drkw.com>
> To: openssh-unix-dev at mindrot.org
> Subject: OpenSSH3.0p1/PAM/Sol8
>
> Hi there,
>
> I just tried out OpenSSH3.0p1 running on Solaris 8 with PAM (--with-PAM).
> The problem was mentioned some time ago and is still there :-(
> When a password is expired you are prompted to change it now, enter your
> login password and after doing so you are instantly disconnected. I think
> this is a problem with PAM and not SSH, but how can I get a solution on this?
> sshd is running without problems, no core dump. In /var/adm/messages there
> is the following output:
> auth.crit fatal: PAM pam_chauthtok failed[-1]: Unknown error

What does your /etc/pam.conf look like? Are you running sshd as root or some other uid?

Ed

Ed Phillips <ed at udel.edu> University of Delaware (302) 831-6082
Systems Programmer III, Network and Systems Services
finger -l ed at polycut.nss.udel.edu for PGP public key
I imported the example from the contrib directory for generic unix.
sshd is running as root.

Alex

pam.conf:

#
#ident "@(#)pam.conf 1.16 01/01/24 SMI"
#
# Copyright (c) 1996-2000 by Sun Microsystems, Inc.
# All rights reserved.
#
# PAM configuration
#
# Authentication management
#
login     auth     required   /usr/lib/security/$ISA/pam_unix.so.1
login     auth     required   /usr/lib/security/$ISA/pam_dial_auth.so.1
sshd      auth     required   /usr/lib/security/$ISA/pam_unix.so shadow nodelay
#
rlogin    auth     sufficient /usr/lib/security/$ISA/pam_rhosts_auth.so.1
rlogin    auth     required   /usr/lib/security/$ISA/pam_unix.so.1
#
dtlogin   auth     required   /usr/lib/security/$ISA/pam_unix.so.1
#
rsh       auth     required   /usr/lib/security/$ISA/pam_rhosts_auth.so.1
other     auth     required   /usr/lib/security/$ISA/pam_unix.so.1
#
# Account management
#
login     account  requisite  /usr/lib/security/$ISA/pam_roles.so.1
login     account  required   /usr/lib/security/$ISA/pam_projects.so.1
login     account  required   /usr/lib/security/$ISA/pam_unix.so.1
sshd      account  required   /usr/lib/security/$ISA/pam_unix.so.1
#
dtlogin   account  requisite  /usr/lib/security/$ISA/pam_roles.so.1
dtlogin   account  required   /usr/lib/security/$ISA/pam_projects.so.1
dtlogin   account  required   /usr/lib/security/$ISA/pam_unix.so.1
#
other     account  requisite  /usr/lib/security/$ISA/pam_roles.so.1
other     account  required   /usr/lib/security/$ISA/pam_projects.so.1
other     account  required   /usr/lib/security/$ISA/pam_unix.so.1
#
# Session management
#
sshd      session  required   /usr/lib/security/$ISA/pam_unix.so.1
other     session  required   /usr/lib/security/$ISA/pam_unix.so.1
#
# Password management
#
sshd      password required   /usr/lib/security/$ISA/pam_unix.so shadow nullok use_authtok
other     password required   /usr/lib/security/$ISA/pam_unix.so.1
dtsession auth     required   /usr/lib/security/$ISA/pam_unix.so.1
#
# Support for Kerberos V5 authentication (uncomment to use Kerberos)
- snip

> -----Original Message-----
> From: Ed Phillips [SMTP:ed at UDel.Edu]
> Sent: Thursday, November 08, 2001 17:06
> To: Dost, Alexander
> Cc: openssh-unix-dev at mindrot.org
> Subject: Re: OpenSSH3.0p1/PAM/Sol8
>
> What does your /etc/pam.conf look like? Are you running sshd as root or
> some other uid?
>
> Ed
Yes, I get the error messages (illegal option shadow/nodelay).
I removed the entry and, as you said, they are just ignored, nothing changed.
One additional piece of information: If I use NIS+ for password authentication/changing, all works fine.

Alex

#
# /etc/nsswitch.files:
#
# An example file that could be copied over to /etc/nsswitch.conf; it
# does not use any naming service.
#
# "hosts:" and "services:" in this file are used only if the
# /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.

passwd:       files
group:        files
hosts:        dns files
ipnodes:      files
networks:     files
protocols:    files
rpc:          files
ethers:       files
netmasks:     files
bootparams:   files
publickey:    files
# At present there isn't a 'files' backend for netgroup; the system will
# figure it out pretty quickly, and won't use netgroups at all.
netgroup:     files
automount:    files
aliases:      files
services:     files
sendmailvars: files
printers:     user files

auth_attr:    files
prof_attr:    files
project:      files

> -----Original Message-----
> From: Ed Phillips [SMTP:ed at UDel.Edu]
> Sent: Thursday, November 08, 2001 18:34
> To: Dost, Alexander
> Cc: openssh-unix-dev at mindrot.org
> Subject: RE: OpenSSH3.0p1/PAM/Sol8
>
> On Thu, 8 Nov 2001, Dost, Alexander wrote:
>
> > Date: Thu, 8 Nov 2001 18:01:52 +0100
> > From: "Dost, Alexander" <Alexander.Dost at drkw.com>
> > To: 'Ed Phillips' <ed at UDel.Edu>
> > Cc: openssh-unix-dev at mindrot.org
> > Subject: RE: OpenSSH3.0p1/PAM/Sol8
> >
> > I imported the example from the contrib directory for generic unix.
> > sshd is running as root.
> >
> > pam.conf:
> >
> > sshd auth required /usr/lib/security/$ISA/pam_unix.so shadow nodelay
>
> Not that it matters, but "shadow" and "nodelay" are not arguments that are
> recognized by pam_unix.so.1 according to "man pam_unix".
>
> > sshd account required /usr/lib/security/$ISA/pam_unix.so.1
>
> Looks fine.
>
> > sshd session required /usr/lib/security/$ISA/pam_unix.so.1
>
> Looks fine.
>
> > sshd password required /usr/lib/security/$ISA/pam_unix.so shadow nullok use_authtok
>
> Again, these are not supported arguments according to "man pam_unix".
> However, they should just be ignored. You should get syslog messages to
> auth.err about these options though. Did you see any?
>
> > other password required /usr/lib/security/$ISA/pam_unix.so.1
> > dtsession auth required /usr/lib/security/$ISA/pam_unix.so.1
> > #
> > # Support for Kerberos V5 authentication (uncomment to use Kerberos)
>
> Hmmmm... what does your /etc/nsswitch.conf file look like?
>
> Ed
>
> Ed Phillips <ed at udel.edu> University of Delaware (302) 831-6082
> Systems Programmer III, Network and Systems Services
> finger -l ed at polycut.nss.udel.edu for PGP public key
> sshd auth required /usr/lib/security/$ISA/pam_unix.so shadow nodelay

These options do not exist for pam_unix on Solaris. Solaris always uses /etc/shadow and pam_unix doesn't actually know this (as it shouldn't). I don't even know what nodelay would mean if it did exist.

--
Darren J Moffat
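The points Ed and Darren make about the pam.conf above can be checked mechanically. The following is an added example written for this thread, not code from OpenSSH, Sun or any of the posters. It parses the Solaris five-column pam.conf format (service, module type, control flag, module path, options), reports which of the four stacks the sshd service has (a module type with no sshd entry falls through to the "other" entries), and lists any pam_unix options outside the set the pam_unix(5) man page recognises. The KNOWN_PAM_UNIX_OPTIONS set is an assumption drawn from this thread (debug, which Ed suggests adding, plus nowarn, use_first_pass and try_first_pass); shadow, nodelay, nullok and use_authtok are the Linux-PAM spellings that came in with the contrib example and that Ed and Darren say Solaris pam_unix does not know. SAMPLE_PAM_CONF is constructed from the sshd and other lines Alex posted.

```python
"""Check the sshd stacks in a Solaris-style /etc/pam.conf.

Added example for this thread; not code from OpenSSH or Sun. pam.conf entries
have the form
    service  module_type  control_flag  module_path  [options...]
and a service with no entry for a module type falls through to the "other"
entries. The checker reports, for one service, which of the four stacks are
present and which pam_unix options are outside the set the Solaris pam_unix(5)
man page lists.
"""

# Assumption (taken from this thread, not verified against every Solaris
# release): these are the options Solaris 8 pam_unix.so.1 understands.
# "shadow", "nodelay", "nullok" and "use_authtok" are Linux-PAM spellings that
# came in with the contrib/ example and are reported as unknown here.
KNOWN_PAM_UNIX_OPTIONS = {"debug", "nowarn", "use_first_pass", "try_first_pass"}
STACKS = ("auth", "account", "session", "password")

# Constructed sample: the sshd entries from the pam.conf posted above plus the
# "other" fallbacks, with an #ident line and comments as in the real file.
SAMPLE_PAM_CONF = """\
#ident "@(#)pam.conf 1.16 01/01/24 SMI"
# Authentication management
login   auth     required /usr/lib/security/$ISA/pam_unix.so.1
sshd    auth     required /usr/lib/security/$ISA/pam_unix.so shadow nodelay
other   auth     required /usr/lib/security/$ISA/pam_unix.so.1
# Account management
sshd    account  required /usr/lib/security/$ISA/pam_unix.so.1
other   account  required /usr/lib/security/$ISA/pam_unix.so.1
# Session management
sshd    session  required /usr/lib/security/$ISA/pam_unix.so.1
other   session  required /usr/lib/security/$ISA/pam_unix.so.1
# Password management
sshd    password required /usr/lib/security/$ISA/pam_unix.so shadow nullok use_authtok
other   password required /usr/lib/security/$ISA/pam_unix.so.1
"""


def parse_pam_conf(text):
    """Return a list of (service, module_type, control, module_path, options)."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments, including #ident
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError("pam.conf line %d: fewer than 4 fields" % lineno)
        service, mtype, control, path = fields[:4]
        if mtype not in STACKS:
            raise ValueError("pam.conf line %d: bad module type %r" % (lineno, mtype))
        entries.append((service, mtype, control, path, fields[4:]))
    return entries


def check_service(entries, service="sshd"):
    """Summarise one service's stacks.

    Returns {"stacks": {module_type: [(control, path), ...]},
             "missing": [module types that fall through to "other"],
             "unknown_options": [(module_type, path, [bad options]), ...]}.
    """
    stacks = {}
    unknown = []
    for svc, mtype, control, path, opts in entries:
        if svc != service:
            continue
        stacks.setdefault(mtype, []).append((control, path))
        if "pam_unix" in path:
            bad = [o for o in opts if o not in KNOWN_PAM_UNIX_OPTIONS]
            if bad:
                unknown.append((mtype, path, bad))
    return {
        "stacks": stacks,
        "missing": [s for s in STACKS if s not in stacks],
        "unknown_options": unknown,
    }


if __name__ == "__main__":
    report = check_service(parse_pam_conf(SAMPLE_PAM_CONF), "sshd")
    for mtype in STACKS:
        status = "falls through to 'other'" if mtype in report["missing"] else "configured"
        print("sshd %-8s %s" % (mtype, status))
    for mtype, path, bad in report["unknown_options"]:
        print("sshd %-8s %s: options not in pam_unix(5): %s" % (mtype, path, " ".join(bad)))
```

Run against the posted file it confirms what the thread establishes: sshd has all four stacks, so pam_chauthtok() is not falling through to "other", and the only oddities are the carried-over options on the auth and password lines, which Solaris pam_unix logs and ignores rather than fails on. It says nothing about why pam_sm_chauthtok() returns -1, which is the part the thread has not resolved.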
Here is the output. First one successful login, after that passwd -f and a new try...

Alex

Nov 8 18:25:29 FFTUST2001 sshd[5618]: [ID 888916 auth.debug] unix pam_sm_authenticate(sshd f998505), flags = 0
Nov 8 18:25:29 FFTUST2001 sshd[5618]: [ID 800047 auth.info] Accepted password for f998505 from 130.21.163.43 port 38296 ssh2
Nov 8 18:25:35 FFTUST2001 sshd[5618]: [ID 833576 auth.debug] pam_setcred: error Permission denied
---
Nov 8 18:26:07 FFTUST2001 sshd[5648]: [ID 888916 auth.debug] unix pam_sm_authenticate(sshd f998505), flags = 0
Nov 8 18:26:08 FFTUST2001 sshd[5648]: [ID 308033 auth.debug] pam_acct_mgmt: error Get new authentication token
Nov 8 18:26:08 FFTUST2001 sshd[5648]: [ID 800047 auth.info] Accepted password for f998505 from 130.21.163.43 port 38299 ssh2
Nov 8 18:26:08 FFTUST2001 sshd[5650]: [ID 618257 auth.debug] unix pam_sm_chauthtok(): prelim check
Nov 8 18:26:08 FFTUST2001 sshd[5650]: [ID 288048 auth.debug] pam_sm_chauthtok: System password aged
Nov 8 18:26:08 FFTUST2001 sshd[5650]: [ID 651162 auth.debug] unix_sm_chauthtok(): update passwords
Nov 8 18:26:08 FFTUST2001 sshd[5650]: [ID 801703 auth.debug] unix_sm_chauthtok: default
Nov 8 18:26:08 FFTUST2001 sshd[5650]: [ID 276273 auth.debug] unix_sm_chauthtok: uid = 0, euid = 0
Nov 8 18:26:08 FFTUST2001 sshd[5650]: [ID 803388 auth.debug] number of services is 1
Nov 8 18:26:08 FFTUST2001 sshd[5650]: [ID 240311 auth.debug] unix pam_sm_chauthtok(): repository: files after get_ns()
Nov 8 18:26:08 FFTUST2001 sshd[5650]: [ID 814557 auth.debug] ck_perm() called: repository=files
Nov 8 18:26:08 FFTUST2001 sshd[5650]: [ID 555593 auth.debug] PAM: verify_old_passwd: start: uid = 1590, privileged = 0
Nov 8 18:26:08 FFTUST2001 sshd[5650]: [ID 319219 auth.debug] verify_old_passwd(): repository is files
Nov 8 18:26:08 FFTUST2001 sshd[5650]: [ID 485903 auth.debug] try_first_pass = 0, use_first_pass = 0
Nov 8 18:26:11 FFTUST2001 sshd[5651]: [ID 862941 auth.debug] turn: maxdate == -7, mindate == -1
Nov 8 18:26:11 FFTUST2001 sshd[5650]: [ID 125209 auth.debug] pam_chauthtok: error Unknown error
Nov 8 18:26:11 FFTUST2001 sshd[5650]: [ID 800047 auth.crit] fatal: PAM pam_chauthtok failed[-1]: Unknown error
Nov 8 18:26:11 FFTUST2001 sshd[5650]: [ID 833576 auth.debug] pam_setcred: error Permission denied
Nov 8 18:26:11 FFTUST2001 sshd[5648]: [ID 833576 auth.debug] pam_setcred: error Permission denied

> -----Original Message-----
> From: Ed Phillips [SMTP:ed at UDel.Edu]
> Sent: Thursday, November 08, 2001 19:17
> To: Dost, Alexander
> Cc: openssh-unix-dev at mindrot.org
> Subject: RE: OpenSSH3.0p1/PAM/Sol8
>
> Can you try adding the "debug" option to the sshd lines in /etc/pam.conf?
> Also, make sure syslogd is gathering the messages for auth.err, auth.info,
> auth.debug, auth.alert, and auth.crit. Maybe something will show up in
> the logs to pinpoint where pam_sm_chauthtok() is failing. It's odd,
> because it should never return -1 - only valid PAM_XXXX error codes (which
> are >= 0), according to "man pam_sm_chauthtok". Strange...
>
> Ed
>
> On Thu, 8 Nov 2001, Dost, Alexander wrote:
>
> > Date: Thu, 8 Nov 2001 18:47:01 +0100
> > From: "Dost, Alexander" <Alexander.Dost at drkw.com>
> > To: 'Ed Phillips' <ed at UDel.Edu>
> > Cc: openssh-unix-dev at mindrot.org
> > Subject: RE: OpenSSH3.0p1/PAM/Sol8
> >
> > Yes, I get the error messages (illegal option shadow/nodelay).
> > I removed the entry and, as you said, they are just ignored, nothing
> > changed.
> > One additional piece of information: If I use NIS+ for password
> > authentication/changing, all works fine.
> >
> > Alex
>
> Ed Phillips <ed at udel.edu> University of Delaware (302) 831-6082
> Systems Programmer III, Network and Systems Services
> finger -l ed at polycut.nss.udel.edu for PGP public key
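Reading the auth.debug output above by hand is tedious once there is more than one sshd process in it, since the authenticating process (5648) and the one doing the password change (5650) interleave. The following is an added example written for this thread, not code from OpenSSH or any of the posters: it parses lines of the syslog form sshd emits on Solaris 8, groups them by sshd pid, records the pam_* calls each process made in order, and reports the first fatal PAM error together with the return value sshd logged and whether that value is even a legal PAM return code (PAM_SUCCESS is 0 and every PAM_* error code is positive, which is Ed's point about the -1). The regular expressions and SAMPLE_LOG, a constructed subset of the 18:26 run Alex posted, are this example's own assumptions.

```python
"""Reconstruct the PAM call sequence per sshd process from syslog lines.

Added example for this thread; not part of OpenSSH. It groups auth.* lines by
sshd pid, tracks the pam_* / pam_sm_* calls each process logged, and reports
the first "fatal: PAM <func> failed[<rc>]" per process together with the calls
that preceded it.
"""
import re

# Solaris syslog line as sshd writes it: timestamp, host, "sshd[pid]:",
# the "[ID nnnnnn facility.level]" tag, then the message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"\[ID \d+ (?P<facility>\w+)\.(?P<level>\w+)\] (?P<msg>.*)$"
)
# A PAM API or module entry point named in a message, e.g. pam_acct_mgmt,
# pam_sm_chauthtok, pam_setcred.
CALL_RE = re.compile(r"\b(pam_(?:sm_)?[a-z_]+)\b")
# sshd's fatal() message for a failed PAM call, with the raw return value.
FATAL_RE = re.compile(r"fatal: PAM (?P<func>pam_\w+) failed\[(?P<rc>-?\d+)\]: (?P<reason>.*)")

# PAM_SUCCESS is 0 and every PAM_* error code is a small positive integer, so
# a negative value was never produced by the PAM API as a return code.
PAM_SUCCESS = 0

# Constructed sample: the 18:26 attempt from the thread, reduced to the lines
# this parser looks at (timestamps kept as syslog writes them).
SAMPLE_LOG = """\
Nov  8 18:26:07 FFTUST2001 sshd[5648]: [ID 888916 auth.debug] unix pam_sm_authenticate(sshd f998505), flags = 0
Nov  8 18:26:08 FFTUST2001 sshd[5648]: [ID 308033 auth.debug] pam_acct_mgmt: error Get new authentication token
Nov  8 18:26:08 FFTUST2001 sshd[5648]: [ID 800047 auth.info] Accepted password for f998505 from 130.21.163.43 port 38299 ssh2
Nov  8 18:26:08 FFTUST2001 sshd[5650]: [ID 618257 auth.debug] unix pam_sm_chauthtok(): prelim check
Nov  8 18:26:08 FFTUST2001 sshd[5650]: [ID 288048 auth.debug] pam_sm_chauthtok: System password aged
Nov  8 18:26:08 FFTUST2001 sshd[5650]: [ID 555593 auth.debug] PAM: verify_old_passwd: start: uid = 1590, privileged = 0
Nov  8 18:26:11 FFTUST2001 sshd[5650]: [ID 125209 auth.debug] pam_chauthtok: error Unknown error
Nov  8 18:26:11 FFTUST2001 sshd[5650]: [ID 800047 auth.crit] fatal: PAM pam_chauthtok failed[-1]: Unknown error
Nov  8 18:26:11 FFTUST2001 sshd[5650]: [ID 833576 auth.debug] pam_setcred: error Permission denied
Nov  8 18:26:11 FFTUST2001 sshd[5648]: [ID 833576 auth.debug] pam_setcred: error Permission denied
"""


def parse_log(text):
    """Return {pid: [(level, msg), ...]} in log order; lines that are not
    sshd syslog lines are skipped rather than treated as errors."""
    by_pid = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        by_pid.setdefault(int(m.group("pid")), []).append((m.group("level"), m.group("msg")))
    return by_pid


def diagnose(by_pid):
    """For every pid whose log contains a fatal PAM error, return a dict with
    the failing function, its raw return code, whether that code lies in the
    PAM_* range, and the distinct PAM calls logged before the failure."""
    findings = []
    for pid, lines in sorted(by_pid.items()):
        seen = []
        for level, msg in lines:
            f = FATAL_RE.search(msg)
            if f:
                rc = int(f.group("rc"))
                findings.append({
                    "pid": pid,
                    "func": f.group("func"),
                    "rc": rc,
                    "valid_pam_code": rc >= PAM_SUCCESS,
                    "reason": f.group("reason"),
                    "preceding_calls": list(seen),
                })
                break  # only the first fatal per process matters
            c = CALL_RE.search(msg)
            if c and (not seen or seen[-1] != c.group(1)):
                seen.append(c.group(1))  # collapse repeated entries of one call
    return findings


if __name__ == "__main__":
    for f in diagnose(parse_log(SAMPLE_LOG)):
        print("sshd[%d]: %s returned %d (%s) after %s; valid PAM code: %s" % (
            f["pid"], f["func"], f["rc"], f["reason"],
            " -> ".join(f["preceding_calls"]) or "nothing", f["valid_pam_code"]))
```

On the sample this isolates pid 5650 as the failing process, shows that pam_sm_chauthtok() was entered (so the sshd password stack in pam.conf was reached) before pam_chauthtok() came back with -1, and flags -1 as outside the PAM_* range, which is the anomaly Ed points at. The pam_setcred "Permission denied" lines after the fatal are not the cause; they also appear in the successful 18:25 login.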