----- Forwarded message from Andrea Barisani <lcars at infis.univ.trieste.it> -----

Date: Fri, 2 May 2003 14:01:33 +0200
From: Andrea Barisani <lcars at infis.univ.trieste.it>
To: openssh at openssh.com
Subject: openssh 3.6.1_p2 problem with pam

Hi, I've just updated to openssh 3.6.1_p2 and I notice this behaviour:

# ssh -l lcars mybox
[2 seconds delay]
lcars at mybox's password:

In the logs I have:

May 2 13:57:11 sole sshd(pam_unix)[19663]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=homer.infis.univ.trieste.it user=lcars
May 2 13:57:13 sole sshd(pam_unix)[19665]: session opened for user lcars by (uid=817)

The first line is logged _before_ sshd prompts for the password and that's the
cause of the delay since I'm not using nodelay option in system-auth.

The second one is logged after I enter the correct password.

I don't suppose that this is a correct behaviour, what do you think?

Thanks a lot.

Bye

--
------------------------------------------------------------
INFIS Network Administrator & Security Officer         .*.
Department of Physics - University of Trieste          /V\
lcars at infis.univ.trieste.it - PGP Key 0x8E21FE82    (/ \)
----------------------------------------------------   (   )
"How would you know I'm mad?" said Alice.              ^^-^^
"You must be,'said the Cat,'or you wouldn't have come here."
------------------------------------------------------------

I saw a similar problem with 3.6.1p2 when using PAM on HP UX 11.0.
Rather than a 2 second delay, it got a segfault.

This got around the problem, but it is not clear why this code which was
in 3.5 was deleted. The PAM code is being called with a password=""
for some reason, then looks like it is called again later for real.

I still have problems with passwords on HP, but Solaris works,
so this is not the total solution.

*** ,auth-pam.c Wed Apr 30 10:04:21 2003 --- auth-pam.c Thu May 1 14:12:46 2003 *************** *** 210,215 **** --- 210,227 ---- do_pam_set_conv(&conv); + #if defined(__hpux) + /* add back this from 3.5 PAM on HP 11.0 segfaults + * with password="" */ + /* deny if no user. */ + if (pw == NULL) + return 0; + if (pw->pw_uid == 0 && options.permit_root_login == PERMIT_NO_PASSWD) + return 0; + if (*password == '\0' && options.permit_empty_passwd == 0) + return 0; + #endif /* __hpux */ + __pampasswd = password; pamstate = INITIAL_LOGIN;

Andrea Barisani wrote:
>
> ----- Forwarded message from Andrea Barisani <lcars at infis.univ.trieste.it> -----
>
> Date: Fri, 2 May 2003 14:01:33 +0200
> From: Andrea Barisani <lcars at infis.univ.trieste.it>
> To: openssh at openssh.com
> Subject: openssh 3.6.1_p2 problem with pam
>
> Hi, I've just updated to openssh 3.6.1_p2 and I notice this behaviour:
>
> # ssh -l lcars mybox
> [2 seconds delay]
> lcars at mybox's password:
>
> In the logs I have:
>
> May 2 13:57:11 sole sshd(pam_unix)[19663]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=homer.infis.univ.trieste.it user=lcars
> May 2 13:57:13 sole sshd(pam_unix)[19665]: session opened for user lcars by (uid=817)
>
> The first line is logged _before_ sshd prompts for the password and that's the
> cause of the delay since I'm not using nodelay option in system-auth.
>
> The second one is logged after I enter the correct password.
>
> I don't suppose that this is a correct behaviour, what do you think?
>
> Thanks a lot.
>
> Bye
>
> --
> ------------------------------------------------------------
> INFIS Network Administrator & Security Officer         .*.
> Department of Physics - University of Trieste          /V\
> lcars at infis.univ.trieste.it - PGP Key 0x8E21FE82    (/ \)
> ----------------------------------------------------   (   )
> "How would you know I'm mad?" said Alice.              ^^-^^
> "You must be,'said the Cat,'or you wouldn't have come here."
> ------------------------------------------------------------
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
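
Review bot: the `#if defined(__hpux)` guard around the restored checks in auth-pam.c makes three policy decisions (no `pw`, root with `PERMIT_NO_PASSWD`, empty password with `permit_empty_passwd == 0`) apply on HP-UX only, although none of them is platform-specific; if the checks are right they belong outside the conditional, and if they exist only to avoid the crash the comment should say which PAM call faults. The early return also hides the segfault seen with password="" rather than explaining it, and `*password` is dereferenced with no NULL check in the lines shown, so a `password != NULL` test ahead of it would be safer.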

Hi!

On Fri, May 02, 2003 at 08:37:27AM -0500, Douglas E. Engert wrote:
> I saw a similar problem with 3.6.1p2 when using PAM on HP UX 11.0
> Rather than a 2 second delay, it got a segfault.
>
> This got around the problem, but it is not clear why this code which was
> in 3.5 was deleted. The PAM code is being called with a password=""
> for some reason, then looks like it is called again later for real.
>
> I still have problems with passwords on HP, but Solaris works,
> so this is not the total solution.

Simply setting

PermitEmptyPasswords no

in sshd_config is not enough?

Ciao

Thomas

Thomas Binder wrote:
>
> Hi!
>
> On Fri, May 02, 2003 at 08:37:27AM -0500, Douglas E. Engert wrote:
> > I saw a similar problem with 3.6.1p2 when using PAM on HP UX 11.0
> > Rather than a 2 second delay, it got a segfault.
> >
> > This got around the problem, but it is not clear why this code which was
> > in 3.5 was deleted. The PAM code is being called with a password=""
> > for some reason, then looks like it is called again later for real.
> >
> > I still have problems with passwords on HP, but Solaris works,
> > so this is not the total solution.
>
> Simply setting
>
> PermitEmptyPasswords no
>
> in sshd_config is not enough?

It does not appear so. The default is no, and that is what is set.
I was pointing out that some code was changed, which could have
caused the PAM to be called with "" which did not appear to be the
case in 3.5. I was wondering why this was removed.

The segfault I am getting appears to come from not being able to load
one of my PAM modules, pam_krb5. If I can figure this out, I will go
back and try without the change.

>
> Ciao
>
> Thomas
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

On Fri, May 02, 2003 at 02:03:52PM +0200, Andrea Barisani wrote:
> I don't suppose that this is a correct behaviour, what do you think?

Yes, it's not correct behavior. However, this isn't new to 3.6.1. Not
sure why you're only seeing it now.

This should help you out:

--- openssh/auth1.c Sun Feb 23 16:59:27 2003 +++ openssh/auth1.c Thu May 1 22:27:29 2003 @@ -80,7 +80,7 @@ authctxt->valid ? "" : "illegal user ", authctxt->user); /* If the user has no password, accept authentication immediately. */ - if (options.password_authentication && + if (options.password_authentication && options.permit_empty_passwd && #if defined(KRB4) || defined(KRB5) (!options.kerberos_authentication || options.kerberos_or_local_passwd) && #endif --- openssh/auth2-none.c Tue Apr 29 02:12:08 2003 +++ openssh/auth2-none.c Thu May 1 22:27:29 2003 @@ -100,6 +100,25 @@ if (check_nt_auth(1, authctxt->pw) == 0) return(0); #endif + + /* + * REDACTED + * REDACTED + * REDACTED + * REDACTED + * REDACTED + * REDACTED + * REDACTED + * REDACTED + * REDACTED + * REDACTED + * REDACTED + * REDACTED + * REDACTED + */ + if (!options.permit_empty_passwd) + return(0); + return PRIVSEP(auth_password(authctxt, "")) && authctxt->valid; }
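
Review bot: in the auth1.c hunk the comment above the changed condition still reads "If the user has no password, accept authentication immediately", but with `options.permit_empty_passwd &&` added the branch is skipped entirely unless empty passwords are permitted, so the comment should state that precondition. The changed line also runs much longer than the lines around it; breaking it after `options.password_authentication &&` would keep the condition readable next to the `#if defined(KRB4) || defined(KRB5)` block that follows.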
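
Review bot: in the auth2-none.c hunk the new early return `if (!options.permit_empty_passwd) return(0);` sits under a comment block whose every line is the placeholder REDACTED, so the reason for skipping `auth_password(authctxt, "")` is not recorded anywhere in the change. The comment should say that the empty-password attempt is made only when empty passwords are permitted, and that 'none' authentication therefore fails for every account otherwise, or the block should be dropped.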

OK, here is my take on how PAM flow should go, in pseudocode, with #ifdef
commentary on where openssh-3.6.1p2 strays. I've just submitted a patch

http://bugzilla.mindrot.org/show_bug.cgi?id=559
http://bugzilla.mindrot.org/attachment.cgi?id=289&action=view

which addresses some of the problems below.

The description below isn't as readable as I had hoped, but at least it
does show PAM behavior as a single flow of control; whereas in openssh
you'll have to look into a number of files.

#ifdef OPENSSH
    pw = getpwbynam(user);
    pamh = pam_start(service, pw ? user : "NOUSER", ...);
#else
    pamh = pam_start(service, user, ...);
#endif

    if (options.permit_empty_password)
        pam_auth_flags = 0;
    else
        pam_auth_flags = PAM_DISALLOW_NULL_AUTHTOK;

    if (protocol == 1) {
        if (password_auth_enabled()) {
            /* kludge */
            set_conv(non_interactive_conv_func);
#ifdef OPENSSH
            {
#else
            if (options.permit_empty_password) {
#endif
                /*
                 * Need to do this because of a password_auth deficiency: the
                 * client prompts for the password before the server asks for it.
                 * This breaks "don't prompt on null password" expected behavior.
                 *
                 * Results in a spurious pam log for accounts with password. :-(
                 * And is just plain broken, for the general case--consider
                 * a PAM module that only allows x attempts in y secs.
                 */
                set_password("");
#ifdef OPENSSH
                /*
                 * NB: pam_auth_flags might be PAM_DISALLOW_NULL_AUTHTOK,
                 * in which case this call to pam_authenticate() is pointless.
                 * See above, where we test options.permit_empty_password first.
                 */
#endif
                pam_authenticate(pamh, pam_auth_flags);
                if (authenticated)
                    goto pam_account;
            }
            set_password(get_password());
            pam_authenticate(pamh, pam_auth_flags);
        }
    }

    if ("none" authentication) { /* protocol 2 does this first */
#ifdef OPENSSH
        {
#else
        if (password_auth_enabled() && options.permit_empty_password) {
        /* kbdint handles this itself */
#endif
            set_conv(non_interactive_conv_func);
            set_password("");
#ifdef OPENSSH
            /* see comment about pam_auth_flags, above */
#endif
            pam_authenticate(pamh, pam_auth_flags);
            if (authenticated)
                goto pam_account;
        }
    }

    if (is_password_auth || is_kbd_int_auth) {
        if (is_password_auth)
            set_conv(non_interactive_conv_func);
        else
            set_conv(interactive_conv_function);
#ifdef OPENSSH
        /* NB: Ignores setting of options.permit_empty_password */
        if (protocol == 2)
            pam_auth_flags = 0;
#endif
        pam_authenticate(pamh, pam_auth_flags);
        if (!authenticated)
            return failure;
    }

pam_account:
    r = pam_acct_mgmt(pamh, pam_auth_flags);
    if (r == PAM_SUCCESS)
        return success;
#ifndef OPENSSH
    if (r != PAM_NEW_AUTHTOK_REQD)
#endif
        /* NB: OPENSSH notes below don't matter since we fail here */
        return failure;

    /* new password required */
    if (is_password_auth) {
        /* password_auth deficiency, argh */
        flag_password_change_needed();
        return success;
    }
    if (is_kbd_int_auth) {
#ifdef OPENSSH
        /* password_auth deficiency, not a kbd_int deficiency, argh! */
        flag_password_change_needed();
        return success;
#else
        /* PAM_CHANGE_EXPIRED_AUTHTOK is iffy */
        return ((pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK) == 0) ? success : failure);
#endif
    }
    /* non password, non kbd-int, but password expired ... a tough call */
    return success;

In addition to the parts noted above, additional bugs:

- #if 0'd out code for pam_chauthtok && privsep, even though it works
  correctly for non-privsep, AFAIK (auth-pam.c:251; auth-pam.c:347)
- extraneous failure message for 'none' auth (noise)
- PAM_TEXT_INFO and PAM_ERROR_MSG messages are aggregated rather than
  passed to the client in order; if the conversation is *only*
  PAM_TEXT_INFO and PAM_ERROR_MSG messages the client doesn't see them
  at all, for kbdint
- do_pam_conversation_kbd_int() leaks char *text
- protocol 2 assumes client will do 'none' authentication
- kbdint authentication cannot be abandoned
- user:style is not supported by the ietf-drafts

/fc
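
The cost of the unconditional empty-password probe in the flow above, as an added example that is not part of the original post or of OpenSSH: a constructed mock PAM stack (`mock_pam`, `mock_authenticate` and `login` are hypothetical names) counts how many authentication attempts and logged failures one correct password login produces with and without the `permit_empty_password` gate.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a PAM stack; all names here are hypothetical. */
struct mock_pam {
    const char *stored; /* account password, "" means no password set */
    int calls;          /* authentication attempts made */
    int failures;       /* attempts that would log "authentication failure" */
};

/* Models pam_authenticate(); disallow_null plays PAM_DISALLOW_NULL_AUTHTOK. */
static int mock_authenticate(struct mock_pam *p, const char *pw, int disallow_null)
{
    p->calls++;
    if ((*p->stored == '\0' && disallow_null) || strcmp(pw, p->stored) != 0) {
        p->failures++;  /* a real stack would also apply its fail delay here */
        return 0;
    }
    return 1;
}

/*
 * One password login. gate_probe == 0 always tries "" first (the OPENSSH
 * branch of the pseudocode); gate_probe == 1 tries it only when empty
 * passwords are permitted (the #else branch).
 */
static int login(struct mock_pam *p, const char *typed, int permit_empty, int gate_probe)
{
    int disallow_null = !permit_empty;

    if (!gate_probe || permit_empty) {
        if (mock_authenticate(p, "", disallow_null))
            return 1;   /* passwordless account: accepted without a prompt */
    }
    return mock_authenticate(p, typed, disallow_null);
}

int main(void)
{
    struct mock_pam ungated = { "s3cret", 0, 0 }, gated = { "s3cret", 0, 0 };

    login(&ungated, "s3cret", 0, 0);
    login(&gated, "s3cret", 0, 1);
    printf("ungated: calls=%d failures=%d\n", ungated.calls, ungated.failures);
    printf("gated:   calls=%d failures=%d\n", gated.calls, gated.failures);
    return 0;
}
```

The one failure counted in the ungated case corresponds to the pam_unix "authentication failure" line and the delay reported at the start of the thread; a PAM module that limits attempts per time window would count it against the user as well.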