openssh unix dev - Oct 2003 - issue with 3.7.1p2

Hello,

I have recently download and compiled version 3.7.1p2 of openssh, but am
having authentication issues with it.  I have been using 3.6.1p1 with no
problems.  Both versions were compiled on the same Solaris 8 host.  That
host uses ldap for its name service.  Both were compiled using the same
openssh config options:

--prefix=/opt/openssh --with-pam --with-zlib=/opt/openssh/lib

However, the 3.7.1p2 version will not let me (as a regular user) login.
I get the all-too-familiar error:

Permission denied (publickey,password,keyboard-interactive)

I did the compiles the exact same way.  Why would one compile work, but
not the other?  I would like to migrate to the newer version, since it
has some security fixes.  Is there something I need to do during
compile, or is this a runtime configuration thing?

Thanks in advance,
Steve

--

Steve "Wheat" Belt              Motorola, Inc.
Steve.Belt at motorola.com         6501 William Cannon Dr. West, MD OE341
512-895-2268                    Austin, TX 78735

If you are using pam please go into your sshd_config and put in:

UsePam yes

- Ben

On Tue, 21 Oct 2003, Steve Belt (rgpg70) wrote:
> Hello,
>
> I have recently download and compiled version 3.7.1p2 of openssh, but am
> having authentication issues with it.  I have been using 3.6.1p1 with no
> problems.  Both versions were compiled on the same Solaris 8 host.  That
> host uses ldap for its name service.  Both were compiled using the same
> openssh config options:
>
> --prefix=/opt/openssh --with-pam --with-zlib=/opt/openssh/lib
>
> However, the 3.7.1p2 version will not let me (as a regular user) login.
> I get the all-too-familiar error:
>
> Permission denied (publickey,password,keyboard-interactive)
>
> I did the compiles the exact same way.  Why would one compile work, but
> not the other?  I would like to migrate to the newer version, since it
> has some security fixes.  Is there something I need to do during
> compile, or is this a runtime configuration thing?
>
> Thanks in advance,
> Steve
>
> --
>
> Steve "Wheat" Belt              Motorola, Inc.
> Steve.Belt at motorola.com         6501 William Cannon Dr. West, MD OE341
> 512-895-2268                    Austin, TX 78735
>
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>

Hi Ben,

Thanks for the reply.  I assumed that since the defaults (according to the
header in the
sshd_config file) were commented out, UsePAM was already being utilized,
since the file contained the line "#UsePAM yes."  I went ahead and
uncommented the line anyway and it now works.  I wonder if the other
"defaults" are incorrect as well?  Anyway, thanks for the info.  Saved
a lot
of headaches!

Cheers,
Steve

Ben Lindstrom wrote:
> If you are using pam please go into your sshd_config and put in:
>
> UsePam yes
>
> - Ben
>
> On Tue, 21 Oct 2003, Steve Belt (rgpg70) wrote:
>
> > Hello,
> >
> > I have recently download and compiled version 3.7.1p2 of openssh, but
am
> > having authentication issues with it.  I have been using 3.6.1p1 with
no
> > problems.  Both versions were compiled on the same Solaris 8 host. 
That
> > host uses ldap for its name service.  Both were compiled using the
same
> > openssh config options:
> >
> > --prefix=/opt/openssh --with-pam --with-zlib=/opt/openssh/lib
> >
> > However, the 3.7.1p2 version will not let me (as a regular user)
login.
> > I get the all-too-familiar error:
> >
> > Permission denied (publickey,password,keyboard-interactive)
> >
> > I did the compiles the exact same way.  Why would one compile work,
but
> > not the other?  I would like to migrate to the newer version, since it
> > has some security fixes.  Is there something I need to do during
> > compile, or is this a runtime configuration thing?
> >
> > Thanks in advance,
> > Steve
> >
> > --
> >
> > Steve "Wheat" Belt              Motorola, Inc.
> > Steve.Belt at motorola.com         6501 William Cannon Dr. West, MD
OE341
> > 512-895-2268                    Austin, TX 78735
> >
> >
> > _______________________________________________
> > openssh-unix-dev mailing list
> > openssh-unix-dev at mindrot.org
> > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
> >
--

Steve "Wheat" Belt              Motorola, Inc.
Steve.Belt at motorola.com         6501 William Cannon Dr. West, MD OE341
512-895-2268                    Austin, TX 78735

No that is the only incorrect default.  It was missed in a last minute
change before p2 release where we decided PAM (like Kerb, etc) are not to
be enabled by default.

The sshd_config has been corrected in the current CVS tree.

- Ben

On Tue, 21 Oct 2003, Steve Belt (rgpg70) wrote:
> Hi Ben,
>
> Thanks for the reply.  I assumed that since the defaults (according to the
> header in the
> sshd_config file) were commented out, UsePAM was already being utilized,
> since the file contained the line "#UsePAM yes."  I went ahead
and
> uncommented the line anyway and it now works.  I wonder if the other
> "defaults" are incorrect as well?  Anyway, thanks for the info. 
Saved a lot
> of headaches!
>
> Cheers,
> Steve
>
> Ben Lindstrom wrote:
>
> > If you are using pam please go into your sshd_config and put in:
> >
> > UsePam yes
> >
> > - Ben
> >
> > On Tue, 21 Oct 2003, Steve Belt (rgpg70) wrote:
> >
> > > Hello,
> > >
> > > I have recently download and compiled version 3.7.1p2 of openssh,
but am
> > > having authentication issues with it.  I have been using 3.6.1p1
with no
> > > problems.  Both versions were compiled on the same Solaris 8
host.  That
> > > host uses ldap for its name service.  Both were compiled using
the same
> > > openssh config options:
> > >
> > > --prefix=/opt/openssh --with-pam --with-zlib=/opt/openssh/lib
> > >
> > > However, the 3.7.1p2 version will not let me (as a regular user)
login.
> > > I get the all-too-familiar error:
> > >
> > > Permission denied (publickey,password,keyboard-interactive)
> > >
> > > I did the compiles the exact same way.  Why would one compile
work, but
> > > not the other?  I would like to migrate to the newer version,
since it
> > > has some security fixes.  Is there something I need to do during
> > > compile, or is this a runtime configuration thing?
> > >
> > > Thanks in advance,
> > > Steve
> > >
> > > --
> > >
> > > Steve "Wheat" Belt              Motorola, Inc.
> > > Steve.Belt at motorola.com         6501 William Cannon Dr. West,
MD OE341
> > > 512-895-2268                    Austin, TX 78735
> > >
> > >
> > > _______________________________________________
> > > openssh-unix-dev mailing list
> > > openssh-unix-dev at mindrot.org
> > > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
> > >
>
> --
>
> Steve "Wheat" Belt              Motorola, Inc.
> Steve.Belt at motorola.com         6501 William Cannon Dr. West, MD OE341
> 512-895-2268                    Austin, TX 78735
>
>
>

Ben,

Now that I have set "UsePAM yes" I am seeing another issue.  When a
user types in
the wrong password, there is a long delay and then the message "Connection
closed" appears.  With 3.6.1p1, a wrong password would result in an
immediate
message "Permission denied, please try again" and the user would be
asked to
re-enter the password.  I can reduce the delay by setting
"LoginGraceTime" to
some smaller number, but why does the connection close instead of asking for
another password?

Cheers,
Steve

Ben Lindstrom wrote:
> No that is the only incorrect default.  It was missed in a last minute
> change before p2 release where we decided PAM (like Kerb, etc) are not to
> be enabled by default.
>
> The sshd_config has been corrected in the current CVS tree.
>
> - Ben
>
> On Tue, 21 Oct 2003, Steve Belt (rgpg70) wrote:
>
> > Hi Ben,
> >
> > Thanks for the reply.  I assumed that since the defaults (according to
the
> > header in the
> > sshd_config file) were commented out, UsePAM was already being
utilized,
> > since the file contained the line "#UsePAM yes."  I went
ahead and
> > uncommented the line anyway and it now works.  I wonder if the other
> > "defaults" are incorrect as well?  Anyway, thanks for the
info.  Saved a lot
> > of headaches!
> >
> > Cheers,
> > Steve
> >
> > Ben Lindstrom wrote:
> >
> > > If you are using pam please go into your sshd_config and put in:
> > >
> > > UsePam yes
> > >
> > > - Ben
> > >
> > > On Tue, 21 Oct 2003, Steve Belt (rgpg70) wrote:
> > >
> > > > Hello,
> > > >
> > > > I have recently download and compiled version 3.7.1p2 of
openssh, but am
> > > > having authentication issues with it.  I have been using
3.6.1p1 with no
> > > > problems.  Both versions were compiled on the same Solaris 8
host.  That
> > > > host uses ldap for its name service.  Both were compiled
using the same
> > > > openssh config options:
> > > >
> > > > --prefix=/opt/openssh --with-pam
--with-zlib=/opt/openssh/lib
> > > >
> > > > However, the 3.7.1p2 version will not let me (as a regular
user) login.
> > > > I get the all-too-familiar error:
> > > >
> > > > Permission denied (publickey,password,keyboard-interactive)
> > > >
> > > > I did the compiles the exact same way.  Why would one
compile work, but
> > > > not the other?  I would like to migrate to the newer
version, since it
> > > > has some security fixes.  Is there something I need to do
during
> > > > compile, or is this a runtime configuration thing?
> > > >
> > > > Thanks in advance,
> > > > Steve
> > > >
> > > > --
> > > >
> > > > Steve "Wheat" Belt              Motorola, Inc.
> > > > Steve.Belt at motorola.com         6501 William Cannon Dr.
West, MD OE341
> > > > 512-895-2268                    Austin, TX 78735
> > > >
> > > >
> > > > _______________________________________________
> > > > openssh-unix-dev mailing list
> > > > openssh-unix-dev at mindrot.org
> > > > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
> > > >
> >
> > --
> >
> > Steve "Wheat" Belt              Motorola, Inc.
> > Steve.Belt at motorola.com         6501 William Cannon Dr. West, MD
OE341
> > 512-895-2268                    Austin, TX 78735
> >
> >
> >
--

Steve "Wheat" Belt              Motorola, Inc.
Steve.Belt at motorola.com         6501 William Cannon Dr. West, MD OE341
512-895-2268                    Austin, TX 78735

Hello,

I sent this a couple of weeks ago, but got no response.  I can only
assume that nobody has experienced this problem.  Anyway, I thought I
would try again just in case.  As a preface, this was compiled and is
running on a Solaris 8 system that uses ldap as its name service.  The
"--with-pam" switch was used during config and "UsePam yes"
is in the
sshd_config file.  Here is the issue:

When a user types in the wrong password, there is a long delay and then
the message "Connection closed" appears.  With 3.6.1p1, a wrong
password
would result in an immediate message "Permission denied, please try
again" and the user would be asked to re-enter the password.  I can
reduce the delay by setting "LoginGraceTime" to some smaller number,
but
why does the connection close instead of asking for another password?

BTW, this does not happen on a Solaris 8 system that uses nis as its
name service.  The behavior is as expected, with the user being asked to
re-enter the password.

Any help would be appreciated.

Thanks,
Steve

--

Steve "Wheat" Belt              Motorola, Inc.
Steve.Belt at motorola.com         6501 William Cannon Dr. West, MD OE341
512-895-2268                    Austin, TX 78735