Hello,

I have recently downloaded and compiled version 3.7.1p2 of openssh, but am
having authentication issues with it. I have been using 3.6.1p1 with no
problems. Both versions were compiled on the same Solaris 8 host. That
host uses ldap for its name service. Both were compiled using the same
openssh config options:

--prefix=/opt/openssh --with-pam --with-zlib=/opt/openssh/lib

However, the 3.7.1p2 version will not let me (as a regular user) login.
I get the all-too-familiar error:

Permission denied (publickey,password,keyboard-interactive)

I did the compiles the exact same way. Why would one compile work, but
not the other? I would like to migrate to the newer version, since it
has some security fixes. Is there something I need to do during
compile, or is this a runtime configuration thing?

Thanks in advance,
Steve

--
Steve "Wheat" Belt
Motorola, Inc.
Steve.Belt at motorola.com
6501 William Cannon Dr. West, MD OE341
512-895-2268
Austin, TX 78735

If you are using pam please go into your sshd_config and put in:

UsePam yes

- Ben

On Tue, 21 Oct 2003, Steve Belt (rgpg70) wrote:

> Hello,
>
> I have recently downloaded and compiled version 3.7.1p2 of openssh, but am
> having authentication issues with it. I have been using 3.6.1p1 with no
> problems. Both versions were compiled on the same Solaris 8 host. That
> host uses ldap for its name service. Both were compiled using the same
> openssh config options:
>
> --prefix=/opt/openssh --with-pam --with-zlib=/opt/openssh/lib
>
> However, the 3.7.1p2 version will not let me (as a regular user) login.
> I get the all-too-familiar error:
>
> Permission denied (publickey,password,keyboard-interactive)
>
> I did the compiles the exact same way. Why would one compile work, but
> not the other? I would like to migrate to the newer version, since it
> has some security fixes. Is there something I need to do during
> compile, or is this a runtime configuration thing?
>
> Thanks in advance,
> Steve

Hi Ben,

Thanks for the reply. I assumed that since the defaults (according to the
header in the sshd_config file) were commented out, UsePAM was already being
utilized, since the file contained the line "#UsePAM yes." I went ahead and
uncommented the line anyway and it now works. I wonder if the other
"defaults" are incorrect as well? Anyway, thanks for the info. Saved a lot
of headaches!

Cheers,
Steve

Ben Lindstrom wrote:

> If you are using pam please go into your sshd_config and put in:
>
> UsePam yes
>
> - Ben

--
Steve "Wheat" Belt
Motorola, Inc.
Steve.Belt at motorola.com
6501 William Cannon Dr. West, MD OE341
512-895-2268
Austin, TX 78735

No that is the only incorrect default. It was missed in a last minute
change before p2 release where we decided PAM (like Kerb, etc) are not to
be enabled by default.

The sshd_config has been corrected in the current CVS tree.

- Ben

On Tue, 21 Oct 2003, Steve Belt (rgpg70) wrote:

> Hi Ben,
>
> Thanks for the reply. I assumed that since the defaults (according to the
> header in the sshd_config file) were commented out, UsePAM was already being
> utilized, since the file contained the line "#UsePAM yes." I went ahead and
> uncommented the line anyway and it now works. I wonder if the other
> "defaults" are incorrect as well? Anyway, thanks for the info. Saved a lot
> of headaches!
>
> Cheers,
> Steve
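
The pitfall discussed above (a "#Keyword value" line in sshd_config is only a comment, so sshd falls back to whatever default was compiled in) can be checked for directly. The following is an added example, not part of the original thread or of OpenSSH; the function names and the sample file are constructed, and it assumes the sample-config convention that a default is written as "#Keyword value" with no space after the "#".

```shell
#!/bin/sh
# Report how a keyword is set in an sshd_config-style file. Prints one of:
#   explicit <value>   an uncommented line sets it (sshd uses the first one)
#   commented <value>  only a "#Keyword value" line exists; sshd ignores it
#                      and uses the default that was compiled in
#   absent             the keyword does not appear at all
sshd_keyword_state() {
    file=$1
    keyword=$2
    awk -v kw="$keyword" '
        BEGIN { kw = tolower(kw) }          # keywords are case-insensitive
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            commented = (line ~ /^#/)
            if (commented) {
                line = substr(line, 2)
                # Assumption: "# text" is prose, "#Keyword value" is a default
                if (line ~ /^[ \t]/) next
            }
            n = split(line, f, /[ \t=]+/)
            if (n < 2 || tolower(f[1]) != kw) next
            if (!commented) { print "explicit " f[2]; found = 1; exit }
            if (shadow == "") shadow = f[2]
        }
        END {
            if (found) exit
            print (shadow != "" ? "commented " shadow : "absent")
        }
    ' "$file"
}

# Write a constructed sample in the style of a shipped sshd_config.
write_sample_config() {
    cat > "$1" <<'EOF'
# Constructed sample, not a real configuration.
#Port 22
Protocol 2
#UsePAM yes
# UsePAM is only honoured when set explicitly
PasswordAuthentication yes
EOF
}
```

Running `sshd_keyword_state` over each authentication-related keyword after an upgrade shows which settings are actually in force and which merely look set because of a commented line.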

Ben,

Now that I have set "UsePAM yes" I am seeing another issue. When a user
types in the wrong password, there is a long delay and then the message
"Connection closed" appears. With 3.6.1p1, a wrong password would result in
an immediate message "Permission denied, please try again" and the user
would be asked to re-enter the password. I can reduce the delay by setting
"LoginGraceTime" to some smaller number, but why does the connection close
instead of asking for another password?

Cheers,
Steve

Ben Lindstrom wrote:

> No that is the only incorrect default. It was missed in a last minute
> change before p2 release where we decided PAM (like Kerb, etc) are not to
> be enabled by default.
>
> The sshd_config has been corrected in the current CVS tree.
>
> - Ben

--
Steve "Wheat" Belt
Motorola, Inc.
Steve.Belt at motorola.com
6501 William Cannon Dr. West, MD OE341
512-895-2268
Austin, TX 78735

Hello,

I sent this a couple of weeks ago, but got no response. I can only assume
that nobody has experienced this problem. Anyway, I thought I would try
again just in case.

As a preface, this was compiled and is running on a Solaris 8 system that
uses ldap as its name service. The "--with-pam" switch was used during
config and "UsePam yes" is in the sshd_config file.

Here is the issue: When a user types in the wrong password, there is a long
delay and then the message "Connection closed" appears. With 3.6.1p1, a
wrong password would result in an immediate message "Permission denied,
please try again" and the user would be asked to re-enter the password. I
can reduce the delay by setting "LoginGraceTime" to some smaller number, but
why does the connection close instead of asking for another password?

BTW, this does not happen on a Solaris 8 system that uses nis as its name
service. The behavior is as expected, with the user being asked to re-enter
the password.

Any help would be appreciated.

Thanks,
Steve

--
Steve "Wheat" Belt
Motorola, Inc.
Steve.Belt at motorola.com
6501 William Cannon Dr. West, MD OE341
512-895-2268
Austin, TX 78735