Jayarama Vijay Kumar
2004-Jun-15 09:14 UTC
ssh daemon fails to call pam when user does not exist in /etc/passwd
Hi
We recently upgraded to openssh-3.7.1p2. Our architecture is:
the ssh daemon uses a pam module which sends requests to remote
radius/tacacs+ servers based on configuration.
Now if I create the user in /etc/passwd, then ssh daemon calls pam and
everything works fine.
But if the user is not present in /etc/passwd, then ssh daemon is not
calling pam. The debug log is given below. All these were working in
prior versions. Any idea why there is dependency on local user accounts?
I have also given sshd's pam file.
Any help is greatly appreciated
vijay
debug log
======
debug1: userauth-request for user jvijayku service ssh-connection method
none
debug1: attempt 0 failures 0
Illegal user jvijayku from 64.104.131.187
input_userauth_request: illegal user jvijayku
debug1: PAM: initializing for "jvijayku"
debug3: Trying to reverse map address 64.104.131.187.
debug1: PAM: setting PAM_RHOST to "64.104.131.187"
debug1: PAM: setting PAM_TTY to "ssh"
debug2: input_userauth_request: try method none
Failed none for illegal user jvijayku from 64.104.131.187 port 33729 ssh2
debug1: userauth-request for user jvijayku service ssh-connection method
keyboard-interactive
debug1: attempt 1 failures 1
debug2: input_userauth_request: try method keyboard-interactive
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=jvijayku devs
debug1: kbdint_alloc: devices 'pam'
debug2: auth2_challenge_start: devices pam
debug2: kbdint_next_device: devices <empty>
debug1: auth2_challenge_start: trying authentication method 'pam'
debug3: ssh_msg_recv entering
debug3: ssh_msg_send: type 1
Postponed keyboard-interactive for illegal user jvijayku from
64.104.131.187 port 33729 ssh2
debug3: ssh_msg_recv entering
PAM file
======
# Disallows other than root logins when /etc/nologin exists
# (Replaces the `NOLOGINS_FILE' option from login.defs)
auth requisite pam_nologin.so
auth required pam_env.so
auth [authinfo_unavail=ignore auth_err=done success=done default=ok] /isan/lib/libpam_aaa_auth.so
# Standard Un*x authentication. The "nullok" line allows passwordless
# accounts.
auth required pam_unix.so nullok likeauth try_first_pass
account required pam_unix.so
session required pam_unix.so
session optional pam_lastlog.so
session optional pam_motd.so
session optional pam_mail.so standard noenv
password required /lib/security/pam_cracklib.so retry=3
password sufficient /lib/security/pam_unix.so nullok use_authtok shadow md5
password required /lib/security/pam_deny.so
Damien Miller
2004-Jun-15 09:32 UTC
ssh daemon fails to call pam when user does not exist in /etc/passwd
Jayarama Vijay Kumar wrote:
> Hi
> We recently upgraded to openssh-3.7.1p2. Our architecture is
> ssh daemon uses pam module which sends request to remote
> radius/tacacs+ servers based on configuration.
> Now if I create the user in /etc/passwd, then ssh daemon calls pam and
> everything works fine.
> But if the user is not present in /etc/passwd, then ssh daemon is not
> calling pam. The debug log is given below. All these were working in
> prior versions. Any idea why there is dependency on local user accounts?
> I have also given sshd's pam file

This behaviour is by-design and we don't have any intentions of changing it. If your non-local login system doesn't support getpw* it won't work with OpenSSH (we aren't unique in this position). If you want to support non-local accounts then you need to use some NSS system (e.g. NIS, LDAP or on-the-fly getpw synthesis).

-d
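The dependency Damien describes is the getpw* lookup sshd performs before any authentication method can succeed. The following added diagnostic (my own code, not OpenSSH's) resolves a login name through the same getpwnam() call, which walks the host's NSS chain (files, NIS, LDAP, a synthesising module), so an administrator can check whether a non-local account is actually visible to the daemon; the enum names and exit codes are assumptions of this example.

```c
/* Added example: does this login name resolve through NSS on this host?
 * If not, sshd treats it as an "Illegal user" and, as the thread explains,
 * the login cannot succeed regardless of what the PAM stack would decide. */
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>

enum lookup_result { USER_UNKNOWN = 0, USER_KNOWN = 1, LOOKUP_ERROR = -1 };

/* Resolve a name exactly as sshd does: via getpwnam(), i.e. via NSS.
 * A PAM-only backend (RADIUS/TACACS+) is never consulted here, which is
 * why a user that exists only on the AAA server comes back USER_UNKNOWN. */
enum lookup_result user_known_to_nss(const char *name)
{
    struct passwd *pw;

    errno = 0;
    pw = getpwnam(name);
    if (pw != NULL)
        return USER_KNOWN;
    /* glibc reports "no such user" as NULL with errno 0, ENOENT, ESRCH,
     * EBADF or EPERM; anything else (EIO, ENOMEM, ...) is a real failure. */
    if (errno == 0 || errno == ENOENT || errno == ESRCH ||
        errno == EBADF || errno == EPERM)
        return USER_UNKNOWN;
    return LOOKUP_ERROR;
}

/* Usage: ./nsscheck <username>   (defaults to "root" when no name is given) */
int main(int argc, char **argv)
{
    const char *name = argc > 1 ? argv[1] : "root";

    switch (user_known_to_nss(name)) {
    case USER_KNOWN:
        printf("%s: resolvable via NSS; sshd will accept the name and "
               "run its authentication methods (including PAM)\n", name);
        return 0;
    case USER_UNKNOWN:
        printf("%s: not resolvable via NSS; sshd will log \"Illegal user\" "
               "and the login cannot succeed\n", name);
        return 1;
    default:
        printf("%s: lookup failed: %s\n", name, strerror(errno));
        return 2;
    }
}
```

Run it against an account that exists only on the RADIUS/TACACS+ server: until an NSS source makes that account visible, the result is USER_UNKNOWN and no PAM configuration will change sshd's answer.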
Darren Tucker
2004-Jun-15 09:33 UTC
ssh daemon fails to call pam when user does not exist in /etc/passwd
Jayarama Vijay Kumar wrote:
> We recently upgraded to openssh-3.7.1p2. Our architecture is
> ssh daemon uses pam module which sends request to remote
> radius/tacacs+ servers based on configuration.
> Now if I create the user in /etc/passwd, then ssh daemon calls pam and
> everything works fine.
> But if the user is not present in /etc/passwd, then ssh daemon is not
> calling pam. The debug log is given below. All these were working in
> prior versions. Any idea why there is dependency on local user accounts?
> I have also given sshd's pam file

I posted a patch for this a while back (attached). It's only been lightly tested but it's worth a try.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

Attachment: openssh-chall2-no-leak.patch
http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20040615/c6299c7a/attachment.ksh