I've got a Solaris 8 and 9 box using LDAP to successfully authenticate users.
I can get logged in via ssh using keyboard interactive (via PAM/LDAP). When
I try to use pubkey authentication, both the pubkey as well as the fallback to
keyboard interactive always fail. I've tried OpenSSH versions as early as 3.4
and as new as the 11-06 snapshot with the same behavior. Everything works fine
on a Linux machine which is configured to use PAM/LDAP and has OpenSSH 3.9p1
installed. Logs follow.
Nov 9 10:00:07 sshserver sshd[27976]: [ID 800047 auth.debug] debug1:
userauth-request for user testuser service ssh-connection method publickey
Nov 9 10:00:07 sshserver sshd[27976]: [ID 800047 auth.debug] debug1: attempt 1
failures 1
Nov 9 10:00:07 sshserver sshd[27976]: [ID 800047 auth.debug] debug2:
input_userauth_request: try method publickey
Nov 9 10:00:07 sshserver sshd[27976]: [ID 800047 auth.debug] debug1: test
whether pkalg/pkblob are acceptable
Nov 9 10:00:07 sshserver sshd[27976]: [ID 800047 auth.debug] debug1:
temporarily_use_uid: 999/1002 (e=0/0)
Nov 9 10:00:07 sshserver sshd[27976]: [ID 800047 auth.debug] debug1: trying
public key file /home/testuser/.ssh/authorized_keys
Nov 9 10:00:07 sshserver sshd[27976]: [ID 800047 auth.debug] debug1:
restore_uid: 0/0
Nov 9 10:00:07 sshserver sshd[27976]: [ID 800047 auth.debug] debug1:
temporarily_use_uid: 999/1002 (e=0/0)
Nov 9 10:00:07 sshserver sshd[27976]: [ID 800047 auth.debug] debug1: trying
public key file /home/testuser/.ssh/authorized_keys2
Nov 9 10:00:07 sshserver sshd[27976]: [ID 800047 auth.debug] debug3:
secure_filename: checking '/home/testuser/.ssh'
Nov 9 10:00:07 sshserver sshd[27976]: [ID 800047 auth.debug] debug3:
secure_filename: checking '/home/testuser'
Nov 9 10:00:07 sshserver sshd[27976]: [ID 800047 auth.debug] debug3:
secure_filename: terminating check at '/home/testuser'
Nov 9 10:00:07 sshserver sshd[27976]: [ID 800047 auth.debug] debug1: matching
key found: file /home/testuser/.ssh/authorized_keys2, line 3
Nov 9 10:00:07 sshserver sshd[27976]: [ID 800047 auth.info] Found matching DSA
key: 6d:28:e4:fa:93:3a:69:7e:57:1d:cf:c2:36:55:4d:e4
Nov 9 10:00:07 sshserver sshd[27976]: [ID 800047 auth.debug] debug1:
restore_uid: 0/0
Nov 9 10:00:07 sshserver sshd[27976]: [ID 800047 auth.debug] debug2:
userauth_pubkey: authenticated 0 pkalg ssh-dss
Nov 9 10:00:07 sshserver sshd[27976]: [ID 800047 auth.info] Postponed publickey
for testuser from 1.2.3.4 port 33457 ssh2
** snip -- it automatically tries pubkey auth 2 more times with the same error **
Nov 9 10:00:07 sshserver sshd[27976]: [ID 800047 auth.debug] debug1:
userauth-request for user testuser service ssh-connection method
keyboard-interactive
Nov 9 10:00:07 sshserver sshd[27976]: [ID 800047 auth.debug] debug1: attempt 5
failures 3
Nov 9 10:00:07 sshserver sshd[27976]: [ID 800047 auth.debug] debug2:
input_userauth_request: try method keyboard-interactive
Nov 9 10:00:07 sshserver sshd[27976]: [ID 800047 auth.debug] debug1:
keyboard-interactive devs
Nov 9 10:00:07 sshserver sshd[27976]: [ID 800047 auth.debug] debug1:
auth2_challenge: user=testuser devs
Nov 9 10:00:07 sshserver sshd[27976]: [ID 800047 auth.debug] debug1:
kbdint_alloc: devices 'pam'
Nov 9 10:00:07 sshserver sshd[27976]: [ID 800047 auth.debug] debug2:
auth2_challenge_start: devices pam
Nov 9 10:00:07 sshserver sshd[27976]: [ID 800047 auth.debug] debug2:
kbdint_next_device: devices <empty>
Nov 9 10:00:07 sshserver sshd[27976]: [ID 800047 auth.debug] debug1:
auth2_challenge_start: trying authentication method 'pam'
Nov 9 10:00:07 sshserver sshd[27976]: [ID 800047 auth.debug] debug3: PAM:
sshpam_init_ctx entering
Nov 9 10:00:07 sshserver sshd[27977]: [ID 384020 auth.debug] PAM[27977]:
pam_set_item(7f6e8:conv)
Nov 9 10:00:07 sshserver sshd[27977]: [ID 225850 auth.debug] PAM[27977]:
pam_authenticate(7f6e8, 1)
Nov 9 10:00:07 sshserver sshd[27977]: [ID 348363 auth.debug] PAM[27977]:
load_modules(7f6e8, pam_sm_authenticate)=/usr/lib/security/pam_authtok_get.so.1
Nov 9 10:00:07 sshserver sshd[27977]: [ID 258498 auth.debug] PAM[27977]:
load_function: successful load of pam_sm_authenticate
Nov 9 10:00:07 sshserver sshd[27977]: [ID 348363 auth.debug] PAM[27977]:
load_modules(7f6e8, pam_sm_authenticate)=/usr/lib/security/pam_dhkeys.so.1
Nov 9 10:00:07 sshserver sshd[27977]: [ID 258498 auth.debug] PAM[27977]:
load_function: successful load of pam_sm_authenticate
Nov 9 10:00:07 sshserver sshd[27977]: [ID 348363 auth.debug] PAM[27977]:
load_modules(7f6e8, pam_sm_authenticate)=/usr/lib/security/pam_unix_auth.so.1
Nov 9 10:00:07 sshserver sshd[27977]: [ID 258498 auth.debug] PAM[27977]:
load_function: successful load of pam_sm_authenticate
Nov 9 10:00:07 sshserver sshd[27977]: [ID 348363 auth.debug] PAM[27977]:
load_modules(7f6e8, pam_sm_authenticate)=/usr/lib/security/pam_ldap.so.1
Nov 9 10:00:07 sshserver sshd[27977]: [ID 258498 auth.debug] PAM[27977]:
load_function: successful load of pam_sm_authenticate
Nov 9 10:00:07 sshserver sshd[27977]: [ID 334087 auth.debug] PAM[27977]:
pam_get_user(7f6e8, 61746500, NULL)
Nov 9 10:00:07 sshserver sshd[27977]: [ID 800047 auth.debug] debug3: PAM:
sshpam_thread_conv entering, 1 messages
Nov 9 10:00:07 sshserver sshd[27977]: [ID 800047 auth.debug] debug3:
ssh_msg_send: type 1
Nov 9 10:00:07 sshserver sshd[27977]: [ID 800047 auth.debug] debug3:
ssh_msg_recv entering
Nov 9 10:00:07 sshserver sshd[27976]: [ID 800047 auth.debug] debug3: PAM:
sshpam_query entering
Nov 9 10:00:07 sshserver sshd[27976]: [ID 800047 auth.debug] debug3:
ssh_msg_recv entering
Nov 9 10:00:07 sshserver sshd[27976]: [ID 800047 auth.info] Postponed
keyboard-interactive for testuser from 1.2.3.4 port 33457 ssh2
Nov 9 10:00:52 sshserver sshd[27976]: [ID 800047 auth.debug] debug2: PAM:
sshpam_respond entering, 1 responses
Nov 9 10:00:52 sshserver sshd[27976]: [ID 800047 auth.debug] debug3:
ssh_msg_send: type 6
Nov 9 10:00:52 sshserver sshd[27976]: [ID 800047 auth.debug] debug3: PAM:
sshpam_query entering
Nov 9 10:00:52 sshserver sshd[27976]: [ID 800047 auth.debug] debug3:
ssh_msg_recv entering
Nov 9 10:00:52 sshserver sshd[27977]: [ID 384020 auth.debug] PAM[27977]:
pam_set_item(7f6e8:authtok)
Nov 9 10:00:52 sshserver last message repeated 1 time
Nov 9 10:00:52 sshserver sshd[27977]: [ID 334087 auth.debug] PAM[27977]:
pam_get_user(7f6e8, 0, NULL)
Nov 9 10:00:52 sshserver sshd[27977]: [ID 800047 auth.debug] debug3:
ssh_msg_send: type 9
Nov 9 10:00:52 sshserver sshd[27976]: [ID 800047 auth.error] error: PAM:
Success for testuser from co-klein-linux.trans.corp
Nov 9 10:00:52 sshserver sshd[27976]: [ID 800047 auth.debug] debug2:
auth2_challenge_start: devices <empty>
Nov 9 10:00:52 sshserver sshd[27976]: [ID 800047 auth.debug] debug3: PAM:
sshpam_free_ctx entering
Nov 9 10:00:52 sshserver sshd[27976]: [ID 800047 auth.debug] debug3: PAM:
sshpam_thread_cleanup entering
Nov 9 10:00:52 sshserver sshd[27976]: [ID 800047 auth.info] Failed
keyboard-interactive/pam for testuser from 1.2.3.4 port 33457 ssh2
Keyboard interactive fails as well; note the "error: PAM: Success".
If I move authorized_keys2 out of the way, keyboard interactive works fine.
Any help is greatly appreciated.
Thanks!
-Eli