Hi all.

OpenSSH_4.1p1, OpenSSL 0.9.7g 11 Apr 2005 on Solaris 8 using host-based authentication.

With "PrivilegeSeparation yes" and "UsePAM no" everything works as desired. If I enable PAM, I am able to connect, but just before it gives me a shell, it disconnects. If I leave PAM enabled and disable PrivilegeSeparation, it works.

Is this a current limitation, or is there something I can try?

--------------
Lets Go Canes!
On Mon, 29 Aug 2005, Lets Go Canes wrote:

> Hi all.
>
> OpenSSH_4.1p1, OpenSSL 0.9.7g 11 Apr 2005 on Solaris 8 using host-based
> authentication.
>
> With "PrivilegeSeparation yes" and "UsePAM no" everything works as
> desired. If I enable PAM, I am able to connect, but just before it
> gives me a shell, it disconnects. If I leave PAM enabled and disable
> PrivilegeSeparation, it works.
>
> Is this a current limitation, or is there something I can try?

Must be a local problem. I'm not seeing any problem here with host-based auth.
I tried both local account and LDAP account.

....
tim at sun1 1% id
uid=31(tim) gid=85(trr)
tim at sun1 2% grep ":31:" /etc/passwd
tim at sun1 3% grep UsePAM /etc/ssh/sshd_config
UsePAM yes
tim at sun1 4% uname -r
5.8
tim at sun1 5% ssh -V
OpenSSH_4.1p1, OpenSSL 0.9.7g 11 Apr 2005
tim at sun1 6% ps -fu tim
     UID   PID  PPID  C    STIME TTY      TIME CMD
     tim   504   502  0 11:20:02 ?        0:00 /opt/mt/openssh/sbin/sshd -R
     tim   506   504  0 11:20:02 pts/3    0:00 -csh
tim at sun1 7% grep PrivilegeSeparation /etc/ssh/sshd_config
#UsePrivilegeSeparation yes
....

Try running sshd -ddd and see if the debug output sheds any light.

>
> --------------
> Lets Go Canes!
>

Tim Rice				Multitalents	(707) 887-1469
tim at multitalents.net
Hi all.

> Try running sshd -ddd and see if the debug output sheds any light.

Thank you for the suggestion.

The sshd side appears to just see the child go away:

debug3: mm_answer_pty: tty /dev/pts/5 ptyfd 9
debug2: monitor_read: 25 used once, disabling now
debug3: mm_request_receive entering
debug1: PAM: setting PAM_TTY to "/dev/pts/5"
debug2: fd 4 setting TCP_NODELAY
debug1: Entering interactive session.
debug1: Received SIGCHLD.
debug2: fd 10 setting O_NONBLOCK
debug3: fd 12 is O_NONBLOCK
debug2: fd 14 setting O_NONBLOCK
debug2: fd 15 setting O_NONBLOCK
debug1: server_init_dispatch_13
debug1: server_init_dispatch_15
debug1: End of interactive session; stdin 0, stdout (read 102, sent 102), stderr 0 bytes.
debug1: Command exited with status 254.
debug1: Received exit confirmation.
[...]

The client side appears to be creating the session, but before it can give a shell prompt, it dies:

[...]
debug3: tty_make_modes: 92 0
debug3: tty_make_modes: 93 0
debug2: fd 4 setting TCP_NODELAY
debug1: Requesting shell.
debug1: Entering interactive session.
Last login: Mon Aug 29 16:27:54 2005 from xyzzy.plugh.c
debug3: PAM session not opened, exiting
Connection to ssh-host closed.
debug1: Transferred: stdin 0, stdout 102, stderr 31 bytes in 0.0 seconds
debug1: Bytes per second: stdin 0.0, stdout 5185.8, stderr 1576.1
debug1: Exit status 254
[...]

Note the message: debug3: PAM session not opened, exiting

I am also seeing in /var/adm/messages:

Aug 29 16:47:55 ssh-host sshd[26773]: [ID 776383 auth.error] open_module: stat(/lib/security/pam_limits.so) failed: No such file or directory
Aug 29 16:47:55 ssh-host sshd[26773]: [ID 487707 auth.error] load_modules: can not open module /lib/security/pam_limits.so
Aug 29 16:47:55 ssh-host sshd[26773]: [ID 800047 auth.error] error: PAM: pam_open_session(): Dlopen failure
Aug 29 16:47:55 ssh-host sshd[26773]: [ID 776383 auth.error] open_module: stat(/lib/security/pam_nologin.so) failed: No such file or directory
Aug 29 16:47:55 ssh-host sshd[26773]: [ID 487707 auth.error] load_modules: can not open module /lib/security/pam_nologin.so

Note the "pam_open_session(): Dlopen failure"

I get the same behavior from multiple accounts (using different shells and skeleton files).

I can work around the problem by disabling either PAM and/or PrivSep in sshd_config, but in my production environment PAM support will be required, and PrivilegeSeparation is viewed as highly desirable.

--------------
Lets Go Canes!
On Mon, 29 Aug 2005, Lets Go Canes wrote:

> Hi all.
>
> > Try running sshd -ddd and see if the debug output sheds any light.
>
> Thank you for the suggestion.
>
> The sshd side appears to just see the child go away:
>
[snip]
> Last login: Mon Aug 29 16:27:54 2005 from xyzzy.plugh.c
> debug3: PAM session not opened, exiting
> Connection to ssh-host closed.
> debug1: Transferred: stdin 0, stdout 102, stderr 31 bytes in 0.0
> seconds
> debug1: Bytes per second: stdin 0.0, stdout 5185.8, stderr 1576.1
> debug1: Exit status 254
> [...]
>
> Note the message: debug3: PAM session not opened, exiting
>
> I am also seeing in /var/adm/messages:
>
> Aug 29 16:47:55 ssh-host sshd[26773]: [ID 776383 auth.error]
> open_module: stat(/lib/security/pam_limits.so) failed: No such file or
> directory

Looks like a PAM configuration problem.

What does your /etc/pam.conf look like?

> Aug 29 16:47:55 ssh-host sshd[26773]: [ID 487707 auth.error]
> load_modules: can not open module /lib/security/pam_limits.so
> Aug 29 16:47:55 ssh-host sshd[26773]: [ID 800047 auth.error] error:
> PAM: pam_open_session(): Dlopen failure
> Aug 29 16:47:55 ssh-host sshd[26773]: [ID 776383 auth.error]
> open_module: stat(/lib/security/pam_nologin.so) failed: No such file or
> directory
> Aug 29 16:47:55 ssh-host sshd[26773]: [ID 487707 auth.error]
> load_modules: can not open module /lib/security/pam_nologin.so
>
> Note the "pam_open_session(): Dlopen failure"
>
> I get the same behavior from multiple accounts (using different shells
> and skeleton files).
>
> I can work-around the problem by disabling either PAM and/or PrivSep
> in sshd_config, but in my production environment PAM support will be
> required, and PrivilegeSeparation is viewed as highly desirable.
>
>
> --------------
> Lets Go Canes!
>

Tim Rice				Multitalents	(707) 887-1469
tim at multitalents.net
Hi all.

--- Tim Rice <tim at multitalents.net> wrote:

> Looks like a PAM configuration problem.
>
> What does your /etc/pam.conf look like?

As far as I am aware, it is the Solaris default:

#
#ident	"@(#)pam.conf	1.16	01/01/24 SMI"
#
# Copyright (c) 1996-2000 by Sun Microsystems, Inc.
# All rights reserved.
#
# PAM configuration
#
# Authentication management
#
login	auth required	/usr/lib/security/$ISA/pam_unix.so.1
login	auth required	/usr/lib/security/$ISA/pam_dial_auth.so.1
#
rlogin	auth sufficient	/usr/lib/security/$ISA/pam_rhosts_auth.so.1
rlogin	auth required	/usr/lib/security/$ISA/pam_unix.so.1
#
dtlogin	auth required	/usr/lib/security/$ISA/pam_unix.so.1
#
rsh	auth required	/usr/lib/security/$ISA/pam_rhosts_auth.so.1
other	auth required	/usr/lib/security/$ISA/pam_unix.so.1
#
# Account management
#
login	account requisite	/usr/lib/security/$ISA/pam_roles.so.1
login	account required	/usr/lib/security/$ISA/pam_projects.so.1
login	account required	/usr/lib/security/$ISA/pam_unix.so.1
#
dtlogin	account requisite	/usr/lib/security/$ISA/pam_roles.so.1
dtlogin	account required	/usr/lib/security/$ISA/pam_projects.so.1
dtlogin	account required	/usr/lib/security/$ISA/pam_unix.so.1
#
other	account requisite	/usr/lib/security/$ISA/pam_roles.so.1
other	account required	/usr/lib/security/$ISA/pam_projects.so.1
other	account required	/usr/lib/security/$ISA/pam_unix.so.1
#
# Session management
#
other	session required	/usr/lib/security/$ISA/pam_unix.so.1
#
# Password management
#
other	password required	/usr/lib/security/$ISA/pam_unix.so.1
dtsession auth required	/usr/lib/security/$ISA/pam_unix.so.1
#
# Support for Kerberos V5 authentication (uncomment to use Kerberos)
#
#rlogin	auth optional	/usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
#login	auth optional	/usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
#dtlogin	auth optional	/usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
#other	auth optional	/usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
#dtlogin	account optional	/usr/lib/security/$ISA/pam_krb5.so.1
#other	account optional	/usr/lib/security/$ISA/pam_krb5.so.1
#other	session optional	/usr/lib/security/$ISA/pam_krb5.so.1
#other	password optional	/usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
#
# Support for Solaris PPP (sppp)
ppp	auth required	/usr/lib/security/$ISA/pam_unix.so.1
ppp	auth required	/usr/lib/security/$ISA/pam_dial_auth.so.1
ppp	account requisite	/usr/lib/security/$ISA/pam_roles.so.1
ppp	account required	/usr/lib/security/$ISA/pam_projects.so.1
ppp	account required	/usr/lib/security/$ISA/pam_unix.so.1
ppp	session required	/usr/lib/security/$ISA/pam_unix.so.1

--------------
Lets Go Canes!
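The check that Tim's question points at, as an added example that is not part of the thread, of OpenSSH or of Solaris: a small POSIX sh script that walks a Solaris-format pam.conf (service, module-type, control-flag, module-path), expands $ISA, and reports every module path that does not exist on disk, which is the condition behind "open_module: stat(...) failed" and "pam_open_session(): Dlopen failure". A second helper prints the stack libpam would actually run for a given service and type, using the pam.conf(4) rule that a service's own lines win and "other" applies only when the service has none. The sample directory tree, the sample pam.conf and its sshd line pointing at /lib/security/pam_limits.so are constructed for the demo and assume nothing about the poster's machine; `mktemp -d` is assumed to exist on the box running the demo.

```shell
#!/bin/sh
# pam_module_check.sh -- added example for this thread; not OpenSSH or Solaris code.
#
# Solaris pam.conf lines look like:
#   service  module-type  control-flag  module-path  [options]
# The effective stack for a service/type is the service's own lines if any
# exist, otherwise the "other" lines (pam.conf(4)).  A module-path that does
# not exist on disk makes libpam fail at dlopen time, which is what
# "open_module: stat(...) failed" / "pam_open_session(): Dlopen failure" show.

# strip_conf CONF: comment-free pam.conf lines that have at least four fields.
strip_conf() {
    sed -e 's/#.*//' "$1" | awk 'NF >= 4'
}

# expand_isa MODULE ISA: substitute $ISA and drop the "//" an empty ISA leaves.
expand_isa() {
    printf '%s\n' "$1" | sed -e "s|\\\$ISA|$2|g" -e 's|//|/|g'
}

# check_pam_modules CONF ROOT ISA
#   ROOT is a prefix prepended to each module path ("" for the live system);
#   ISA is what $ISA expands to ("" for 32-bit, "sparcv9" for a 64-bit sshd).
# Prints "service type path" for every module that is missing on disk.
check_pam_modules() {
    conf=$1; root=$2; isa=$3
    strip_conf "$conf" | awk '{ print $1, $2, $4 }' |
    while read -r service type module; do
        path=$(expand_isa "$module" "$isa")
        [ -f "$root$path" ] || printf '%s %s %s\n' "$service" "$type" "$path"
    done
}

# pam_stack CONF SERVICE TYPE: the stack libpam would run, one "control path" per line.
pam_stack() {
    conf=$1; svc=$2; type=$3
    lines=$(strip_conf "$conf" | awk -v s="$svc" -v t="$type" '$1 == s && $2 == t { print $3, $4 }')
    if [ -z "$lines" ]; then
        # no service-specific lines for this type: the "other" lines apply
        lines=$(strip_conf "$conf" | awk -v t="$type" '$1 == "other" && $2 == t { print $3, $4 }')
    fi
    printf '%s\n' "$lines"
}

# make_sample_tree DIR: constructed sample data (not the poster's system):
# a fake 32-bit pam_unix.so.1, plus a pam.conf whose last line points at a
# Linux-style path that does not exist, the kind of entry the check is for.
make_sample_tree() {
    mkdir -p "$1/usr/lib/security"
    : > "$1/usr/lib/security/pam_unix.so.1"
    cat > "$1/pam.conf" <<'EOF'
# constructed sample pam.conf
login   auth     required  /usr/lib/security/$ISA/pam_unix.so.1
login   auth     required  /usr/lib/security/$ISA/pam_dial_auth.so.1
other   auth     required  /usr/lib/security/$ISA/pam_unix.so.1
other   session  required  /usr/lib/security/$ISA/pam_unix.so.1
sshd    session  required  /lib/security/pam_limits.so
EOF
}

# demo: build the sample tree, report missing modules, show sshd's stacks.
demo() {
    d=$(mktemp -d)
    make_sample_tree "$d"
    echo "missing modules (root=$d):"
    check_pam_modules "$d/pam.conf" "$d" ""
    echo "sshd auth stack (no sshd auth line, so 'other' applies):"
    pam_stack "$d/pam.conf" sshd auth
    echo "sshd session stack (service-specific line wins):"
    pam_stack "$d/pam.conf" sshd session
    rm -rf "$d"
}

# Usage:  sh pam_module_check.sh demo
#         sh pam_module_check.sh /etc/pam.conf [ROOT] [ISA]
case "${1:-}" in
    demo) demo ;;
    "")   : ;;                                        # bare run: define functions only
    *)    check_pam_modules "$1" "${2:-}" "${3:-}" ;;
esac
```

Against a live Solaris box, `sh pam_module_check.sh /etc/pam.conf` audits the 32-bit module paths and `sh pam_module_check.sh /etc/pam.conf "" sparcv9` the 64-bit ones; any line it prints is a stack that will fail at dlopen time for every service using it. Run over the pam.conf posted above it prints nothing for the two paths in the log, because no line in that file references /lib/security/ at all, so the next thing to confirm is that the sshd binary producing those messages is reading the same /etc/pam.conf.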