[ Sorry for the length of this; I felt it better to provide potentially
too much info, rather than not enough. I've probably missed something
that's important, though! ]

I have an odd problem with 5.1p on RHEL3 if "UsePAM yes" and
"UsePrivilegeSeparation no" is set. The code detects that the user
password is aged (according to shadow) but then fails to let me change
the password:

% ssh -p 2222 fred@localhost
fred@localhost's password:
You are required to change your password immediately (password aged)
Last login: Thu Oct 16 14:28:14 2008 from localhost.localdomain
Connection to localhost closed.

If I run the server in -ddd mode,

% ssh fred@localhost -p 2222
fred@localhost's password:
You are required to change your password immediately (password aged)
Last login: Thu Oct 16 14:56:04 2008 from localhost.localdomain
debug1: PAM: changing password
PAM: pam_chauthtok(): Authentication token manipulation error
debug1: do_cleanup
Connection to localhost closed.

On the server side, I see

Failed publickey for fred from 127.0.0.1 port 32786 ssh2
debug1: userauth-request for user fred service ssh-connection method password
debug1: attempt 3 failures 2
debug2: input_userauth_request: try method password
debug3: PAM: sshpam_passwd_conv called with 1 messages
debug1: PAM: password authentication accepted for fred
debug1: do_pam_account: called
debug3: PAM: sshpam_passwd_conv called with 1 messages
debug3: PAM: do_pam_account pam_acct_mgmt = 12 (Authentication token is no longer valid; new one required.)
debug3: sshpam_password_change_required 1
Accepted password for fred from 127.0.0.1 port 32786 ssh2
debug1: PAM: establishing credentials
debug3: PAM: opening session
debug1: Entering interactive session for SSH2.
debug2: fd 4 setting O_NONBLOCK
debug2: fd 5 setting O_NONBLOCK
debug1: server_init_dispatch_20
debug1: server_input_channel_open: ctype session rchan 0 win 1048576 max 16384
debug1: input_session_request
debug1: channel 0: new [server-session]
debug2: session_new: allocate (allocated 0 max 10)
debug3: session_unused: session id 0 unused
debug1: session_new: session 0
debug1: session_open: channel 0
debug1: session_open: session 0: link with channel 0
debug1: server_input_channel_open: confirm session
debug1: server_input_global_request: rtype no-more-sessions@openssh.com want_reply 0
debug1: server_input_channel_req: channel 0 request pty-req reply 1
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req pty-req
debug1: Allocating pty.
debug1: session_pty_req: session 0 alloc /dev/pts/2
debug3: tty_parse_modes: SSH2 n_bytes 256
debug3: tty_parse_modes: ospeed 38400
debug3: tty_parse_modes: ispeed 38400
debug1: server_input_channel_req: channel 0 request shell reply 1
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req shell
debug1: Setting controlling tty using TIOCSCTTY.
debug2: fd 3 setting TCP_NODELAY
debug2: channel 0: rfd 8 isatty
debug2: fd 8 setting O_NONBLOCK
debug3: fd 6 is O_NONBLOCK
debug1: Received SIGCHLD.
debug1: session_by_pid: pid 6942
debug1: session_exit_message: session 0 channel 0 pid 6942
debug2: channel 0: request exit-status confirm 0
debug1: session_exit_message: release channel 0
[channel closing debug messages]
debug1: channel 0: free: server-session, nchannels 1
debug3: channel 0: status: The following connections are open:
#0 server-session (t4 r0 i3/0 o3/0 fd -1/-1 cfd -1)
debug3: channel 0: close_fds r -1 w -1 e -1 c -1
Connection closed by 127.0.0.1
debug1: do_cleanup
debug1: PAM: cleanup
debug1: PAM: deleting credentials
debug1: PAM: closing session
debug3: PAM: sshpam_thread_cleanup entering
Transferred: sent 2240, received 2512 bytes
Closing connection to 127.0.0.1 port 32786

If I do "UsePAM no" _or_ "UsePrivilegeSeparation yes" then the password
change process works...

WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user fred.
Changing password for fred
(current) UNIX password:
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
Connection to localhost closed.

(that logout and login again process is annoying)

The error message received looks very similar to a problem Darren had
with LinuxPAM back in 2004 about setting the conversation, but I can't
find if this was ever resolved:
http://osdir.com/ml/pam/2004-06/msg00028.html

Of course the RedHat provided OpenSSH3.6 package (with their gazillion
patches) works just fine; allows the password to be changed and doesn't
force a logout/login again.

Any ideas? I'm trying to standardise on a single version of OpenSSH over
all my platforms (Solaris 8,9,10, RHEL 2.1,3,4) and people are looking
at me pretty funny when my replacement package can't perform as well as
the OS provided one! (Of course it works fine on RHEL2.1, RHEL4 and
Solaris, but we have a large RHEL3 footprint)

sshd_config contents...

#Port 22
#Protocol 2,1
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
#HostKey /etc/myssh/ssh/ssh_host_key
#HostKey /etc/myssh/ssh/ssh_host_rsa_key
#HostKey /etc/myssh/ssh/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768
# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
LoginGraceTime 1m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile /etc/myssh/ssh/auth_keys/%u
#RhostsRSAAuthentication no
#HostbasedAuthentication no
#IgnoreUserKnownHosts no
#IgnoreRhosts yes
PasswordAuthentication yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
UsePAM yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation no
#PermitUserEnvironment no
Compression yes
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
# no default banner path
# Banner /etc/issue
# override default of no subsystems
Subsystem sftp /opt/myssh/libexec/sftp-server

Server:
RedHat Enterprise Linux 3
Linux 2.4.21-47.0.1.EL
pam-0.75-72
OpenSSH_5.1p1, OpenSSL 0.9.7k 05 Sep 2006

Thanks for your time!

-- 
rgds
Stephen

On 16.10.2008 23:43, Stephen Harris wrote:
> [ Sorry for the length of this; I felt it better to provide potentially
> too much info, rather than not enough. I've probably missed something
> that's important, though! ]
>
> I have an odd problem with 5.1p on RHEL3 if "UsePAM yes" and
> "UsePrivilegeSeparation no" is set. The code detects that the user
> password is aged (according to shadow) but then fails to let me change
> the password:
> [...]

The only thing I can suggest to you is upgrading PAM too. The latest
stable PAM version is 1.0.2. Best of all, get the latest PAM source
package from the Fedora Core development branch, replace the main tarball
with the 1.0.2 one, modify the patches to fit that version, and build.
That approach is time-consuming, but reliable.

-- 
Sincerely Yours,
Dan.

Stephen Harris wrote:
> [ Sorry for the length of this; I felt it better to provide potentially
> too much info, rather than not enough. I've probably missed something
> that's important, though! ]
>
> I have an odd problem with 5.1p on RHEL3 if "UsePAM yes" and
> "UsePrivilegeSeparation no" is set. The code detects that the user
> password is aged (according to shadow) but then fails to let me change
> the password:
> [...]
> If I do "UsePAM no" _or_ "UsePrivilegeSeparation yes" then the password
> change process works...

This works because the password change is done by invoking /usr/bin/passwd,
rather than by calling pam_chauthtok (the latter won't work in this case
because when UsePrivilegeSeparation=yes, we have long since given up root
privs).

[...]
> The error message received looks very similar to a problem Darren had
> with LinuxPAM back in 2004 about setting the conversation, but I can't
> find if this was ever resolved
> http://osdir.com/ml/pam/2004-06/msg00028.html

I think this was fixed in later versions of LinuxPAM but I also suspect the
fix was never backported. You can check with the testcase I posted back
then (which passes on my fedora 8 box):
http://www.zip.com.au/~dtucker/openssh/wrong-conv-function.c

> Of course the RedHat provided OpenSSH3.6 package (with their gazillion
> patches) works just fine; allows the password to be changed and doesn't
> force a logout/login again.
>
> Any ideas?

You could disable PasswordAuthentication and require Protocol 2 with
keyboard-interactive authentication, which will probably work since it does
both authentication and password change through the same conversation
function.

> I'm trying to standardise on a single version of OpenSSH over
> all my platforms (Solaris 8,9,10, RHEL 2.1,3,4) and people are looking
> at me pretty funny when my replacement package can't perform as well as
> the OS provided one! (Of course it works fine on RHEL2.1, RHEL4 and
> Solaris, but we have a large RHEL3 footprint)

It would be possible to hack around in sshd, however I don't think it's
worth the effort since it's demonstrably a (since fixed) LinuxPAM bug.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
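As an added example (not code from the thread or from OpenSSH), a small POSIX shell audit that reads an sshd_config the way sshd does and flags the combination Stephen reports (UsePAM yes with UsePrivilegeSeparation no and password authentication on), and recognises the keyboard-interactive workaround Darren suggests. The OpenSSH 5.1-era defaults it fills in, and the use of ChallengeResponseAuthentication to enable keyboard-interactive, are my assumptions and are not stated in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: audit an sshd_config for the
# combination reported as broken on RHEL3 (UsePAM yes together with
# UsePrivilegeSeparation no and password authentication enabled) and check
# for the suggested workaround (PasswordAuthentication no, Protocol 2,
# keyboard-interactive, which sshd enables via ChallengeResponseAuthentication).
# Assumed OpenSSH 5.1 sshd defaults: UsePAM no, UsePrivilegeSeparation yes,
# PasswordAuthentication yes, ChallengeResponseAuthentication yes, Protocol 2,1.

# sshd_get FILE KEYWORD DEFAULT: print the effective (lower-cased) value.
# Keywords are case-insensitive, lines starting with '#' are comments, sshd
# uses the first occurrence of a keyword, and anything after a Match line is
# conditional, so the scan stops there.
sshd_get() {
    val=$(awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF < 2      { next }
        tolower($1) == "match"    { exit }
        tolower($1) == k          { print tolower($2); exit }' "$1")
    printf '%s\n' "${val:-$3}"
}

# sshd_pam_audit FILE: exit 0 if the config is free of the broken
# combination, 1 if an expired-password change would fail as in the report.
sshd_pam_audit() {
    f=$1
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 2; }
    usepam=$(sshd_get "$f" UsePAM no)
    privsep=$(sshd_get "$f" UsePrivilegeSeparation yes)
    passwd=$(sshd_get "$f" PasswordAuthentication yes)
    chal=$(sshd_get "$f" ChallengeResponseAuthentication yes)
    proto=$(sshd_get "$f" Protocol 2,1)
    if [ "$usepam" = yes ] && [ "$privsep" = no ] && [ "$passwd" = yes ]; then
        echo "RISK ($f): UsePAM yes + UsePrivilegeSeparation no + PasswordAuthentication yes"
        echo "  expired passwords go through pam_chauthtok, which fails on old Linux-PAM"
        echo "  (wrong conversation function) and the user is disconnected."
        echo "  Fix: PasswordAuthentication no, ChallengeResponseAuthentication yes, Protocol 2"
        return 1
    fi
    if [ "$passwd" = no ] && [ "$chal" = yes ] && [ "$proto" = 2 ]; then
        echo "OK ($f): keyboard-interactive only; auth and password change share one PAM conversation"
    else
        echo "OK ($f): broken combination not present"
    fi
    return 0
}

if [ $# -gt 0 ]; then sshd_pam_audit "$1"; fi
```

Run it as `sh audit.sh /path/to/sshd_config`; a non-zero exit means the config would hit the failure described in the report.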