Hosung Song
2009-Feb-04 00:58 UTC
SSH PAM authentication/login with a new user DB (through NSS)
Hello, I'm a novice system programmer and I need some knowledge about how sshd/PAM/NSS work together. The email may be long and unclear, but I would greatly appreciate it if anyone could give me some info. TIA.

I'm developing a new authentication module for the Linux login service. I'm like a novice developer in this area, so I had to study this and that. I started with PAM naively, and the example PAM application seemed to authenticate the user all right. When I tried my PAM module on the ssh server, it always returned "INCORRECT" as the entered password, even though a correct password was entered. I admit that that led me to look into sshd's source code, and realized that sshd requires that every user attempting to log in be valid in the sense that getpwnam() returns a correct passwd struct. So, I realized again that I needed to implement a new NSS (Name Service Switch) module myself for this additional authentication method. I tested my NSS module with example queries of getpwnam() and getpwuid(), so I tried to integrate and test everything with sshd.

Now, sshd recognizes the users and entered passwords are accepted, so the PAM module successfully authenticates. It can be confirmed through the following /var/log/auth.log line:

Feb 3 14:54:11 dharma sshd[7843]: Accepted keyboard-interactive/pam for hosungs at gmail.com from 127.0.0.1 port 48748 ssh2

However, before the login prompt is granted, the connection is closed. The corresponding debug log is as follows:

...
Feb 3 14:54:11 dharma sshd[7863]: debug1: Allocating pty.
Feb 3 14:54:11 dharma sshd[7863]: debug3: mm_request_send entering: type 26
Feb 3 14:54:11 dharma sshd[7863]: debug3: mm_pty_allocate: waiting for MONITOR_ANS_PTY
Feb 3 14:54:11 dharma sshd[7863]: debug3: mm_request_receive_expect entering: type 27
Feb 3 14:54:11 dharma sshd[7863]: debug3: mm_request_receive entering
Feb 3 14:54:11 dharma sshd[7843]: debug2: User child is on pid 7863
Feb 3 14:54:11 dharma sshd[7843]: debug3: mm_request_receive entering
Feb 3 14:54:11 dharma sshd[7843]: debug3: monitor_read: checking request 26
Feb 3 14:54:11 dharma sshd[7843]: debug3: mm_answer_pty entering
Feb 3 14:54:11 dharma sshd[7843]: debug1: session_new: init
Feb 3 14:54:11 dharma sshd[7843]: debug1: session_new: session 0
Feb 3 14:54:11 dharma sshd[7843]: debug1: SELinux support disabled
Feb 3 14:54:11 dharma sshd[7843]: fatal: login_init_entry: Cannot find user ""
Feb 3 14:54:11 dharma sshd[7843]: debug1: do_cleanup
Feb 3 14:54:11 dharma sshd[7843]: debug1: PAM: cleanup
Feb 3 14:54:11 dharma sshd[7843]: debug3: PAM: sshpam_thread_cleanup entering
Feb 3 14:54:11 dharma sshd[7843]: debug1: session_pty_cleanup: session 0 release /dev/pts/4
Feb 3 14:54:11 dharma sshd[7843]: fatal: login_init_entry: Cannot find user ""
Feb 3 14:54:11 dharma sshd[7843]: debug1: do_cleanup
Feb 3 14:54:11 dharma sshd[7863]: debug1: do_cleanup
Feb 3 14:54:11 dharma sshd[7863]: debug1: PAM: cleanup
Feb 3 14:54:11 dharma sshd[7863]: debug3: PAM: sshpam_thread_cleanup entering
...

It looks like login_init_entry()'s username parameter (which is passed through login_alloc_entry(), record_login(), and do_login(), where the passwd struct is assigned from s->pw of the Session parameter s) comes from a passwd struct that is somehow different (blank?) from the one filled earlier by my NSS module at the time of authentication.

I tried to analyze the sshd source code as much as possible to figure out how the passwd structs are related (I noticed that PAM authentication is done by a separate thread, and I'm not sure how the getpwnam() result obtained in the sshpam thread is passed back to the parent thread), but my lack of patience or expertise keeps me from making any further progress. I think I may be missing something in my PAM module, but that isn't very clear either.

Any of your expert comments would be greatly appreciated. I'm not yet a subscriber of this mailing list, so I may need to be CC'ed in your response.

Thanks,

Hosung Song
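The NSS half of what the poster describes, as an added example that is not code from the original thread: a minimal reentrant getpwnam_r for a hypothetical "exampledb" source, backed by a constructed in-memory table and following the glibc NSS entry-point convention (the module is built as libnss_exampledb.so.2 and enabled with `passwd: files exampledb` in /etc/nsswitch.conf). It shows the property sshd relies on when it copies the struct and hands it between the privilege-separation monitor and child: every string in the returned struct passwd lives in the caller-supplied buffer, and a buffer that is too small is reported with ERANGE/NSS_STATUS_TRYAGAIN rather than truncated or blank fields.

```c
#include <nss.h>
#include <pwd.h>
#include <errno.h>
#include <string.h>
/* Constructed sample user table standing in for the poster's real user DB. */
struct dbent { const char *name; uid_t uid; gid_t gid; const char *dir; const char *shell; };
static const struct dbent users[] = {
    { "hosungs", 5001, 5001, "/home/hosungs", "/bin/bash" },
    { "alice",   5002, 5002, "/home/alice",   "/bin/sh"   },
};
/* Copy s into the caller's buffer, point *out at the copy, advance the cursor. */
static int put(char **cur, size_t *left, const char *s, char **out) {
    size_t n = strlen(s) + 1;
    if (n > *left) return -1;               /* caller must report ERANGE */
    memcpy(*cur, s, n);
    *out = *cur; *cur += n; *left -= n;
    return 0;
}
/* glibc entry point for the hypothetical "exampledb" source. Every string in *pw
 * must live inside buf, never in module-private or per-thread storage: sshd copies
 * the struct and, with privilege separation, passes it from monitor to child. */
enum nss_status _nss_exampledb_getpwnam_r(const char *name, struct passwd *pw,
                                          char *buf, size_t buflen, int *errnop) {
    for (size_t i = 0; i < sizeof users / sizeof users[0]; i++) {
        const struct dbent *e = &users[i];
        char *cur = buf; size_t left = buflen;
        if (strcmp(e->name, name) != 0) continue;
        if (put(&cur, &left, e->name, &pw->pw_name) ||
            put(&cur, &left, "x", &pw->pw_passwd) ||  /* the secret stays in PAM */
            put(&cur, &left, "", &pw->pw_gecos) ||
            put(&cur, &left, e->dir, &pw->pw_dir) ||
            put(&cur, &left, e->shell, &pw->pw_shell)) {
            *errnop = ERANGE;                   /* glibc retries with a larger buf */
            return NSS_STATUS_TRYAGAIN;
        }
        pw->pw_uid = e->uid; pw->pw_gid = e->gid;
        return NSS_STATUS_SUCCESS;
    }
    *errnop = ENOENT;
    return NSS_STATUS_NOTFOUND;
}
/* Demo/test wrapper: uid on success, -1 if unknown, -2 if buflen is too small. */
long lookup_uid(const char *name, size_t buflen) {
    struct passwd pw; char buf[256]; int err = 0;
    if (buflen > sizeof buf) buflen = sizeof buf;
    enum nss_status st = _nss_exampledb_getpwnam_r(name, &pw, buf, buflen, &err);
    if (st == NSS_STATUS_SUCCESS) return (long)pw.pw_uid;
    return (st == NSS_STATUS_TRYAGAIN && err == ERANGE) ? -2 : -1;
}
```

lookup_uid is only a demo wrapper; a real module would also export getpwuid_r (which sshd needs for uid lookups) and the setpwent/getpwent_r/endpwent enumeration entry points.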
Christian Pfaffel-Janser
2009-Feb-04 15:33 UTC
SSH PAM authentication/login with a new user DB (through NSS)
Hosung Song wrote:
> Hello,
>
>
> I tried to analyze the sshd source code as much as possible to figure
> out how the passwd structs are related (noticed that PAM authentication
> is done by a separate thread, and I'm not sure how the getpwnam() result
> obtained in the sshpam thread is passed back to the parent thread), but
> my lack of patience or expertise keeps me from making any further
> progress. I think I may be missing something in my PAM module, but that
> isn't very clear either.
>
> Any of your expert comments would be greatly appreciated. I'm not yet a
> subscriber of this mailing list, so I may need to be CC'ed in your response.
>
> Thanks,
>
> Hosung Song
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>

Hi,

just a wild guess, does it work if you turn PrivilegeSeparation off?

Best regards,

Christian

--
Company: Siemens Aktiengesellschaft Österreich
Legal form: Aktiengesellschaft
Registered office: Vienna, commercial register number: FN 60562 m
Commercial register court: Handelsgericht Wien, DVR: 0001708