thr3ads.net - openssh unix dev - Bad Password - #010#012#015#177INCORRECT : ssh -> pam -> libpam

If this information is useful, please help other people find it:
Share via:

Sangeeth Saravanaraj

2014-Mar-05 18:46 UTC

Bad Password - #010#012#015#177INCORRECT : ssh -> pam -> libpam_sqlite -> sqlite3

I want to configure secure shell access to a Linux machine where allowed
users are stored in an sqlite3 database and not in the /etc/passwd,
/etc/shadow and /etc/group. I use PAM for user authentication. In this case
I use
libpam_sqlite<https://github.com/sangeeths/libpam-sqlite/blob/master/README_pam_sqlite3>which
performs PAM actions like auth, account, password, etc on user data
stored in an sqlite3 database.

I have the following configuration in my /etc/pam.d/sshd

    auth        required    /lib/security/pam_sqlite3.so
    account     required    /lib/security/pam_sqlite3.so
    password    required    /lib/security/pam_sqlite3.so

When I tried to ssh to the box using a userid which is residing in the
sqlite3 database only (and not in /etc/passwd), the authentication failed.
The problem I found was, when an ssh is attempted, OpenSSH module is trying
to get the user info from the /etc/passwd file and when it found that the
user does not exist, it passes "#010#012#015#177INCORRECT" as the
password
(and discards the password entered by the user) to the libpam_sqlite
module. Then obviously the libpam_sqlite3 denies access to the user because
the password is incorrect!

When looked into the OpenSSH code, I found that getpwnam() in
auth.c::getpwnamallow() sets pw = NULL and so the following message appears!

debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 0
Invalid user XXXXXX from A.B.C.D

Now, to the questions:

   1. Why does OpenSSH replaces the password entered by the user with the
   bad password - "\b\n\r\177INCORRECT" when the user is not present
in the
   /etc/passwd file?
   2. Is there a way to tell OpenSSH not to override the password entered
   by the user?
   3. Is it really possible to authenticate a user based on an sqlite3
   database when the user record is not present in the /etc/passwd,
   /etc/shadow and /etc/group?

Thank you,

Sangeeth

Karl O. Pinc

2014-Mar-05 19:00 UTC

head link

Bad Password - #010#012#015#177INCORRECT : ssh -> pam -> libpam_sqlite -> sqlite3

On 03/05/2014 12:46:18 PM, Sangeeth Saravanaraj wrote:> I want to configure secure shell access to a Linux machine where
> allowed
> users are stored in an sqlite3 database and not in the /etc/passwd,
> /etc/shadow and /etc/group. I use PAM for user authentication.
I can't speak to the internals but have you set 
UsePAM Yes in sshd_config?



Karl <kop at meme.com>
Free Software:  "You don't pay back, you pay forward."
                 -- Robert A. Heinlein

Maybe Matching Threads

Search for more apparently analagous threads

openssh unix dev - Mar 2014 - Bad Password - #010#012#015#177INCORRECT : ssh -> pam -> libpam_sqlite -> sqlite3

Bad Password - #010#012#015#177INCORRECT : ssh -> pam -> libpam_sqlite -> sqlite3

Bad Password - #010#012#015#177INCORRECT : ssh -> pam -> libpam_sqlite -> sqlite3

Maybe Matching Threads