thr3ads.net - openssh unix dev - OpenSSH >=7.0 and pam

If this information is useful, please help other people find it:
Share via:

Yemelyanenko Fyodor

2018-Mar-19 06:44 UTC

OpenSSH >=7.0 and pam_unix.so

Hello!

I have custom linux image based on CentOS 6.3
Linux kernel is 3.10.72-72

I now upgrading OpenSSH from 3.8 version to latest possible. Primarily I'm
interesting to upgrade SSHD
I've build openssh got from
https://ftp2.eu.openbsd.org/pub/OpenBSD/OpenSSH/portable/ with following
commands:
    ./configure --prefix=/usr --sysconfdir=/etc/ssh
--libexecdir=/usr/libexec/openssh --with-pam --with-privsep-path=/var/empty/sshd
--without-kerberos
    make

Build succeeded and able to deploy SSHD on my Linux.
SSHD successfully started.
If I use version <=6.9 I'm able to successfully login after upgrade
(tried with 5.1, 6.5 and 6.9)
If I use version >=7.0 I'm not able to login and get following error in
syslog (tried with 7.0, 7.5 and 7.6)

Mar 17 21:31:45 sshd[7961]: pam_unix(sshd:auth): authentication failure;
logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.170 user=admin

I also tried to upgrade pam_unix.so to version found in LinuxPAM 1.3.

For me it seems to be some issue with SSHD version >=7.0
May be there were some change related to pam_unix.so usage?

My /etc/pam.d/sshd file

#%PAM-1.0
auth       include      system-auth
account    include      system-auth
account    required     pam_nologin.so
account    required     pam_disabled.so
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so

and /etc/pam.d/system-auth file

#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass likeauth nodelay
auth        required      pam_deny.so

account     required      pam_unix.so

password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass
use_authtok
password    required      pam_deny.so

session     required      pam_limits.so
session     required      pam_unix.so

Darren Tucker

2018-Mar-19 11:22 UTC

head link

OpenSSH >=7.0 and pam_unix.so

On 19 March 2018 at 17:44, Yemelyanenko Fyodor <fyodor_e at hotmail.com>
wrote:
[...]> If I use version <=6.9 I'm able to successfully login after upgrade
(tried with 5.1, 6.5 and 6.9)
> If I use version >=7.0 I'm not able to login and get following error
in syslog (tried with 7.0, 7.5 and 7.6)
I don't know of any changes that would explain this and there's not
really enough information here to figure it out.

I suggest capturing the debug output (/path/to/sshd -ddde -p 222) from
6.9p1 and 7.0p1 to minimise the differences then compare the them to
see where they vary, then if the reason is not obvious please post
both here.

-- 
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

openssh unix dev - Mar 2018 - OpenSSH >=7.0 and pam_unix.so

OpenSSH >=7.0 and pam_unix.so

OpenSSH >=7.0 and pam_unix.so