search for: auth2_challenge

...e password_authentication option was ignored, patch follows. Wichert. diff -wur org/openssh-2.5.2p2/auth2.c openssh-2.5.2p2/auth2.c --- org/openssh-2.5.2p2/auth2.c Sun Mar 11 21:01:56 2001 +++ openssh-2.5.2p2/auth2.c Mon Jun 4 23:31:54 2001 @@ -397,7 +397,7 @@ authenticated = auth2_challenge(authctxt, devs); #ifdef USE_PAM - if (authenticated == 0) + if (options.password_authentication && authenticated == 0) authenticated = auth2_pam(authctxt); #endif xfree(lang); -- _________________________________________________________________ /...

...debug1: userauth-request for user alice$ service ssh-connection method keyboard-interactive [preauth] May 25 13:43:44 alice sshd[29647]: debug1: attempt 4 failures 3 [preauth] May 25 13:43:44 alice sshd[29647]: debug1: keyboard-interactive devs [preauth] May 25 13:43:44 alice sshd[29647]: debug1: auth2_challenge: user=alice$ devs= [preauth] May 25 13:43:44 alice sshd[29647]: debug1: kbdint_alloc: devices 'pam' [preauth] May 25 13:43:44 alice sshd[29647]: debug1: auth2_challenge_start: trying authentication method 'pam' [preauth] I am confused. Is there something what i forgotten? PAM? I r...

...none for cheekoon from 127.0.0.1 port 32948 ssh2 > Failed none for cheekoon from 127.0.0.1 port 32948 ssh2 > debug1: userauth-request for user cheekoon service ssh-connection method > keyboard-interactive > debug1: attempt 1 failures 1 > debug1: keyboard-interactive devs > debug1: auth2_challenge: user=cheekoon devs= > debug1: kbdint_alloc: devices '' > Failed keyboard-interactive for cheekoon from 127.0.0.1 port 32948 ssh2 > debug1: userauth-request for user cheekoon service ssh-connection method > password > debug1: attempt 2 failures 2 > debug1: PAM Password aut...

...4748 debug: SSH2_MSG_NEWKEYS received debug: userauth-request for user terter service ssh-connection method none debug: attempt 0 failures 0 debug: userauth-request for user terter service ssh-connection method keyboard-interactive debug: attempt 1 failures 1 debug: keyboard-interactive devs debug: auth2_challenge: user=terter devs= debug: kbdint_alloc: devices '' debug: userauth-request for user terter service ssh-connection method password debug: attempt 2 failures 2 Accepted password for terter from 172.23.1.174 port 1331 ssh2 Accepted password for terter from 172.23.1.174 port 1331 ssh2 debug: E...

...PAM: setting PAM_TTY to "ssh" Failed none for root from x.x.x.x port 2319 ssh2 Failed none for root from x.x.x.x port 2319 ssh2 debug1: userauth-request for user root service ssh-connection method keyboard-interactive debug1: attempt 1 failures 1 debug1: keyboard-interactive devs debug1: auth2_challenge: user=root devs= debug1: kbdint_alloc: devices 'pam' debug1: auth2_challenge_start: trying authentication method 'pam' Postponed keyboard-interactive for root from x.x.x.x port 2319 ssh2 Postponed keyboard-interactive/pam for root from x.x.x.x port 2319 ssh2 Accepted keyboard-intera...

...t; debug1: PAM: setting PAM_RHOST to "10.10.0.34" debug1: PAM: setting PAM_TTY to "ssh" debug1: userauth-request for user root service ssh-connection method keyboard-interactive [preauth] debug1: attempt 1 failures 0 [preauth] debug1: keyboard-interactive devs [preauth] debug1: auth2_challenge: user=root devs= [preauth] debug1: kbdint_alloc: devices 'pam' [preauth] debug1: auth2_challenge_start: trying authentication method 'pam' [preauth] Postponed keyboard-interactive for root from 10.10.0.34 port 38327 ssh2 [preauth] PAM: Authentication failure for root from 10.10.0.34...

...r sshd[23109]: debug1: attempt 2 failures 1 [preauth] Dec 23 07:05:21 server sshd[23109]: debug2: input_userauth_request: try method keyboard-interactive [preauth] Dec 23 07:05:21 server sshd[23109]: debug1: keyboard-interactive devs [preauth] Dec 23 07:05:21 server sshd[23109]: debug1: auth2_challenge: user=root devs= [preauth] Dec 23 07:05:21 server sshd[23109]: debug1: kbdint_alloc: devices 'pam' [preauth] Dec 23 07:05:21 server sshd[23109]: debug2: auth2_challenge_start: devices pam [preauth] Dec 23 07:05:21 server sshd[23109]: debug2: kbdint_next_device: devices <empty...

...es ECHO_OFF and > ECHO_ON should be combined into a single case, as should the ERROR_MSG > and TEXT_INFO cases; just as you do in sshpam_query(). > > The code as a whole /is/ far cleaner than what exists currently, so that > is a big plus. > > I dislike that kbdint is run via auth2_challenge() and all the refs > to "challenge". It's not necessarily a challenge. > > /fc

...Don't know if this is specific to my system or to Linux in general. On Solaris 9 SPARC, everything works fine. The last lines displayed by "sshd -D -d -d -d -4" are: [...] debug2: input_userauth_request: try method keyboard-interactive debug1: keyboard-interactive devs debug1: auth2_challenge: user=fubar devs= debug1: kbdint_alloc: devices '' debug2: auth2_challenge_start: devices Failed keyboard-interactive for fubar from 127.0.0.1 port 51264 ssh2 debug3: Trying to reverse map address 127.0.0.1. debug1: do_cleanup And "strace -f sshd -D -4" says: [...] [pid...

...debug1: PAM: setting PAM_RHOST to "172.22.100.17" debug1: PAM: setting PAM_TTY to "ssh" debug1: userauth-request for user kmk service ssh-connection method keyboard-interactive [preauth] debug1: attempt 1 failures 0 [preauth] debug1: keyboard-interactive devs [preauth] debug1: auth2_challenge: user=kmk devs= [preauth] debug1: kbdint_alloc: devices 'pam,skey' [preauth] debug1: auth2_challenge_start: trying authentication method 'skey' [preauth] Postponed keyboard-interactive for kmk from 172.22.100.17 port 56339 ssh2 [preauth] auth2_update_methods_lists: method not in Aut...

...public key file /home/dummy/.ssh/authorized_keys2 debug1: restore_uid: 0/0 Failed publickey for dummy from 192.168.247.63 port 34762 ssh2 debug1: userauth-request for user dummy service ssh-connection method keyboard-interactive debug1: attempt 3 failures 3 debug1: keyboard-interactive devs debug1: auth2_challenge: user=dummy devs= debug1: kbdint_alloc: devices '' Failed keyboard-interactive for dummy from 192.168.247.63 port 34762 ssh2 debug1: userauth-request for user dummy service ssh-connection method password debug1: attempt 4 failures 4 debug1: do_cleanup Segmentation fault(coredump) ________...

...ser user1 service ssh-connection method none debug1: attempt 0 failures 0 Failed none for user1 from 192.xx.xx.xx port 49297 ssh2 debug1: userauth-request for user user1 service ssh-connection method keyboard-interactive debug1: attempt 1 failures 1 debug1: keyboard-interactive devs debug1: auth2_challenge: user=user1 devs= debug1: kbdint_alloc: devices '' Failed keyboard-interactive for user1 from 192.xx.xx.xx port 49297 ssh2 debug1: userauth-request for user user1 service ssh-connection method password debug1: attempt 2 failures 2 kerberos-iv/udp unknown service, using default port 7...

...ed none for illegal user jvijayku from 64.104.131.187 port 33729 ssh2 debug1: userauth-request for user jvijayku service ssh-connection method keyboard-interactive debug1: attempt 1 failures 1 debug2: input_userauth_request: try method keyboard-interactive debug1: keyboard-interactive devs debug1: auth2_challenge: user=jvijayku devs= debug1: kbdint_alloc: devices 'pam' debug2: auth2_challenge_start: devices pam debug2: kbdint_next_device: devices <empty> debug1: auth2_challenge_start: trying authentication method 'pam' debug3: ssh_msg_recv entering debug3: ssh_msg_send: type 1 Postpone...

...r not authenticated Failed none for root from 192.168.0.66 port 32982 ssh2 debug1: userauth-request for user root service ssh-connection method keyboard-interactive debug1: attempt 1 failures 1 debug2: input_userauth_request: try method keyboard-interactive debug1: keyboard-interactive devs debug1: auth2_challenge: user=root devs= debug1: kbdint_alloc: devices '' debug2: auth2_challenge_start: devices Failed keyboard-interactive for root from 192.168.0.66 port 32982 ssh2 debug1: userauth-request for user root service ssh-connection method password debug1: attempt 2 failures 2 debug2: input_userauth_r...

...took me a bit to wrap my head around privsep, but I think it's working properly (code stolen shamelessly from FBSD's PAM implementation :->). The hardest part was working out how to get the interaction between krb5_get_init_creds_password() (along with the prompter) to work with the auth2_challenge routines, as the logic between the two are very similar. I ended up doing the following: - using a state machine and some global data to communicate between the KbdintDevice routines, krb5_g_i_c_p() and the prompter - rolled my own prompts, ignoring those generated by krb5_g_i_c_p()...

...=================================== RCS file: /cvs/openssh/auth2-kbdint.c,v retrieving revision 1.1 diff -u -p -r1.1 auth2-kbdint.c --- auth2-kbdint.c 6 Jun 2002 20:27:56 -0000 1.1 +++ auth2-kbdint.c 1 Mar 2003 17:37:41 -0000 @@ -50,7 +50,13 @@ userauth_kbdint(Authctxt *authctxt) authenticated = auth2_challenge(authctxt, devs); #ifdef USE_PAM - if (authenticated == 0 && options.pam_authentication_via_kbd_int) + /* In the normal case, try PAM if challenge-response failed. + However, if this was a prerequisite challenge-response + authentication attempt, and PAM auth is permitted as a +...

...'m doing here is awful, but it illustrates the problem. I did try to change pam-auth.c to defer user-mapping until after we open the accounting session, but this seems to be non-trivial. Please advise on the best approach from here. Here is the debug output for sshd without my hack: debug1: auth2_challenge: user=tacuser devs= debug1: kbdint_alloc: devices 'pam' debug1: auth2_challenge_start: trying authentication method 'pam' Postponed keyboard-interactive for tacuser from 192.168.0.104 port 37235 ssh2 debug1: sshpam_check_userchanged debug1: PAM: user mapped from 'tacuser' to...

...iled publickey for illegal user root from xxx.xxx.xxx.xxx port 45624 ssh2 debug1: userauth-request for user root service ssh-connection method keyboard-in teractive debug1: attempt 3 failures 3 debug2: input_userauth_request: try method keyboard-interactive debug1: keyboard-interactive devs debug1: auth2_challenge: user=root devs= debug1: kbdint_alloc: devices '' debug2: auth2_challenge_start: devices Failed keyboard-interactive for illegal user root from xxx.xxx.xxx.xxx port nnnnn ssh2 Connection closed by xxx.xxx.xxx.xxx debug1: Calling cleanup 0x2002a790(0x0) debug1: Calling cleanup 0x2002a790(0x...

I added an EXPLICIT AuthenticationMethods publickey,keyboard-interactive + UsePam yes to sshd_config. Now, at connect attempt I get Password: Verification code: Password: Verification code: Password: ... I.e., It's asking for Password, not accepting pubkey AND when given the password (which is correct), and the GA VerificationCode, it simply repeats the credentials request.

...authorized_keys debug1: trying public key file /Users/themac/.ssh/authorized_keys2 Failed publickey for themac from ::1 port 55838 ssh2 debug1: userauth-request for user themac service ssh-connection method keyboard-interactive debug1: attempt 2 failures 2 debug1: keyboard-interactive devs debug1: auth2_challenge: user=themac devs= debug1: kbdint_alloc: devices '' Failed keyboard-interactive for themac from ::1 port 55838 ssh2 debug1: userauth-request for user themac service ssh-connection method password debug1: attempt 3 failures 3 Failed password for themac from ::1 port 55838 ssh2 Failed passwor...