Re: Solaris + OpenSSH + LDAP + PAM

From: Derek Harkness (dharknes_at_umd.umich.edu)
Date: 04/17/04

  • Next message: Darren Tucker: "Re: OpenSSH and pam_krb5"
    Date: Sat, 17 Apr 2004 00:30:08 -0400
    To: Jim Conner <jconner@lrn.com>

    Thanks for the comments. It appears the solution is to change my
    client settings, which is a very difficult thing to do (2,000 SSH
    client installs and they all need to be redone, woohoo). There were
    changes made to the PAM handling which prevent openssh from working
    the way I want it to. So in the meantime I've switched back to openssh
    3.4p1.

    Thanks again,
    Derek

    On Apr 2, 2004, at 9:50 AM, Jim Conner wrote:

    > What does /var/adm/messages and/or /var/log/syslog say (did I get those
    > paths right? Anyway, I believe you know what I am talking about :)?
    >
    > Any PAM messages in there related to building the connection and
    > authentication? Which version of ldap are you using?
    >
    > I believe that this is the problem:
    >
    > debug1: Client protocol version 1.99; client software version 3.2.9 SSH Secure Shell for Windows
    > debug1: no match: 3.2.9 SSH Secure Shell for Windows
    > debug1: Enabling compatibility mode for protocol 2.0
    >
    > The compatibility mode for proto 2 *may* have something to do with it.
    > But, admittedly, I am throwing rocks in the dark here. Have you tried
    > forcing your client to use proto 2 only? Have you tried other clients
    > like putty? Do they behave the same?
    >
    > ------------------------------------
    > Jim Conner | Systems Administrator
    > 310.209.5487 | http://www.lrn.com
    > LRN -- The Legal Knowledge Network
    >
    >
    > -----Original Message-----
    > From: Derek Harkness [mailto:dharknes@umd.umich.edu]
    > Sent: Thursday, April 01, 2004 7:09 AM
    > To: secureshell@securityfocus.com
    > Subject: Solaris + OpenSSH + LDAP + PAM
    >
    >
    > This has probably come up before but I haven't been able to find a
    > suitable answer.
    >
    > I've got openssh 3.8p1 installed on a solaris 8 system using PAM+LDAP
    > authentication. When I connect using the openssh client everything
    > works fine, but when I use the SSH, Inc Windows client I can't login.
    >
    > Some issues I've identified:
    > 1) The Windows client defaults to Password authentication and won't
    > fall back to keyboard-interactive. But this doesn't seem to affect
    > logging into a Linux server using PAM + LDAP.
    >
    > 2) The server doesn't appear to pass the tunneled password through to PAM.
    > When the client forces Password authentication I get "Could not get
    > shadow information for <username>", which to me says ssh is attempting
    > to look up the user itself. Again, this doesn't happen on the Linux
    > server, which is also PAM+LDAP.
    >
    > Here is my pam.conf
    > sshd auth requisite pam_authtok_get.so.1
    > sshd auth sufficient pam_unix_auth.so.1
    > sshd auth required pam_ldap.so.1 debug use_first_pass
    > sshd account sufficient pam_ldap.so.1
    > sshd account required pam_unix_account.so.1
    > other session required pam_unix_session.so.1
    >
    > Here is my sshd_config
    > Protocol 2
    > PermitRootLogin no
    > PasswordAuthentication yes
    > ChallengeResponseAuthentication yes
    > UsePAM yes
    > X11Forwarding yes
    > PrintMotd no
    > UsePrivilegeSeparation yes
    > Compression yes
    > Subsystem sftp /usr/local/openssh-3.8p1/libexec/sftp-server
    >
    > Debug dump of sshd (sshd -ddd)
    > debug3: RNG is ready, skipping seeding
    > debug2: read_server_config: filename /etc/ssh/sshd_config
    > debug1: sshd version OpenSSH_3.8p1
    > debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key.
    > debug1: read PEM private key done: type RSA
    > debug1: private host key: #0 type 1 RSA
    > debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key.
    > debug1: read PEM private key done: type DSA
    > debug1: private host key: #1 type 2 DSA
    > debug1: Bind to port 22 on ::.
    > Server listening on :: port 22.
    > debug1: Bind to port 22 on 0.0.0.0.
    > Server listening on 0.0.0.0 port 22.
    > debug1: Server will not fork when running in debugging mode.
    > Connection from xxx.xxx.xxx.xxx port 29485
    > debug1: Client protocol version 1.99; client software version 3.2.9 SSH Secure Shell for Windows
    > debug1: no match: 3.2.9 SSH Secure Shell for Windows
    > debug1: Enabling compatibility mode for protocol 2.0
    > debug1: Local version string SSH-2.0-OpenSSH_3.8p1
    > debug3: privsep user:group 28574:1
    > debug1: permanently_set_uid: 28574/1
    > debug1: list_hostkey_types: ssh-rsa,ssh-dss
    > debug1: SSH2_MSG_KEXINIT sent
    > debug1: SSH2_MSG_KEXINIT received
    > debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
    > debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
    > debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
    > debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
    > debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    > debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    > debug2: kex_parse_kexinit: none,zlib
    > debug2: kex_parse_kexinit: none,zlib
    > debug2: kex_parse_kexinit:
    > debug2: kex_parse_kexinit:
    > debug2: kex_parse_kexinit: first_kex_follows 0
    > debug2: kex_parse_kexinit: reserved 0
    > debug2: kex_parse_kexinit: diffie-hellman-group1-sha1
    > debug2: kex_parse_kexinit: ssh-dss,ssh-rsa,x509v3-sign-dss,x509v3-sign-rsa
    > debug2: kex_parse_kexinit:
    > aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,twofish-cbc,arcfour
    > debug2: kex_parse_kexinit:
    > aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,twofish-cbc,arcfour
    > debug2: kex_parse_kexinit: hmac-md5,hmac-sha1
    > debug2: kex_parse_kexinit: hmac-md5,hmac-sha1
    > debug2: kex_parse_kexinit: none
    > debug2: kex_parse_kexinit: none
    > debug2: kex_parse_kexinit:
    > debug2: kex_parse_kexinit:
    > debug2: kex_parse_kexinit: first_kex_follows 0
    > debug2: kex_parse_kexinit: reserved 0
    > debug2: mac_init: found hmac-md5
    > debug1: kex: client->server aes128-cbc hmac-md5 none
    > debug2: mac_init: found hmac-md5
    > debug1: kex: server->client aes128-cbc hmac-md5 none
    > debug2: Network child is on pid 22534
    > debug3: preauth child monitor started
    > debug3: mm_request_receive entering
    > debug2: dh_gen_key: priv key bits set: 126/256
    > debug2: bits set: 514/1024
    > debug1: expecting SSH2_MSG_KEXDH_INIT
    > debug2: bits set: 510/1024
    > debug3: mm_key_sign entering
    > debug3: mm_request_send entering: type 4
    > debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN
    > debug3: mm_request_receive_expect entering: type 5
    > debug3: mm_request_receive entering
    > debug3: monitor_read: checking request 4
    > debug3: mm_answer_sign
    > debug3: mm_answer_sign: signature 125738(55)
    > debug3: mm_request_send entering: type 5
    > debug2: monitor_read: 4 used once, disabling now
    > debug3: mm_request_receive entering
    > debug2: kex_derive_keys
    > debug2: set_newkeys: mode 1
    > debug1: SSH2_MSG_NEWKEYS sent
    > debug1: expecting SSH2_MSG_NEWKEYS
    > debug2: set_newkeys: mode 0
    > debug1: SSH2_MSG_NEWKEYS received
    > debug1: KEX done
    > debug1: userauth-request for user testuser service ssh-connection method none
    > debug1: attempt 0 failures 0
    > debug3: mm_getpwnamallow entering
    > debug3: mm_request_send entering: type 6
    > debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM
    > debug3: mm_request_receive_expect entering: type 7
    > debug3: mm_request_receive entering
    > debug3: monitor_read: checking request 6
    > debug3: mm_answer_pwnamallow
    > debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
    > debug3: mm_request_send entering: type 7
    > debug2: input_userauth_request: setting up authctxt for testuser
    > debug3: mm_start_pam entering
    > debug3: mm_request_send entering: type 45
    > debug3: mm_inform_authserv entering
    > debug3: mm_request_send entering: type 3
    > debug2: input_userauth_request: try method none
    > debug3: mm_auth_password entering
    > debug3: mm_request_send entering: type 10
    > debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
    > debug3: mm_request_receive_expect entering: type 11
    > debug3: mm_request_receive entering
    > debug2: monitor_read: 6 used once, disabling now
    > debug3: mm_request_receive entering
    > debug3: monitor_read: checking request 45
    > debug1: PAM: initializing for "testuser"
    > debug3: Trying to reverse map address xxx.xxx.xxx.xxx.
    > debug1: PAM: setting PAM_RHOST to "xxx.xxx.xxx.xxx"
    > debug1: PAM: setting PAM_TTY to "ssh"
    > debug2: monitor_read: 45 used once, disabling now
    > debug3: mm_request_receive entering
    > debug3: monitor_read: checking request 3
    > debug3: mm_answer_authserv: service=ssh-connection, style=
    > debug2: monitor_read: 3 used once, disabling now
    > debug3: mm_request_receive entering
    > debug3: monitor_read: checking request 10
    > debug3: mm_answer_authpassword: sending result 0
    > debug3: mm_request_send entering: type 11
    > debug3: mm_auth_password: user not authenticated
    > Failed none for testuser from xxx.xxx.xxx.xxx port 29485 ssh2
    > Failed none for testuser from xxx.xxx.xxx.xxx port 29485 ssh2
    > debug3: mm_request_receive entering
    > debug1: userauth-request for user testuser service ssh-connection method password
    > debug1: attempt 1 failures 1
    > debug2: input_userauth_request: try method password
    > debug3: mm_auth_password entering
    > debug3: mm_request_send entering: type 10
    > debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
    > debug3: mm_request_receive_expect entering: type 11
    > debug3: mm_request_receive entering
    > debug3: monitor_read: checking request 10
    > Could not get shadow information for testuser
    > debug3: mm_answer_authpassword: sending result 0
    > debug3: mm_request_send entering: type 11
    > debug3: mm_auth_password: user not authenticated
    > Failed password for testuser from xxx.xxx.xxx.xxx port 29485 ssh2
    > Failed password for testuser from xxx.xxx.xxx.xxx port 29485 ssh2
    > debug3: mm_request_receive entering
    > Received disconnect from xxx.xxx.xxx.xxx: 13: Authentication cancelled by user.
    > debug1: do_cleanup
    > debug1: PAM: cleanup
    > debug3: PAM: sshpam_thread_cleanup entering
    > debug1: do_cleanup
    > debug1: PAM: cleanup
    > debug3: PAM: sshpam_thread_cleanup entering
    >
    > Thanks,
    > Derek
    >
    >
    "This world is a comedy to those who think and a tragedy to those who
    feel."
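The pam.conf quoted in the original post is worth reading as a decision procedure: pam_authtok_get is requisite, pam_unix_auth is sufficient, and pam_ldap is required with use_first_pass, so which module actually decides the outcome depends on whether the account exists locally. The following is an added example, not code from the thread or from OpenSSH or Solaris: it parses that pam.conf text exactly as posted and walks the sshd auth stack under caller-supplied, hypothetical module outcomes using a simplified model of the Solaris control flags. It does not load or call real PAM modules, and the module results (for example "pam_unix_auth fails because the user is LDAP-only") are assumptions made for the walk-through.

```python
"""Walk a Solaris-style pam.conf auth stack under hypothetical module results.

Added example (not from the mailing-list thread). Parses pam.conf syntax and
applies a simplified model of the control flags; it never calls real PAM.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed input: the pam.conf lines quoted in the post.
PAM_CONF = """\
sshd auth requisite pam_authtok_get.so.1
sshd auth sufficient pam_unix_auth.so.1
sshd auth required pam_ldap.so.1 debug use_first_pass
sshd account sufficient pam_ldap.so.1
sshd account required pam_unix_account.so.1
other session required pam_unix_session.so.1
"""


@dataclass
class Entry:
    service: str
    mtype: str      # auth / account / session / password
    control: str    # requisite / required / sufficient / optional
    module: str
    options: Tuple[str, ...]


def parse_pam_conf(text: str) -> List[Entry]:
    """Parse Solaris pam.conf syntax: service type control module [options]."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError("malformed pam.conf line: %r" % raw)
        service, mtype, control, module = fields[:4]
        entries.append(Entry(service, mtype, control.lower(), module, tuple(fields[4:])))
    return entries


def stack_for(entries: List[Entry], service: str, mtype: str) -> List[Entry]:
    """Select the stack for (service, type); fall back to the 'other' service
    when the named service has no entries of that type."""
    specific = [e for e in entries if e.service == service and e.mtype == mtype]
    if specific:
        return specific
    return [e for e in entries if e.service == "other" and e.mtype == mtype]


def evaluate(stack: List[Entry], results: Dict[str, bool]) -> Tuple[bool, List[str]]:
    """Return (stack_succeeded, modules_consulted_in_order).

    `results` maps module name -> True (success) or False; a module with no
    entry is treated as failing.  Simplified control-flag model (assumption):
      requisite  failure stops the stack immediately with failure
      required   failure is remembered, but later modules still run
      sufficient success ends the stack with success unless a required
                 module already failed; its failure is ignored
      optional   only decides the outcome if nothing else in the stack does
    """
    consulted: List[str] = []
    required_failed = False
    required_seen = False
    optional_result = None
    for e in stack:
        ok = results.get(e.module, False)
        consulted.append(e.module)
        if e.control == "requisite":
            required_seen = True
            if not ok:
                return False, consulted
        elif e.control == "required":
            required_seen = True
            if not ok:
                required_failed = True
        elif e.control == "sufficient":
            if ok and not required_failed:
                return True, consulted
        elif e.control == "optional":
            if optional_result is None:
                optional_result = ok
        else:
            raise ValueError("unknown control flag %r" % e.control)
    if required_failed:
        return False, consulted
    if required_seen:
        return True, consulted
    if optional_result is not None:
        return optional_result, consulted
    return False, consulted      # only 'sufficient' modules, and none succeeded


if __name__ == "__main__":
    stack = stack_for(parse_pam_conf(PAM_CONF), "sshd", "auth")
    # Hypothetical outcome: the user exists only in LDAP, not in local /etc/shadow.
    ldap_only = {"pam_authtok_get.so.1": True, "pam_unix_auth.so.1": False, "pam_ldap.so.1": True}
    print(evaluate(stack, ldap_only))
```

Two things the walk makes visible: a local account never reaches pam_ldap at all (the sufficient pam_unix_auth ends the stack), and a failed pam_authtok_get ends it before any password is checked. The model is deliberately generic; consult pam.conf(4) on the specific release for the exact return-code rules.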
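Most of the sshd -ddd dump in the post is key exchange; the lines that matter for the question are the client banner, the userauth-request methods, the Failed/Accepted results and the shadow warning. The following is an added example, not code from the thread or from OpenSSH: a small triage script that pulls those out of a transcript so a failing client can be compared with a working one. The sample log is constructed from the lines quoted in the post with the masked address replaced by a documentation address; the "findings" it prints are the observations Derek makes in his post, restated mechanically, not a diagnosis of the underlying OpenSSH behaviour.

```python
"""Summarise the authentication phase of an `sshd -ddd` transcript.

Added example (not from the mailing-list thread). Extracts the client
banner, the userauth methods tried, per-method outcomes and server warnings.
"""
import re
from typing import Dict, List

# Constructed sample modelled on the dump in the post (address substituted).
SAMPLE_LOG = """\
debug1: Client protocol version 1.99; client software version 3.2.9 SSH Secure Shell for Windows
debug1: no match: 3.2.9 SSH Secure Shell for Windows
debug1: Enabling compatibility mode for protocol 2.0
debug1: KEX done
debug1: userauth-request for user testuser service ssh-connection method none
Failed none for testuser from 192.0.2.10 port 29485 ssh2
Failed none for testuser from 192.0.2.10 port 29485 ssh2
debug1: userauth-request for user testuser service ssh-connection method password
Could not get shadow information for testuser
Failed password for testuser from 192.0.2.10 port 29485 ssh2
Failed password for testuser from 192.0.2.10 port 29485 ssh2
Received disconnect from 192.0.2.10: 13: Authentication cancelled by user.
"""

CLIENT_RE = re.compile(r"client software version (.+)$")
REQUEST_RE = re.compile(r"userauth-request for user (\S+) service (\S+) method (\S+)")
RESULT_RE = re.compile(r"^(Accepted|Failed) (\S+) for (\S+) from (\S+) port (\d+)")
SHADOW_RE = re.compile(r"^Could not get shadow information for (\S+)")
DISCONNECT_RE = re.compile(r"^Received disconnect from (\S+): (\d+): (.*)$")


def triage(log_text: str) -> Dict:
    summary: Dict = {"client": None, "requests": [], "results": [],
                     "warnings": [], "disconnect": None}
    previous = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == previous:        # the dump repeats auth result lines; count once
            continue
        previous = line
        m = CLIENT_RE.search(line)
        if m:
            summary["client"] = m.group(1)
            continue
        m = REQUEST_RE.search(line)
        if m:
            summary["requests"].append(
                {"user": m.group(1), "service": m.group(2), "method": m.group(3)})
            continue
        m = RESULT_RE.match(line)
        if m:
            summary["results"].append(
                {"outcome": m.group(1), "method": m.group(2), "user": m.group(3),
                 "peer": "%s:%s" % (m.group(4), m.group(5))})
            continue
        m = SHADOW_RE.match(line)
        if m:
            summary["warnings"].append("local shadow lookup failed for %s" % m.group(1))
            continue
        m = DISCONNECT_RE.match(line)
        if m:
            summary["disconnect"] = {"peer": m.group(1), "code": int(m.group(2)),
                                     "reason": m.group(3)}
    return summary


def methods_tried(summary: Dict) -> List[str]:
    """Methods the client actually attempted; 'none' is only the probe for the
    server's allowed-method list and is excluded."""
    seen: List[str] = []
    for r in summary["requests"]:
        if r["method"] != "none" and r["method"] not in seen:
            seen.append(r["method"])
    return seen


def findings(summary: Dict) -> List[str]:
    """Plain-language observations a practitioner would check first."""
    out: List[str] = []
    tried = methods_tried(summary)
    accepted = [r["method"] for r in summary["results"] if r["outcome"] == "Accepted"]
    if accepted:
        out.append("authentication succeeded via %s" % ", ".join(accepted))
        return out
    if "password" in tried and "keyboard-interactive" not in tried:
        out.append("client only tried 'password'; it never offered keyboard-interactive")
    if summary["warnings"] and "password" in tried:
        out.append("'password' attempt triggered a local shadow lookup (see warnings)")
    if summary["disconnect"]:
        out.append("client gave up: %s (code %d)"
                   % (summary["disconnect"]["reason"], summary["disconnect"]["code"]))
    return out


if __name__ == "__main__":
    s = triage(SAMPLE_LOG)
    print(s["client"], methods_tried(s))
    for f in findings(s):
        print("-", f)
```

Run it against a transcript from the OpenSSH client and one from the Windows client and diff the two findings lists; the method list alone shows whether the client ever sent keyboard-interactive.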
