RE: PAM auth and account with openssh

From: Tay, Gary (Gary_Tay_at_platts.com)
Date: 01/31/05

    Date: Mon, 31 Jan 2005 12:24:37 +0800
    To: "Victor Engle" <vic@summerseas.com>, "SSH list" <secureshell@securityfocus.com>
    
    

    Could you try:

    #PasswordAuthentication yes
    PasswordAuthentication no

    Gary

    -----Original Message-----
    From: Victor Engle [mailto:vic@summerseas.com]
    Sent: Saturday, January 29, 2005 4:22 AM
    To: Tay, Gary; SSH list
    Subject: Re: PAM auth and account with openssh

    Tay, Gary wrote:

    > If you think there is an issue in SSH, you should also post sshd_config
    > and ssh_config to the mail list. Look at messages and /var/log/auth.log
    > for extra info also.

    Here are the config files...

    sshd_config
    # This is the sshd server system-wide configuration file. See
    # sshd_config(5) for more information.

    # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin

    # The strategy used for options in the default sshd_config shipped with
    # OpenSSH is to specify options with their default value where
    # possible, but leave them commented. Uncommented options change a
    # default value.

    #Port 22
    #Protocol 2,1
    #ListenAddress 0.0.0.0
    #ListenAddress ::

    # HostKey for protocol version 1
    #HostKey /usr/local/etc/ssh_host_key
    # HostKeys for protocol version 2
    #HostKey /usr/local/etc/ssh_host_rsa_key
    #HostKey /usr/local/etc/ssh_host_dsa_key

    # Lifetime and size of ephemeral version 1 server key
    #KeyRegenerationInterval 1h
    #ServerKeyBits 768

    # Logging
    #obsoletes QuietMode and FascistLogging
    #SyslogFacility AUTH
    #LogLevel INFO

    # Authentication:

    #LoginGraceTime 2m
    #PermitRootLogin yes
    #StrictModes yes
    #MaxAuthTries 6

    #RSAAuthentication yes
    #PubkeyAuthentication yes
    #AuthorizedKeysFile .ssh/authorized_keys

    # For this to work you will also need host keys in /usr/local/etc/ssh_known_hosts
    #RhostsRSAAuthentication no
    # similar for protocol version 2
    #HostbasedAuthentication no
    # Change to yes if you don't trust ~/.ssh/known_hosts for
    # RhostsRSAAuthentication and HostbasedAuthentication
    #IgnoreUserKnownHosts no
    # Don't read the user's ~/.rhosts and ~/.shosts files
    #IgnoreRhosts yes

    # To disable tunneled clear text passwords, change to no here!
    #PasswordAuthentication yes
    #PermitEmptyPasswords no

    # Change to no to disable s/key passwords
    #ChallengeResponseAuthentication yes

    # Kerberos options
    #KerberosAuthentication no
    #KerberosOrLocalPasswd yes
    #KerberosTicketCleanup yes
    #KerberosGetAFSToken no

    # GSSAPI options
    #GSSAPIAuthentication no
    #GSSAPICleanupCredentials yes

    # Set this to 'yes' to enable PAM authentication, account processing,
    # and session processing. If this is enabled, PAM authentication will
    # be allowed through the ChallengeResponseAuthentication mechanism.
    # Depending on your PAM configuration, this may bypass the setting of
    # PasswordAuthentication, PermitEmptyPasswords, and
    # "PermitRootLogin without-password". If you just want the PAM account and
    # session checks to run without PAM authentication, then enable this but set
    # ChallengeResponseAuthentication=no
    UsePAM yes

    #AllowTcpForwarding yes
    #GatewayPorts no
    #X11Forwarding no
    #X11DisplayOffset 10
    #X11UseLocalhost yes
    #PrintMotd yes
    #PrintLastLog yes
    #TCPKeepAlive yes
    #UseLogin no
    #UsePrivilegeSeparation yes
    #PermitUserEnvironment no
    #Compression yes
    #ClientAliveInterval 0
    #ClientAliveCountMax 3
    #UseDNS yes
    #PidFile /var/run/sshd.pid
    #MaxStartups 10

    # no default banner path
    #Banner /some/path

    # override default of no subsystems
    Subsystem sftp /usr/local/libexec/sftp-server

    ssh_config

    # This is the ssh client system-wide configuration file. See
    # ssh_config(5) for more information. This file provides defaults for
    # users, and the values can be changed in per-user configuration files
    # or on the command line.

    # Configuration data is parsed as follows:
    # 1. command line options
    # 2. user-specific file
    # 3. system-wide file
    # Any configuration value is only changed the first time it is set.
    # Thus, host-specific definitions should be at the beginning of the
    # configuration file, and defaults at the end.

    # Site-wide defaults for various options

    # Host *
    # ForwardAgent no
    # ForwardX11 no
    # RhostsRSAAuthentication no
    # RSAAuthentication yes
    # PasswordAuthentication yes
    # HostbasedAuthentication no
    # BatchMode no
    # CheckHostIP yes
    # AddressFamily any
    # ConnectTimeout 0
    # StrictHostKeyChecking ask
    # IdentityFile ~/.ssh/identity
    # IdentityFile ~/.ssh/id_rsa
    # IdentityFile ~/.ssh/id_dsa
    # Port 22
    # Protocol 2,1
    # Cipher 3des
    # Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
    # EscapeChar ~

    > -----Original Message-----
    > From: Victor Engle [mailto:vic@summerseas.com]
    > Sent: Fri 1/28/2005 9:27 PM
    > To: SSH list
    > Cc:
    > Subject: PAM auth and account with openssh
    >
    >
    >
    > Hi,
    >
    > I have a Sun LDAP server version 5.2 that I am using as a Solaris naming
    > service. Everything is working as expected except for a problem with
    > sshd and pam. With the following entries in pam.conf everything works
    > well except that password expiration from the ldap server is ignored.
    >
    > sshd auth requisite pam_authtok_get.so.1
    > sshd auth required pam_dhkeys.so.1
    > sshd auth sufficient pam_unix_auth.so.1
    > sshd auth required pam_ldap.so.1 try_first_pass
    > sshd account required pam_unix_account.so.1
    >
    > If I use the following entries in pam.conf everything works including
    > password expiration unless I use a public key for authentication. If I
    > have a public key in place I am unable to log in. I get prompted for a
    > password and that fails. If I remove the public key I am prompted for a
    > password and get successfully authenticated.
    >
    > sshd auth requisite pam_authtok_get.so.1
    > sshd auth required pam_dhkeys.so.1
    > sshd auth sufficient pam_unix_auth.so.1
    > sshd auth required pam_ldap.so.1 try_first_pass
    > sshd account sufficient pam_ldap.so.1
    > sshd account binding pam_unix_account.so.1 server_policy
    >
    >
    > Here is the ssh client debug output from trying to login with the public
    > key and the above pam.conf entries.
    >
    > [vengle@datamart-->]ssh -v sniper
    > OpenSSH_3.9p1, OpenSSL 0.9.7e 25 Oct 2004
    > debug1: Reading configuration data /usr/local/etc/ssh_config
    > debug1: Connecting to sniper [66.43.143.232] port 22.
    > debug1: Connection established.
    > debug1: identity file /home/vengle/.ssh/identity type -1
    > debug1: identity file /home/vengle/.ssh/id_rsa type 1
    > debug1: identity file /home/vengle/.ssh/id_dsa type -1
    > debug1: Remote protocol version 1.99, remote software version OpenSSH_3.9p1
    > debug1: match: OpenSSH_3.9p1 pat OpenSSH*
    > debug1: Enabling compatibility mode for protocol 2.0
    > debug1: Local version string SSH-2.0-OpenSSH_3.9p1
    > debug1: SSH2_MSG_KEXINIT sent
    > debug1: SSH2_MSG_KEXINIT received
    > debug1: kex: server->client aes128-cbc hmac-md5 none
    > debug1: kex: client->server aes128-cbc hmac-md5 none
    > debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
    > debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
    > debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    > debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    > debug1: Host 'sniper' is known and matches the RSA host key.
    > debug1: Found key in /home/vengle/.ssh/known_hosts:3
    > debug1: ssh_rsa_verify: signature correct
    > debug1: SSH2_MSG_NEWKEYS sent
    > debug1: expecting SSH2_MSG_NEWKEYS
    > debug1: SSH2_MSG_NEWKEYS received
    > debug1: SSH2_MSG_SERVICE_REQUEST sent
    > debug1: SSH2_MSG_SERVICE_ACCEPT received
    > debug1: Authentications that can continue: publickey,password,keyboard-interactive
    > debug1: Next authentication method: publickey
    > debug1: Trying private key: /home/vengle/.ssh/identity
    > debug1: read PEM private key done: type RSA
    > debug1: Authentications that can continue: publickey,password,keyboard-interactive
    > debug1: Offering public key: /home/vengle/.ssh/id_rsa
    > debug1: Server accepts key: pkalg ssh-rsa blen 149
    > debug1: read PEM private key done: type RSA
    > debug1: Authentications that can continue: publickey,password,keyboard-interactive
    > debug1: Trying private key: /home/vengle/.ssh/id_dsa
    > debug1: Next authentication method: keyboard-interactive
    > Password:
    >
    >
    > The server accepts the key but continues to try to authenticate me. Any
    > help or direction would be greatly appreciated.
    >
    > Thanks,
    > Vic Engle
    >
    >
    >
    >
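An added example, written here and not posted by anyone in the thread: it reads the relevant sshd_config keywords the way the file's own header describes (commented lines are the defaults, uncommented lines override them) and reports which authentication methods can still put a password prompt in front of a user once UsePAM is on, which is the interaction the UsePAM comment in the posted file warns about. The sample strings are constructed from the posted file, from Gary's suggested change, and from the "Authentications that can continue" line in Vic's debug output.

```python
import re

# Defaults taken from the commented-out lines of the sshd_config posted above.
DEFAULTS = {
    "usepam": "no",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "permitemptypasswords": "no",
    "permitrootlogin": "yes",
}

def effective_settings(config_text):
    """Apply uncommented 'Keyword value' or 'Keyword=value' lines over DEFAULTS (keywords are case-insensitive)."""
    settings = dict(DEFAULTS)
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^([A-Za-z]+)\s*=?\s*(\S.*)$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip().lower()
        if key in DEFAULTS:
            settings[key] = value
    return settings

def password_prompt_paths(settings):
    """Methods through which a password prompt can still reach the user, per the UsePAM comment."""
    paths = []
    if settings["passwordauthentication"] == "yes":
        paths.append("password")
    if settings["usepam"] == "yes" and settings["challengeresponseauthentication"] == "yes":
        paths.append("keyboard-interactive")  # PAM prompts here even with PasswordAuthentication no
    return paths

def offered_methods(ssh_debug):
    """Methods the server advertised in 'Authentications that can continue:' lines of ssh -v output."""
    methods = set()
    for m in re.finditer(r"Authentications that can continue:\s*([\w,-]+)", ssh_debug):
        methods.update(m.group(1).split(","))
    return sorted(methods)

# Constructed samples: the posted file's relevant lines, Gary's suggestion, and the comment's fix.
POSTED = "#PasswordAuthentication yes\n#ChallengeResponseAuthentication yes\nUsePAM yes\n"
SUGGESTED = "PasswordAuthentication no\n" + POSTED
CLOSED = "ChallengeResponseAuthentication=no\n" + SUGGESTED
DEBUG_LINE = "debug1: Authentications that can continue: publickey,password,keyboard-interactive"

if __name__ == "__main__":
    for name, text in (("posted", POSTED), ("suggested", SUGGESTED), ("closed", CLOSED)):
        print(name, password_prompt_paths(effective_settings(text)))
```

With the posted file both "password" and "keyboard-interactive" remain open, which matches the methods the server advertised in the debug output; Gary's change closes only the first, and the second stays until ChallengeResponseAuthentication is set to no as the file's comment says.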

