RE: PAM auth and account with openssh

From: Tay, Gary (Gary_Tay_at_platts.com)
Date: 02/01/05

  • Next message: Bob Rasmussen: "Re: sftp virtual users question"
    Date: Tue, 1 Feb 2005 16:39:55 +0800
    To: "Victor Engle" <vic@summerseas.com>
    
    

    See
    http://docsun.cites.uiuc.edu/sun_docs/C/solaris_9/SUNWaadm/SYSADV5/p62.h
    tml
    The example of pam.conf with Password Management Support.

    -----Original Message-----
    From: Victor Engle [mailto:vic@summerseas.com]
    Sent: Monday, January 31, 2005 9:46 PM
    To: Tay, Gary
    Cc: SSH list
    Subject: Re: PAM auth and account with openssh

    Setting "PasswordAuthentication no" didn't correct the problem. Through
    trial and error I did manage to learn that if I remove the server_policy

    from this line in the pam stack for sshd then the login works with both
    public key and password but fails to give me the "password will expire"
    warning.

    sshd account required pam_unix_account.so.1
    server_policy

    When the sshd line above has the server_policy parameter at the end the
    warning works as expected but public key logins fail. Also when the
    public key login fails I am prompted for a password and that also fails.

    The problem became apparent when I began trying to get password
    expiration and account lockout from our ldap server working. We needed
    to get this to work to satisfy our auditors.

    Thanks,
    Vic

    Tay, Gary wrote:

    >Could you try:
    >
    >#PasswordAuthentication yes
    >PasswordAuthentication no
    >
    >Gary
    >
    >-----Original Message-----
    >From: Victor Engle [mailto:vic@summerseas.com]
    >Sent: Saturday, January 29, 2005 4:22 AM
    >To: Tay, Gary; SSH list
    >Subject: Re: PAM auth and account with openssh
    >
    >
    >Tay, Gary wrote:
    >
    >
    >
    >>If you think there is issue in SSH, you should also post sshd_config
    >>
    >>
    >and ssh_config to the mail list. Look at messages and /var/log/auth.log

    >for extra info also.
    >
    >
    >>
    >>
    >>
    >>
    >
    >
    >
    >Here are the config files...
    >
    >sshd_config
    ># This is the sshd server system-wide configuration file. See #
    >sshd_config(5) for more information.
    >
    ># This sshd was compiled with
    >PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
    >
    ># The strategy used for options in the default sshd_config shipped with

    ># OpenSSH is to specify options with their default value where #
    >possible, but leave them commented. Uncommented options change a #
    >default value.
    >
    >#Port 22
    >#Protocol 2,1
    >#ListenAddress 0.0.0.0
    >#ListenAddress ::
    >
    ># HostKey for protocol version 1
    >#HostKey /usr/local/etc/ssh_host_key
    ># HostKeys for protocol version 2
    >#HostKey /usr/local/etc/ssh_host_rsa_key
    >#HostKey /usr/local/etc/ssh_host_dsa_key
    >
    ># Lifetime and size of ephemeral version 1 server key
    >#KeyRegenerationInterval 1h #ServerKeyBits 768
    >
    ># Logging
    >#obsoletes QuietMode and FascistLogging
    >#SyslogFacility AUTH
    >#LogLevel INFO
    >
    ># Authentication:
    >
    >#LoginGraceTime 2m
    >#PermitRootLogin yes
    >#StrictModes yes
    >#MaxAuthTries 6
    >
    >#RSAAuthentication yes
    >#PubkeyAuthentication yes
    >#AuthorizedKeysFile .ssh/authorized_keys
    >
    ># For this to work you will also need host keys in
    >/usr/local/etc/ssh_known_hosts
    >#RhostsRSAAuthentication no
    ># similar for protocol version 2
    >#HostbasedAuthentication no
    ># Change to yes if you don't trust ~/.ssh/known_hosts for
    ># RhostsRSAAuthentication and HostbasedAuthentication
    >#IgnoreUserKnownHosts no
    ># Don't read the user's ~/.rhosts and ~/.shosts files
    >#IgnoreRhosts yes
    >
    ># To disable tunneled clear text passwords, change to no here!
    >#PasswordAuthentication yes #PermitEmptyPasswords no
    >
    ># Change to no to disable s/key passwords
    >#ChallengeResponseAuthentication yes
    >
    ># Kerberos options
    >#KerberosAuthentication no
    >#KerberosOrLocalPasswd yes
    >#KerberosTicketCleanup yes
    >#KerberosGetAFSToken no
    >
    ># GSSAPI options
    >#GSSAPIAuthentication no
    >#GSSAPICleanupCredentials yes
    >
    ># Set this to 'yes' to enable PAM authentication, account processing, #

    >and session processing. If this is enabled, PAM authentication will #
    >be allowed through the ChallengeResponseAuthentication mechanism. #
    >Depending on your PAM configuration, this may bypass the setting of #
    >PasswordAuthentication, PermitEmptyPasswords, and # "PermitRootLogin
    >without-password". If you just want the PAM account and
    ># session checks to run without PAM authentication, then enable this
    but
    >
    >set
    ># ChallengeResponseAuthentication=no
    >UsePAM yes
    >
    >#AllowTcpForwarding yes
    >#GatewayPorts no
    >#X11Forwarding no
    >#X11DisplayOffset 10
    >#X11UseLocalhost yes
    >#PrintMotd yes
    >#PrintLastLog yes
    >#TCPKeepAlive yes
    >#UseLogin no
    >#UsePrivilegeSeparation yes
    >#PermitUserEnvironment no
    >#Compression yes
    >#ClientAliveInterval 0
    >#ClientAliveCountMax 3
    >#UseDNS yes
    >#PidFile /var/run/sshd.pid
    >#MaxStartups 10
    >
    ># no default banner path
    >#Banner /some/path
    >
    ># override default of no subsystems
    >Subsystem sftp /usr/local/libexec/sftp-server
    >
    >
    >ssh_config
    >
    ># This is the ssh client system-wide configuration file. See #
    >ssh_config(5) for more information. This file provides defaults for #
    >users, and the values can be changed in per-user configuration files #
    >or on the command line.
    >
    ># Configuration data is parsed as follows:
    ># 1. command line options
    ># 2. user-specific file
    ># 3. system-wide file
    ># Any configuration value is only changed the first time it is set. #
    >Thus, host-specific definitions should be at the beginning of the #
    >configuration file, and defaults at the end.
    >
    ># Site-wide defaults for various options
    >
    ># Host *
    ># ForwardAgent no
    ># ForwardX11 no
    ># RhostsRSAAuthentication no
    ># RSAAuthentication yes
    ># PasswordAuthentication yes
    ># HostbasedAuthentication no
    ># BatchMode no
    ># CheckHostIP yes
    ># AddressFamily any
    ># ConnectTimeout 0
    ># StrictHostKeyChecking ask
    ># IdentityFile ~/.ssh/identity
    ># IdentityFile ~/.ssh/id_rsa
    ># IdentityFile ~/.ssh/id_dsa
    ># Port 22
    ># Protocol 2,1
    ># Cipher 3des
    ># Ciphers
    >aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-
    >c
    >bc
    ># EscapeChar ~
    >
    >
    >
    >> -----Original Message-----
    >> From: Victor Engle [mailto:vic@summerseas.com]
    >> Sent: Fri 1/28/2005 9:27 PM
    >> To: SSH list
    >> Cc:
    >> Subject: PAM auth and account with openssh
    >>
    >>
    >>
    >> Hi,
    >>
    >> I have a Sun LDAP server version 5.2 that I am using as a
    >>
    >>
    >solaris naming
    >
    >
    >> service. Everything is working as expected except for a problem
    >>
    >>
    >with
    >
    >
    >> sshd and pam. With the following entries in pam.conf everything
    >>
    >>
    >works
    >
    >
    >> well except that password expiration from the ldap server is
    >>
    >>
    >ignored.
    >
    >
    >>
    >> sshd auth requisite pam_authtok_get.so.1
    >> sshd auth required pam_dhkeys.so.1
    >> sshd auth sufficient pam_unix_auth.so.1
    >> sshd auth required pam_ldap.so.1 try_first_pass
    >> sshd account required pam_unix_account.so.1
    >>
    >> If I use the following entries in pam.conf everything works
    >>
    >>
    >including
    >
    >
    >> password expiration unless I use a public key for
    >>
    >>
    >authentication. If I
    >
    >
    >> have a public key in place I am unable to log in. I get prompted
    >>
    >>
    >for a
    >
    >
    >> password and that fails. If I remove the public key I am
    >>
    >>
    >prompted for a
    >
    >
    >> password and get successfully authenticated.
    >>
    >> sshd auth requisite pam_authtok_get.so.1
    >> sshd auth required pam_dhkeys.so.1
    >> sshd auth sufficient pam_unix_auth.so.1
    >> sshd auth required pam_ldap.so.1 try_first_pass
    >> sshd account sufficient pam_ldap.so.1
    >> sshd account binding pam_unix_account.so.1
    >>
    >>
    >server_policy
    >
    >
    >>
    >>
    >> Here is the ssh client debug output from trying to login with
    >>
    >>
    >the public
    >
    >
    >> key and the above pam.conf entries.
    >>
    >> [vengle@datamart-->]ssh -v sniper
    >> OpenSSH_3.9p1, OpenSSL 0.9.7e 25 Oct 2004
    >> debug1: Reading configuration data /usr/local/etc/ssh_config
    >> debug1: Connecting to sniper [66.43.143.232] port 22.
    >> debug1: Connection established.
    >> debug1: identity file /home/vengle/.ssh/identity type -1
    >> debug1: identity file /home/vengle/.ssh/id_rsa type 1
    >> debug1: identity file /home/vengle/.ssh/id_dsa type -1
    >> debug1: Remote protocol version 1.99, remote software version
    >>
    >>
    >OpenSSH_3.9p1
    >
    >
    >> debug1: match: OpenSSH_3.9p1 pat OpenSSH*
    >> debug1: Enabling compatibility mode for protocol 2.0
    >> debug1: Local version string SSH-2.0-OpenSSH_3.9p1
    >> debug1: SSH2_MSG_KEXINIT sent
    >> debug1: SSH2_MSG_KEXINIT received
    >> debug1: kex: server->client aes128-cbc hmac-md5 none
    >> debug1: kex: client->server aes128-cbc hmac-md5 none
    >> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
    >> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
    >> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    >> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    >> debug1: Host 'sniper' is known and matches the RSA host key.
    >> debug1: Found key in /home/vengle/.ssh/known_hosts:3
    >> debug1: ssh_rsa_verify: signature correct
    >> debug1: SSH2_MSG_NEWKEYS sent
    >> debug1: expecting SSH2_MSG_NEWKEYS
    >> debug1: SSH2_MSG_NEWKEYS received
    >> debug1: SSH2_MSG_SERVICE_REQUEST sent
    >> debug1: SSH2_MSG_SERVICE_ACCEPT received
    >> debug1: Authentications that can continue:
    >> publickey,password,keyboard-interactive
    >> debug1: Next authentication method: publickey
    >> debug1: Trying private key: /home/vengle/.ssh/identity
    >> debug1: read PEM private key done: type RSA
    >> debug1: Authentications that can continue:
    >> publickey,password,keyboard-interactive
    >> debug1: Offering public key: /home/vengle/.ssh/id_rsa
    >> debug1: Server accepts key: pkalg ssh-rsa blen 149
    >> debug1: read PEM private key done: type RSA
    >> debug1: Authentications that can continue:
    >> publickey,password,keyboard-interactive
    >> debug1: Trying private key: /home/vengle/.ssh/id_dsa
    >> debug1: Next authentication method: keyboard-interactive
    >> Password:
    >>
    >>
    >> The server accepts the key but continues to try to authenticate
    >>
    >>
    >me. Any
    >
    >
    >> help or direction would be greatly appreciated.
    >>
    >> Thanks,
    >> Vic Engle
    >>
    >>
    >>
    >>
    >>
    >>


  • Next message: Bob Rasmussen: "Re: sftp virtual users question"

    Relevant Pages

    • RE: PAM auth and account with openssh
      ... PasswordAuthentication no ... PAM auth and account with openssh ... # This is the sshd server system-wide configuration file. ... # Kerberos options ...
      (SSH)
    • Re: Unable to set DISPLAY localhost:0.0 / Solved
      ... [root@localhost root]# date ... # This is the ssh client system-wide configuration file. ... # Kerberos TGT Passing only works with the AFS kaserver ...
      (Fedora)
    • Connecting to strong-named DLL outside of appbase
      ... I thought once I got the public key from the ... Using machine configuration file from ... CodeBase: ... DBAuthTest ...
      (microsoft.public.dotnet.framework)
    • Re: ssh2 hostbased auth fails
      ... Actually the ssh client works fine,the problem is the scp and sftp client. ... Here is my configuration file. ... # To disable tunneled clear text passwords, ... # Kerberos TGT Passing does only work with the AFS kaserver ...
      (SSH)
    • Re: ssh without password does not work
      ... > ssh without password inside this network. ... > # This is the sshd server system-wide configuration file. ... > # RhostsRSAAuthentication and HostbasedAuthentication ... > # Kerberos TGT Passing only works with the AFS kaserver ...
      (comp.security.ssh)