problem with ssh and pam

From: Jim Judd (jimj_at_netrake.com)
Date: 08/11/05

  • Next message: Nathan Jackson: "Re: question about OpenSSH in cygwin"
    Date: Thu, 11 Aug 2005 09:38:52 -0500
    To: <secureshell@securityfocus.com>


    Hello,
    I have configured OpenSSH on a machine running Gentoo to use PAM. Everything seems to be working OK, except for the number of challenge-response attempts that are received when a user tries to log on. They get one attempt and the connection is terminated, instead of the 3 attempts they get if UsePAM=no. I have tried a few things in the PAM, ssh, and system-auth files but no luck. Does anyone know if it is even possible to set the number of password challenges while using PAM with ssh?

    Here is what I have so far:

    kernel 2.6.8
    sshd OpenSSH_3.8.1p1, OpenSSL 0.9.7d 17 Mar 2004
    Not sure how to tell what version of pam is on the box, 0.77 I guess since there is a libpam.so.0.77 on the box.
    distro is Gentoo

    sshd_config

    # $OpenBSD: sshd_config,v 1.65 2003/08/28 12:54:34 markus Exp $

    # This is the sshd server system-wide configuration file. See
    # sshd_config(5) for more information.

    # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

    # The strategy used for options in the default sshd_config shipped with
    # OpenSSH is to specify options with their default value where
    # possible, but leave them commented. Uncommented options change a
    # default value.

    #Port 22
    #Protocol 2,1
    #ListenAddress 0.0.0.0
    #ListenAddress ::

    # HostKey for protocol version 1
    #HostKey /etc/ssh/ssh_host_key
    # HostKeys for protocol version 2
    #HostKey /etc/ssh/ssh_host_rsa_key
    #HostKey /etc/ssh/ssh_host_dsa_key

    # Lifetime and size of ephemeral version 1 server key
    #KeyRegenerationInterval 1h
    #ServerKeyBits 768

    # Logging
    #obsoletes QuietMode and FascistLogging
    #SyslogFacility AUTH
    #LogLevel INFO

    # Authentication:

    #LoginGraceTime 2m
    #PermitRootLogin yes
    #StrictModes yes

    #RSAAuthentication yes
    #PubkeyAuthentication yes
    #AuthorizedKeysFile .ssh/authorized_keys

    # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
    #RhostsRSAAuthentication no
    # similar for protocol version 2
    #HostbasedAuthentication no
    # Change to yes if you don't trust ~/.ssh/known_hosts for
    # RhostsRSAAuthentication and HostbasedAuthentication
    #IgnoreUserKnownHosts no
    # Don't read the user's ~/.rhosts and ~/.shosts files
    #IgnoreRhosts yes

    # To disable tunneled clear text passwords, change to no here!
    PasswordAuthentication no
    #PermitEmptyPasswords no

    # Change to no to disable s/key passwords
    #ChallengeResponseAuthentication no

    # Kerberos options
    #KerberosAuthentication no
    #KerberosOrLocalPasswd yes
    #KerberosTicketCleanup yes

    # GSSAPI options
    #GSSAPIAuthentication no
    #GSSAPICleanupCreds yes

    # Set this to 'yes' to enable PAM authentication (via challenge-response)
    # and session processing. Depending on your PAM configuration, this may
    # bypass the setting of 'PasswordAuthentication'
    UsePAM yes

    #AllowTcpForwarding yes
    #GatewayPorts no
    #X11Forwarding no
    #X11DisplayOffset 10
    #X11UseLocalhost yes
    #PrintMotd yes
    #PrintLastLog yes
    #KeepAlive yes
    #UseLogin no
    #UsePrivilegeSeparation yes
    #PermitUserEnvironment no
    #Compression yes
    #ClientAliveInterval 0
    #ClientAliveCountMax 3
    #UseDNS yes
    #PidFile /var/run/sshd.pid
    #MaxStartups 10

    # no default banner path
    #Banner /some/path

    # override default of no subsystems
    Subsystem sftp /usr/lib/misc/sftp-server

    /etc/pam.d/sshd

    #%PAM-1.0

    auth required pam_stack.so service=system-auth
    auth required pam_shells.so
    auth required pam_nologin.so
    account required pam_stack.so service=system-auth
    password required pam_stack.so service=system-auth
    session required pam_stack.so service=system-auth

    /etc/pam.d/system-auth

    #%PAM-1.0

    auth required /lib/security/pam_env.so
    auth sufficient /lib/security/pam_unix.so likeauth nullok
    auth required /lib/security/pam_deny.so

    account required /lib/security/pam_unix.so

    password required /lib/security/pam_cracklib.so retry=3
    password sufficient /lib/security/pam_unix.so nullok md5 shadow use_authtok
    password required /lib/security/pam_deny.so

    session required /lib/security/pam_limits.so
    session required /lib/security/pam_unix.so

    Thanks in advance...
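
With PasswordAuthentication off and UsePAM on, the posted configuration reaches PAM only through keyboard-interactive (ChallengeResponseAuthentication, which the file leaves at its default of yes), and what a user then sees is decided by how Linux-PAM walks the two auth stacks above. The following is an added example, not code from the original post, from OpenSSH or from Linux-PAM: a small Python model of the classic control-flag semantics (required/requisite/sufficient/optional, with pam_stack.so service=... treated as a nested stack), run over the posted sshd and system-auth stacks. The module outcomes, the "correct horse" password and the login_with_retries() loop are constructed assumptions for illustration; the behaviour it demonstrates is that pam_unix issues one password prompt per pam_authenticate() call and the stack never loops on its own, so any repeated prompt has to come from the calling application and its exchange with the client, not from these pam.d files.

```python
"""Model of Linux-PAM control-flag evaluation, applied to the sshd and
system-auth auth stacks posted above (constructed example, simplified)."""
from typing import Callable, Dict, List, Optional, Tuple

# (control, module, args) triples copied from the posted /etc/pam.d files.
# pam_stack.so service=NAME is modelled as running stack NAME in place,
# which is how the old Red Hat pam_stack module chained stacks together.
STACKS: Dict[str, List[Tuple[str, str, str]]] = {
    "sshd": [
        ("required", "pam_stack.so", "service=system-auth"),
        ("required", "pam_shells.so", ""),
        ("required", "pam_nologin.so", ""),
    ],
    "system-auth": [
        ("required", "pam_env.so", ""),
        ("sufficient", "pam_unix.so", "likeauth nullok"),
        ("required", "pam_deny.so", ""),
    ],
}

Modules = Dict[str, Callable[[], bool]]


def run_stack(name: str, modules: Modules, trace: Optional[List[str]] = None) -> bool:
    """Evaluate one auth stack with the classic control semantics:
    required   - failure is remembered, but the rest of the stack still runs
                 (so the user cannot tell which module rejected them)
    requisite  - failure ends the stack immediately
    sufficient - success ends the stack with success unless an earlier
                 required module already failed; failure is simply ignored
    optional   - ignored in this model (only counts when nothing else set a result)
    """
    trace = [] if trace is None else trace
    failed = False
    for control, module, args in STACKS[name]:
        if module == "pam_stack.so":
            sub = args.split("=", 1)[1]
            ok = run_stack(sub, modules, trace)
            trace.append(f"{name}: {control} {module} ({sub}) -> {'ok' if ok else 'fail'}")
        else:
            ok = modules[module]()
            trace.append(f"{name}: {control} {module} -> {'ok' if ok else 'fail'}")
        if control == "required" and not ok:
            failed = True
        elif control == "requisite" and not ok:
            return False
        elif control == "sufficient" and ok and not failed:
            return True
    return not failed


def authenticate(service: str, password: str, shell_ok: bool = True,
                 nologin_absent: bool = True) -> Tuple[bool, int, List[str]]:
    """One pam_authenticate() call. Returns (result, prompts shown, trace).
    The module outcomes below are constructed for illustration."""
    prompts: List[str] = []

    def pam_unix() -> bool:
        prompts.append("Password: ")          # pam_unix asks exactly once per call
        return password == "correct horse"    # constructed 'right' password

    modules: Modules = {
        "pam_env.so": lambda: True,                # only sets environment, never fails
        "pam_unix.so": pam_unix,
        "pam_deny.so": lambda: False,              # catch-all: always fails
        "pam_shells.so": lambda: shell_ok,         # is the login shell in /etc/shells?
        "pam_nologin.so": lambda: nologin_absent,  # is /etc/nologin absent?
    }
    trace: List[str] = []
    return run_stack(service, modules, trace), len(prompts), trace


def login_with_retries(attempts: List[str], max_tries: int,
                       service: str = "sshd") -> Tuple[bool, int]:
    """The stack never loops on its own: every pam_authenticate() call runs it
    once and pam_unix prompts once. Any 'try again' behaviour belongs to the
    caller, modelled here as a generic retry loop (not sshd's actual code)."""
    calls = 0
    for password in attempts[:max_tries]:
        calls += 1
        if authenticate(service, password)[0]:
            return True, calls
    return False, calls


if __name__ == "__main__":
    for pw in ("correct horse", "wrong"):
        ok, prompts, trace = authenticate("sshd", pw)
        print(f"password={pw!r}: result={ok} prompts={prompts}")
        for line in trace:
            print("  " + line)
    print(login_with_retries(["wrong", "wrong", "correct horse"], max_tries=3))
```

Running it shows the two things worth checking when a PAM login behaves unexpectedly: a wrong password still walks every required module (pam_deny, then pam_shells and pam_nologin in the outer stack) before the single failure is returned, and the number of prompts per call is always one, regardless of how many attempts the caller allows. Server-side, the cap on attempts per connection is sshd's own MaxAuthTries, which was added in OpenSSH 3.9 and so is not available in the 3.8.1p1 shown above; on the client side, NumberOfPasswordPrompts in ssh_config limits how many times ssh re-prompts.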

