Re: PAM/AFS authentication prob. w/ SSH3.01 Sol8

From: Chris Hagmann (chris@chagmann.com)
Date: 12/13/01


I ran into the same problem and I figured it is a patch from Sun which
causes this problem. The patch ID is 111659-03. If you take an old
/usr/lib/security/pam_unix.so.1 then it should work again. (If you run
64-bit Solaris, then I'd also take the
/usr/lib/security/sparcv9/pam_unix.so.1 to have a consistent image.)

Patch 111659-03 was supposed to resolve some segmentation faults
caused when calling pam_open_session() if PAM_RHOST or PAM_TTY ==
NULL. But I couldn't find any further information about that bug, so I
don't really know what the original issue was. The only thing I understand
is that SSH supposedly allocates the tty, so there might be a
dependency, but the big question is whether the issue is in SSH's code
(I used SSH 3.0.1 and 3.1, both with the same behaviour) or in Sun's
pam_unix.so.1.

I'm going to log a bug with SSH Communications.

Cheers,
Chris

Joe Glass <joe@glass.cl.msu.edu> wrote in message news:<3C07EF57.47FD4522@glass.cl.msu.edu>...
> Hi, I'm having trouble making PAM/AFS authentication work on Sparc
> Solaris 8. Here is the error message I am getting:
>
> Nov 30 14:48:56 mybox.edu sshd2[500]: [ID 702911 auth.error] auths-pam:
> ssh-pam-client returned packet SSH_PAM_OP_ERROR. (err_num: 9, err_msg:
> Authentication failed)
>
> I followed the instructions on ssh.com's web page. AFS authentication
> currently works for rlogin or telnet. I only get the above error
> message when trying to ssh in and use an AFS account; ssh will
> authenticate fine to a regular Unix account. Can anyone help me out?
>
> Thanks in advance.
>
> Here are my config files (snipped):
>
> /etc/ssh2/sshd2_config
> AllowedAuthentications publickey,password,pam-1@ssh.com
> SshPAMClientPath ssh-pam-client
>
> /etc/ssh2/ssh2_config
> AllowedAuthentications publickey,password,pam-1@ssh.com
>
> /etc/pam.conf (full)
>
> login auth optional /usr/lib/security/$ISA/pam_unix.so.1
> login auth optional /usr/lib/security/$ISA/pam_afs.so.1 try_first_pass ignore_root setenv_password_expires
> login auth optional /usr/lib/security/$ISA/pam_dial_auth.so.1
> #
> rlogin auth sufficient /usr/lib/security/$ISA/pam_rhosts_auth.so.1
> rlogin auth optional /usr/lib/security/$ISA/pam_unix.so.1
> rlogin auth optional /usr/lib/security/$ISA/pam_afs.so.1 try_first_pass ignore_root setenv_password_expires
> #
> dtlogin auth optional /usr/lib/security/$ISA/pam_unix.so.1
> dtlogin auth optional /usr/lib/security/$ISA/pam_afs.so.1 try_first_pass ignore_root setenv_password_expires
> #
> telnet auth optional /usr/lib/security/$ISA/pam_unix.so.1
> telnet auth optional /usr/lib/security/$ISA/pam_afs.so.1 try_first_pass ignore_root setenv_password_expires
> #
> rsh auth optional /usr/lib/security/$ISA/pam_rhosts_auth.so.1
> rsh auth optional /usr/lib/security/$ISA/pam_afs.so.1 try_first_pass ignore_root
> other auth optional /usr/lib/security/$ISA/pam_unix.so.1
> other auth optional /usr/lib/security/$ISA/pam_afs.so.1 try_first_pass ignore_root setenv_password_expires
> #
>
> # the following are needed for uwashington's imap and pop3 servers ...
> imap auth required /usr/lib/security/$ISA/pam_afs.so.1 try_first_pass ignore_root setenv_password_expires
> #
> pop auth required /usr/lib/security/$ISA/pam_afs.so.1 try_first_pass ignore_root setenv_password_expires
>
> #
> # Account management
> #
> login account requisite /usr/lib/security/$ISA/pam_roles.so.1
> login account required /usr/lib/security/$ISA/pam_projects.so.1
> login account optional /usr/lib/security/$ISA/pam_unix.so.1
> login account optional /usr/lib/security/$ISA/pam_afs.so.1 try_first_pass ignore_root
> dtlogin account requisite /usr/lib/security/$ISA/pam_roles.so.1
> dtlogin account required /usr/lib/security/$ISA/pam_projects.so.1
> dtlogin account optional /usr/lib/security/$ISA/pam_unix.so.1
> dtlogin account optional /usr/lib/security/$ISA/pam_afs.so.1 try_first_pass ignore_root
> #
> other account requisite /usr/lib/security/$ISA/pam_roles.so.1
> other account required /usr/lib/security/$ISA/pam_projects.so.1
> other account optional /usr/lib/security/$ISA/pam_unix.so.1
> other account optional /usr/lib/security/$ISA/pam_afs.so.1 try_first_pass ignore_root
> #
> # Session management
> #
> other session optional /usr/lib/security/$ISA/pam_unix.so.1
> #
> # Password management
> #
> other password optional /usr/lib/security/$ISA/pam_unix.so.1
> #dtsession auth required /usr/lib/security/$ISA/pam_unix.so.1
> #rlogin auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
> #login auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
> #other auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
> #dtlogin account optional /usr/lib/security/$ISA/pam_krb5.so.1
> #other account optional /usr/lib/security/$ISA/pam_krb5.so.1
> #other session optional /usr/lib/security/$ISA/pam_krb5.so.1
> #other password optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
> sshd2 auth required /usr/lib/security/pam_unix.so debug
> sshd2 account required /usr/lib/security/pam_unix.so debug
> sshd2 password required /usr/lib/security/pam_unix.so debug
> sshd2 session required /usr/lib/security/pam_unix.so debug
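An added example for readers working through the quoted pam.conf (this is editor's code, not from either poster): a small Python script that parses a Solaris-style pam.conf and works out which stack a given service actually gets. It applies the Solaris rule that the `other` entries are only a fallback, consulted for a module type (auth, account, session, password) solely when the service has no entry of its own for that type, and it expands `$ISA` the way libpam does (empty for 32-bit, `sparcv9` for 64-bit). It also flags any line that lacks the four mandatory fields, which is exactly what an option list wrapped onto its own line by a mail client looks like. The config embedded in it is a constructed excerpt modelled on the file quoted above, not the full file. Run against that excerpt it shows that `sshd2`, having its own four entries, never reaches the `other` lines, so pam_afs.so.1 is not in its stack at all, and that those entries point at `/usr/lib/security/pam_unix.so` rather than the `$ISA/pam_unix.so.1` path used everywhere else in the file. Whether ssh-pam-client really calls pam_start() with the service name `sshd2`, and whether any of this is behind the SSH_PAM_OP_ERROR, is an assumption to verify on the box, not something the thread settles.

```python
#!/usr/bin/env python3
"""Resolve the PAM stack a service actually gets from a Solaris-style pam.conf.

Added example for this thread, not code from either poster. Rule assumed
here (Solaris 8 libpam semantics): for each module type, entries naming the
service are used; 'other' entries apply only when the service has no entry
of that type. SAMPLE_PAM_CONF is a constructed excerpt modelled on the
quoted file, not the whole file.
"""

MODULE_TYPES = ("auth", "account", "session", "password")
CONTROL_FLAGS = ("required", "requisite", "sufficient", "optional")

# Constructed sample: 'login' and 'other' carry pam_afs.so.1, while the
# 'sshd2' service has its own four entries, as in the quoted file.
SAMPLE_PAM_CONF = """\
login  auth     optional  /usr/lib/security/$ISA/pam_unix.so.1
login  auth     optional  /usr/lib/security/$ISA/pam_afs.so.1 try_first_pass ignore_root setenv_password_expires
other  auth     optional  /usr/lib/security/$ISA/pam_unix.so.1
other  auth     optional  /usr/lib/security/$ISA/pam_afs.so.1 try_first_pass ignore_root setenv_password_expires
other  account  requisite /usr/lib/security/$ISA/pam_roles.so.1
other  account  required  /usr/lib/security/$ISA/pam_projects.so.1
other  account  optional  /usr/lib/security/$ISA/pam_unix.so.1
other  account  optional  /usr/lib/security/$ISA/pam_afs.so.1 try_first_pass ignore_root
other  session  optional  /usr/lib/security/$ISA/pam_unix.so.1
other  password optional  /usr/lib/security/$ISA/pam_unix.so.1
sshd2  auth     required  /usr/lib/security/pam_unix.so debug
sshd2  account  required  /usr/lib/security/pam_unix.so debug
sshd2  password required  /usr/lib/security/pam_unix.so debug
sshd2  session  required  /usr/lib/security/pam_unix.so debug
"""


def parse_pam_conf(text):
    """Parse pam.conf text into (entries, problems).

    Each entry is a dict with service, type, control, module, options, line.
    A line with fewer than four fields, or an unknown module type or control
    flag, is reported as a problem instead of being skipped silently: options
    wrapped onto their own line by a mail client look exactly like that.
    """
    entries, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if (len(fields) < 4 or fields[1] not in MODULE_TYPES
                or fields[2] not in CONTROL_FLAGS):
            problems.append(f"line {lineno}: not a valid entry: {raw.strip()!r}")
            continue
        service, mtype, control, module = fields[:4]
        entries.append({"service": service, "type": mtype, "control": control,
                        "module": module, "options": fields[4:], "line": lineno})
    return entries, problems


def expand_isa(path, isa=""):
    """Expand $ISA as libpam does: empty for 32-bit, e.g. 'sparcv9' for 64-bit."""
    return path.replace("$ISA/", isa + "/" if isa else "")


def effective_stack(entries, service, isa=""):
    """Return {module_type: [(control, module_path, options), ...]} for service."""
    stack = {}
    for mtype in MODULE_TYPES:
        own = [e for e in entries if e["service"] == service and e["type"] == mtype]
        # 'other' is consulted only when the service has no entry of this type
        chosen = own or [e for e in entries
                         if e["service"] == "other" and e["type"] == mtype]
        stack[mtype] = [(e["control"], expand_isa(e["module"], isa), e["options"])
                        for e in chosen]
    return stack


def modules_in(stack, mtype):
    """Basenames of the modules consulted for one module type."""
    return [path.rsplit("/", 1)[-1] for _, path, _ in stack[mtype]]


if __name__ == "__main__":
    entries, problems = parse_pam_conf(SAMPLE_PAM_CONF)
    for p in problems:
        print("WARNING:", p)
    for svc in ("login", "sshd2"):
        stack = effective_stack(entries, svc, isa="sparcv9")
        for mtype in MODULE_TYPES:
            print(f"{svc:6} {mtype:8} -> {modules_in(stack, mtype)}")
```

To check a real box, replace SAMPLE_PAM_CONF with the contents of /etc/pam.conf and pass the service name the SSH daemon (or its ssh-pam-client helper) registers with pam_start(); on a 64-bit Solaris install run it once with isa="" and once with isa="sparcv9", since the two pam_unix.so.1 copies are separate files and, as the reply above notes, should be kept at the same revision.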
