Re: Confounded by PAM and OpenSSH on Solaris 10



On 2006-04-29, elroy.deng@xxxxxxxxx <elroy.deng@xxxxxxxxx> wrote:
> Hi,
>
> If anyone can help me understand OpenSSH and PAM and the various
Which version of OpenSSH? The PAM behaviour has changed
(improved, I hope :-) over time. An overview is in the faq
(http://www.openssh.com/faq.html#3.15) but the details vary with the
version.

> [...]
> user2 is unable to login and instead of calling pam_sm_chauthtok()
> OpenSSH calls passwd().

That happens when you use password authentication and privilege separation
together. When you use password authentication, sshd doesn't have the
ability to interact with the user until very late in the login process
(i.e. after the pty is allocated) and when privsep is in use, has long
since given up the privilege it would need to call pam_chauthtok (and
have it work, anyway).

Either use ChallengeResponseAuthentication (preferred) or disable
UsePrivilegeSeparation.

> user1 gets the 'account has expired' message but it does not close the
> connection until three attempts are made!

I think that this no longer happens in 4.3p2.

> SSHD CONFIGURATION #3
> Protocol 2
> PasswordAuthentication no
> ChallengeResponseAuthentication yes
> UsePAM yes
>
> user1 now prompts 4 times: three times for keyboard-interactive and once
> for password.
> ########################################################
> [Fri Apr 28|19:24:50][root@unknown:/]
> $ ssh -l user1 localhost
> Password:
> User account has expired!
>
> Password:
> User account has expired!
>
> Password:
> User account has expired!
>
> user1@localhost's password:
> User account has expired!

Are you sure about this one? If PasswordAuthentication is set to no, it
won't even be offered to the client.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
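The failure Darren describes (password authentication together with privilege separation, so sshd can no longer call pam_chauthtok for an expired password) can be caught by auditing sshd_config before it bites a user. The check below is an added example, not code from the thread or from OpenSSH; it assumes a config without Match blocks and applies the sshd_config rule that the first occurrence of a keyword wins.

```shell
#!/bin/sh
# Added audit check, not code from the thread: flag an sshd_config where
# PasswordAuthentication plus privilege separation leaves sshd unable to call
# pam_chauthtok for an expired password. Assumptions: no Match blocks,
# '#' starts a comment, keywords are case-insensitive and the first wins.

# sshd_effective KEY DEFAULT: config on stdin, prints the effective value
sshd_effective() {
    awk -v key="$1" -v def="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments, blank lines
        tolower($1) == tolower(key) && !seen { print tolower($2); seen = 1 }
        END { if (!seen) print def }'
}

# check_pam_chauthtok: config on stdin; returns 0 when an expired password can
# be changed through PAM, 1 (printing why) when sshd would fall back to passwd
check_pam_chauthtok() {
    cfg=$(cat)
    pam=$(printf '%s\n' "$cfg" | sshd_effective UsePAM no)
    pw=$(printf '%s\n' "$cfg" | sshd_effective PasswordAuthentication yes)
    privsep=$(printf '%s\n' "$cfg" | sshd_effective UsePrivilegeSeparation yes)
    if [ "$pam" != yes ]; then
        echo "OK: UsePAM is off, PAM password changes are not in play"; return 0
    fi
    if [ "$pw" = yes ] && [ "$privsep" = yes ]; then
        echo "RISK: password auth + privsep, sshd cannot run pam_chauthtok;"
        echo "  use PasswordAuthentication no + ChallengeResponseAuthentication yes"
        echo "  (preferred) or UsePrivilegeSeparation no"
        return 1
    fi
    echo "OK: pam_chauthtok can run"; return 0
}

# Constructed sample configurations (not the poster's actual files)
weak_cfg=$(cat <<'EOF'
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
EOF
)
fixed_cfg=$(cat <<'EOF'
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
EOF
)
printf '%s\n' "$weak_cfg"  | check_pam_chauthtok || :   # prints RISK, exit 1
printf '%s\n' "$fixed_cfg" | check_pam_chauthtok        # prints OK, exit 0
```

Run it against the real file with `check_pam_chauthtok < /etc/ssh/sshd_config`; a non-zero exit status means users with expired passwords will hit the passwd() fallback instead of a PAM password change.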