Re: OpenSSH and pam_radius_auth.so
- From: per@xxxxxxxxxxxx (Per Hedeland)
- Date: Fri, 12 Jan 2007 22:05:23 +0000 (UTC)
In article <1168613239.137410.216370@xxxxxxxxxxxxxxxxxxxxxxxxxxxx> "Dave
Isaacs" <dave.isaacs@xxxxxxxxx> writes:
>Per Hedeland wrote:
>> http://groups.google.com/group/comp.security.ssh/msg/a48e9cf45949a6f1
>
>How odd. I did look and found nothing. Thanks for the link.

Googlegroups seems to have problems lately - it couldn't find that
article based on Message-ID (the lookup method I typically use), and in
another group in a similar situation, it couldn't find either my article
or the one I had replied to, based on Message-ID *or* Subject line or
anything else - and yet the article I had replied to was actually
*posted* via Google. Though I don't know if the problems affect the
"normal" read/post interfaces, I only ever use the search/lookup stuff.

>In my sshd_config file I explicitly set
>
>  PasswordAuthentication no
>
>This made all ssh attempts fail immediately with the message
>
>  Permission denied (publickey,keyboard-interactive).
>
>So I re-commented out the PasswordAuthentication setting (it must
>default to yes), and then tried
>
>  ssh -o PreferredAuthentications=keyboard-interactive tucker@localhost
>
>This also failed immediately, with the message
>
>  Permission denied (publickey,password,keyboard-interactive).
>
>As for ssh clients, in my above attempts I used the ssh client on the
>machine (and just specify localhost as the hostname). The version as
>reported by 'ssh -v' is "OpenSSH_3.6.1p2, SSH protocols 1.5/2.0,
>OpenSSL 0x0090701f"
>
>I also tried PuTTY 0.57 and ssh version 4.3p2 from my Ubuntu desktop.
>The results do not appear to differ between clients.

It seems to me that your server is offering keyboard-interactive, but
immediately rejects any attempt to use it. In your sshd_config, you had
a commented-out 'ChallengeResponseAuthentication yes' - this would imply
that it's on by default, and it certainly is in current versions, but as
a "just in case" you could try uncommenting it. Though if it was really
set to 'no', sshd shouldn't offer keyboard-interactive at all.

It would of course also be prudent to run sshd with debugging on, to see
if that provides some clues as to why the keyboard-interactive attempts
get rejected. But if it's something other than an obvious
misconfiguration (and I rather doubt that at this point), it won't
really help since no-one will be interested in hunting for bugs in that
old version (well, maybe RH if you have a support contract).

If it still doesn't work, I'd definitely suggest trying a current
version of sshd. You don't have to replace the one you already have,
just download the source tarball from openssh.org and build it - then
you can run it with a different config file on a different port for
testing.

FWIW, I've had great success with pam_radius_auth (somewhat modified,
but not relevant to sshd) and multi-challenge using a more recent
OpenSSH version than yours (don't remember which exactly, but it was a
3.x), on an older Linux (at least I believe RH 7.3 is older than EL 3,
if not it's about the same era).

--Per Hedeland
per@xxxxxxxxxxxx
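
Added example, not part of the original post and not OpenSSH code: a simplified shell model of why the two "Permission denied (...)" method lists quoted in the thread differ. It assumes all three directives default to "yes" when unset or commented out; the function names and sample configs are constructed for illustration.

```shell
#!/bin/sh
# Simplified model (added example): which methods a server with this
# sshd_config would list in "Permission denied (...)".
# Assumption: all three directives default to "yes" when unset.

# effective FILE KEYWORD DEFAULT: first uncommented value wins, keyword is
# case-insensitive; a commented-out line is ignored and DEFAULT applies.
effective() {
    awk -v key="$2" -v def="$3" '
        /^[ \t]*(#|$)/ { next }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            n = split(line, f, /[ \t=]+/)
            if (n >= 2 && tolower(f[1]) == tolower(key)) {
                print tolower(f[2]); found = 1; exit
            }
        }
        END { if (!found) print def }
    ' "$1"
}

# offered_methods FILE: comma-separated list of enabled methods.
offered_methods() {
    out=""
    for pair in PubkeyAuthentication:publickey \
                PasswordAuthentication:password \
                ChallengeResponseAuthentication:keyboard-interactive; do
        if [ "$(effective "$1" "${pair%%:*}" yes)" = yes ]; then
            out="${out:+$out,}${pair#*:}"
        fi
    done
    printf '%s\n' "$out"
}

# Constructed sample configs mirroring the two cases in the thread.
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
printf '%s\n' '#PasswordAuthentication yes' \
    '#ChallengeResponseAuthentication yes' > "$tmp/commented"
printf '%s\n' 'PasswordAuthentication no' \
    '#ChallengeResponseAuthentication yes' > "$tmp/explicit"

echo "commented: $(offered_methods "$tmp/commented")"
echo "explicit:  $(offered_methods "$tmp/explicit")"
```

The list only says which methods the server is willing to try; a method that is offered and then rejected, as keyboard-interactive is here, has to be diagnosed from the sshd debug output.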