[Bug 738] OpenSSH 3.7.1p2 Password Authentication Failure Through NIS+ on Non-Master Server

bugzilla-daemon at mindrot.org
Thu Oct 9 05:40:34 EST 2003


http://bugzilla.mindrot.org/show_bug.cgi?id=738

           Summary: OpenSSH 3.7.1p2 Password Authentication Failure Through
                    NIS+ on Non-Master Server
           Product: Portable OpenSSH
           Version: -current
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: PAM support
        AssignedTo: openssh-bugs at mindrot.org
        ReportedBy: bugtraq at mzserver.com


I have openssh-3.7.1p2 with openssl-0.9.6k installed on Solaris 8.  Here is 
what I've been able to determine so far: 

1. Local account authentication works fine (non-NIS+).
1a. NIS+ is running at security level 2.
2. Telnet authentication works fine.
2a. When I use the SSH client, from another UNIX machine, it works fine --
only Windows SSH clients (I've tried SecureCRT and SSH.com's SSH client) have
problems connecting.
3. nscd is not running (I stopped it for now, but I don't think it matters).
3a. PAM is enabled in my sshd_config (see below).
4. When I log in via telnet (for example), it works; and then when I try
that same ID that wouldn't work originally via SSH, it then works!
5. When I log in to the master server via SSH it works fine (it only doesn't
work when I try to log into client servers).
6. When I try keyboard-interactive authentication (instead of Password), it
works, but it asks me TWICE for the login info (the first time fails, the
second time succeeds).

TO SUMMARIZE: I have problems WHEN: I log in via SSH to the non-master NIS+ 
server with a non-local account (NIS+ account) with a Windows client 
via 'Password' authentication.  I'd love to see someone figure THIS ONE out... 

HELPFUL INFO ON POSSIBLY WHY THIS IS HAPPENING
------------------------------------------------------------------------------------
Your Windows clients are using password authentication. That doesn't work with
ssh 3.7.1p2 on Solaris because the sshd has to be able to read the encrypted
password out of NIS+. But if you run NIS+ at security level 2, the user needs
to authenticate to NIS+ first via an explicit or implicit keylogin in order
to be able to read his/her own encrypted password. Other users are not able
to read it, and that includes the root user on NIS+ clients. One exception is
the root user (or machine principal) of the NIS+ master; that's why it works
there. If you succeed in logging in via telnet, then the telnetd does a keylogin
and then stores your key with the keyserver; that's why subsequent ssh logins
work until you reboot the machine (or restart the keyserver).

You should use PAM authentication via keyboard-interactive with your Windows
clients. I don't know anything about the 2 clients you tried, but I know that
PuTTY works with protocol version 2 and keyboard-interactive (tried it
myself).
------------------------------------------------------------------------------------

Here's my ./configure for openssh:

----------------------------------------------------------------------

configured by ./configure, generated by GNU Autoconf 2.52,
  with options "--prefix=/usr/openssh --with-pam --without-rsh
--with-pid-dir=/var/run --with-md5-passwords
--with-ssl-dir=/usr/local/ssl
--with-mantype=man"
----------------------------------------------------------------------


Here is my sshd.conf file:

----------------------------------------------------------------------

Port 22
Protocol 2 
#ListenAddress 0.0.0.0 
#ListenAddress :: 

# HostKey for protocol version 1
HostKey /usr/openssh/etc/ssh_host_key 
# HostKeys for protocol version 2 
HostKey /usr/openssh/etc/ssh_host_rsa_key 
HostKey /usr/openssh/etc/ssh_host_dsa_key 

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h 
ServerKeyBits 768 

# Logging
#obsoletes QuietMode and FascistLogging 
SyslogFacility AUTH 
LogLevel INFO 

# Authentication:

LoginGraceTime 2m
PermitRootLogin no 
#StrictModes yes 

#RSAAuthentication yes
#PubkeyAuthentication yes 
#AuthorizedKeysFile     .ssh/authorized_keys 

# For this to work you will also need host keys in /usr/openssh/etc/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2 
#HostbasedAuthentication no 
# Change to yes if you don't trust ~/.ssh/known_hosts for 
# RhostsRSAAuthentication and HostbasedAuthentication 
#IgnoreUserKnownHosts no 
# Don't read the user's ~/.rhosts and ~/.shosts files 
IgnoreRhosts yes 

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes 
#PermitEmptyPasswords no 

# Change to no to disable s/key passwords
ChallengeResponseAuthentication yes 

# Kerberos options
#KerberosAuthentication no 
#KerberosOrLocalPasswd yes 
#KerberosTicketCleanup yes 

# GSSAPI options
#GSSAPIAuthentication no 
#GSSAPICleanupCreds yes 

# Set this to 'yes' to enable PAM authentication (via challenge-response)
# and session processing. Depending on your PAM configuration, this may
# bypass the setting of 'PasswordAuthentication'
UsePAM yes 

#AllowTcpForwarding yes
#GatewayPorts no 
X11Forwarding yes 
#X11DisplayOffset 10 
#X11UseLocalhost yes 
PrintMotd yes 
#PrintLastLog yes 
KeepAlive yes 
#UseLogin no 
UsePrivilegeSeparation yes 
#PermitUserEnvironment no 
#Compression yes 
#ClientAliveInterval 0 
#ClientAliveCountMax 3 
#UseDNS yes 
PidFile /var/run/sshd.pid 
#MaxStartups 10 
# no default banner path 
#Banner /some/path 
# override default of no subsystems 
Subsystem       sftp    /usr/openssh/libexec/sftp-server 
----------------------------------------------------------------------
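The distinction the report turns on is which SSH userauth method a client ends up using: "password" (sshd itself reads the NIS+ passwd entry, which fails at security level 2 until a keylogin has happened) versus "keyboard-interactive" (PAM does the work). The following shell script is an added example and is not part of the bug report or of OpenSSH; it separates the two methods in sshd's syslog output and in sshd_config so the pattern can be confirmed from a client host's logs rather than by guessing. The log lines, the host name nisclient, the users jdoe and localadm, and the addresses are constructed for the example; the log format itself ("Accepted|Failed <method> for <user> from <addr> port <n> ssh2") is the one sshd writes.

```shell
#!/bin/sh
# Added example, not from the bug report or from OpenSSH: tell the "password"
# and "keyboard-interactive/pam" userauth methods apart in sshd's log and in
# sshd_config, which is the distinction behind the NIS+ keylogin symptom.

# Constructed sample sshd syslog lines (hypothetical host, users, addresses).
SAMPLE_LOG='Oct  9 05:40:34 nisclient sshd[1234]: Failed password for jdoe from 192.0.2.10 port 1025 ssh2
Oct  9 05:40:40 nisclient sshd[1234]: Failed password for jdoe from 192.0.2.10 port 1025 ssh2
Oct  9 05:41:02 nisclient sshd[1240]: Failed keyboard-interactive/pam for jdoe from 192.0.2.10 port 1026 ssh2
Oct  9 05:41:05 nisclient sshd[1240]: Accepted keyboard-interactive/pam for jdoe from 192.0.2.10 port 1026 ssh2
Oct  9 05:43:11 nisclient sshd[1251]: Accepted password for localadm from 192.0.2.11 port 1030 ssh2'

# auth_counts: read sshd log lines on stdin, print "<outcome> <method> <count>".
# Field 6 is Accepted/Failed and field 7 the method once syslog's
# "Mon dd hh:mm:ss host sshd[pid]:" prefix is skipped.
auth_counts() {
    awk '$6 == "Accepted" || $6 == "Failed" { c[$6 " " $7]++ }
         END { for (k in c) print k, c[k] }' | sort
}

# method_outcome <user> <method>: "accepted" if the user ever got in with that
# method, "failed" if only failures were logged, "none" if it was never tried.
method_outcome() {
    awk -v u="$1" -v m="$2" '
        $9 == u && $7 == m { if ($6 == "Accepted") acc = 1; else fail = 1 }
        END { if (acc) print "accepted"; else if (fail) print "failed"; else print "none" }'
}

# nisplus_keylogin_signature <user>: exit 0 when the log shows the pattern the
# report describes for an NIS+ account on a non-master client: "password"
# never succeeds for the user but "keyboard-interactive/pam" does.
nisplus_keylogin_signature() {
    log=$(cat)
    [ "$(printf '%s\n' "$log" | method_outcome "$1" password)" = failed ] &&
    [ "$(printf '%s\n' "$log" | method_outcome "$1" keyboard-interactive/pam)" = accepted ]
}

# password_auth_enabled <sshd_config>: exit 0 if sshd will offer "password".
# sshd takes the first value it finds for a keyword and defaults to yes, so a
# commented-out line does not turn the method off.
password_auth_enabled() {
    v=$(awk 'tolower($1) == "passwordauthentication" { print tolower($2); exit }' "$1")
    [ "${v:-yes}" = "yes" ]
}

# probe_methods <user@host>: force the OpenSSH client through each method in
# turn. With an NIS+ account on a level-2 client the first run is expected to
# fail and the second to succeed. Needs a reachable server, so it is not run
# by the demo below.
probe_methods() {
    for m in password keyboard-interactive; do
        printf '== %s\n' "$m"
        ssh -o PreferredAuthentications="$m" -o PubkeyAuthentication=no "$1" true
    done
}

if [ "${1:-}" = demo ]; then
    printf '%s\n' "$SAMPLE_LOG" | auth_counts
    if printf '%s\n' "$SAMPLE_LOG" | nisplus_keylogin_signature jdoe; then
        echo "jdoe: password fails, keyboard-interactive/pam succeeds (NIS+ keylogin signature)"
    fi
fi
```

Run it as `sh probe.sh demo` against the embedded sample, or feed a real /var/adm/messages through `auth_counts` and `nisplus_keylogin_signature`. For the config on this page, `password_auth_enabled` returns true; setting PasswordAuthentication to no (leaving ChallengeResponseAuthentication and UsePAM at yes) is what pushes a client that offers both methods onto the keyboard-interactive path the quoted explanation recommends.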


