[Bug 738] OpenSSH 3.7.1p2 Password Authentication Failure Through NIS+ on Non-Master Server
bugzilla-daemon at mindrot.org
Thu Oct 9 05:40:34 EST 2003
http://bugzilla.mindrot.org/show_bug.cgi?id=738
Summary: OpenSSH 3.7.1p2 Password Authentication Failure Through NIS+ on Non-Master Server
Product: Portable OpenSSH
Version: -current
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: PAM support
AssignedTo: openssh-bugs at mindrot.org
ReportedBy: bugtraq at mzserver.com
I have openssh-3.7.1p2 with openssl-0.9.6k installed on Solaris 8. Here is
what I've been able to determine so far:
1. Local account authentication works fine (non-NIS+).
1a. NIS+ is running at security level 2.
2. Telnet authentication works fine.
2a. When I use the SSH client, from another UNIX machine, it works fine --
only Windows SSH clients (I've tried SecureCRT and SSH.com's SSH client) have
problems connecting.
3. nscd is not running (I stopped it for now, but I don't think it matters).
3a. PAM is enabled in my sshd_config (see below).
4. When I log in via telnet (for example), it works; and then when I try
that same ID that wouldn't work originally via SSH, it then works!
5. When I log in to the master server via SSH it works fine (it only doesn't work
when I try to log into client servers).
6. When I try keyboard-interactive authentication (instead of Password), it works,
but it asks me TWICE for the login info (the first time fails, the second time
succeeds).
TO SUMMARIZE: I have problems WHEN: I log in via SSH to the non-master NIS+
server with a non-local account (NIS+ account) with a Windows client
via 'Password' authentication. I'd love to see someone figure THIS ONE out...
HELPFUL INFO ON POSSIBLY WHY THIS IS HAPPENING
------------------------------------------------------------------------------------
Your Windows clients are using password authentication. That doesn't work with
ssh 3.7.1p2 on Solaris because the sshd has to be able to read the encrypted
password out of NIS+. But if you run NIS+ at security level 2 the user needs
to authenticate to NIS+ first via an explicit or implicit keylogin in order
to be able to read his/her own encrypted password. Other users are not able
to read it and that includes the root user on NIS+ clients. One exception is
the root user (or machine principal) of the NIS+ master, that's why it works
there. If you succeed to login via telnet then the telnetd does a keylogin
and then stores your key with the keyserver, that's why subsequent ssh logins
work until you reboot the machine (or restart the keyserver).
You should use PAM authentication via keyboard-interactive with your Windows
clients. I don't know anything about the two clients you tried, but I know that
PuTTY works with protocol version 2 and keyboard-interactive (I tried it
myself).
------------------------------------------------------------------------------------
Here's my ./configure for openssh:
----------------------------------------------------------------------
configured by ./configure, generated by GNU Autoconf 2.52,
with options "--prefix=/usr/openssh --with-pam --without-rsh
--with-pid-dir=/var/run --with-md5-passwords
--with-ssl-dir=/usr/local/ssl
--with-mantype=man"
----------------------------------------------------------------------
Here is my sshd.conf file:
----------------------------------------------------------------------
Port 22
Protocol 2
#ListenAddress 0.0.0.0
#ListenAddress ::
# HostKey for protocol version 1
HostKey /usr/openssh/etc/ssh_host_key
# HostKeys for protocol version 2
HostKey /usr/openssh/etc/ssh_host_rsa_key
HostKey /usr/openssh/etc/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
ServerKeyBits 768
# Logging
#obsoletes QuietMode and FascistLogging
SyslogFacility AUTH
LogLevel INFO
# Authentication:
LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
# For this to work you will also need host keys in /usr/openssh/etc/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
ChallengeResponseAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCreds yes
# Set this to 'yes' to enable PAM authentication (via challenge-response)
# and session processing. Depending on your PAM configuration, this may
# bypass the setting of 'PasswordAuthentication'
UsePAM yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
PrintMotd yes
#PrintLastLog yes
KeepAlive yes
#UseLogin no
UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression yes
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
PidFile /var/run/sshd.pid
#MaxStartups 10
# no default banner path
#Banner /some/path
# override default of no subsystems
Subsystem sftp /usr/openssh/libexec/sftp-server
----------------------------------------------------------------------
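The server-side requirements in the explanation quoted above (PAM enabled, keyboard-interactive enabled, protocol 2) can be checked mechanically before pointing the Windows clients at a different authentication method. The script below is an added example and is not part of this bug report or of OpenSSH. It parses an sshd_config in the "Keyword value" syntax shown above, reports which of those three settings would block the keyboard-interactive path, and prints the ssh(1) client options that request keyboard-interactive and refuse to fall back to "password". It assumes sshd honours the first occurrence of a keyword and that absent keywords take the OpenSSH defaults noted in the comments (UsePAM no, ChallengeResponseAuthentication yes, Protocol 2,1); the two sample configs it writes are constructed for the example, the first from the relevant lines of the reported config.

```shell
#!/bin/sh
# Added example (not from the bug report or from OpenSSH): check whether an
# sshd_config offers the keyboard-interactive/PAM path recommended above, and
# print the ssh(1) options that force a client onto that method.
#
# Assumptions: "Keyword value" syntax as in the report; sshd honours the first
# occurrence of a keyword; absent keywords take the OpenSSH defaults noted
# inline (UsePAM no, ChallengeResponseAuthentication yes, Protocol 2,1).

# sshd_opt FILE KEYWORD DEFAULT: print the first uncommented value of KEYWORD,
# lower-cased (keywords and yes/no values are case-insensitive), or DEFAULT.
sshd_opt() {
    _v=$(awk -v k="$2" 'BEGIN { k = tolower(k) }
        /^[ \t]*#/ { next }
        tolower($1) == k { print tolower($2); exit }' "$1")
    [ -n "$_v" ] && printf '%s\n' "$_v" || printf '%s\n' "$3"
}

# kbdint_ready FILE: return 0 when sshd would offer keyboard-interactive
# through PAM over SSH-2; otherwise print each blocking setting and return 1.
kbdint_ready() {
    _pam=$(sshd_opt "$1" UsePAM no)                          # assumed default: no
    _cr=$(sshd_opt "$1" ChallengeResponseAuthentication yes) # assumed default: yes
    _proto=$(sshd_opt "$1" Protocol 2,1)                     # assumed default: 2,1
    _ok=0
    if [ "$_pam" != yes ]; then
        echo "UsePAM=$_pam: keyboard-interactive will not go through PAM"
        _ok=1
    fi
    if [ "$_cr" != yes ]; then
        echo "ChallengeResponseAuthentication=$_cr: keyboard-interactive is disabled"
        _ok=1
    fi
    case ",$_proto," in
        *,2,*) ;;
        *) echo "Protocol=$_proto: keyboard-interactive needs protocol 2"; _ok=1 ;;
    esac
    return $_ok
}

# client_cmd USER HOST: the OpenSSH client invocation that asks for
# keyboard-interactive and refuses to fall back to "password".
client_cmd() {
    printf 'ssh -o PreferredAuthentications=keyboard-interactive -o PasswordAuthentication=no %s@%s\n' "$1" "$2"
}

# Constructed sample configs: the relevant lines of the reported config, and
# a copy with UsePAM left at its default.
cfg_report=${TMPDIR:-/tmp}/sshd_config.report.$$
cfg_nopam=${TMPDIR:-/tmp}/sshd_config.nopam.$$
trap 'rm -f "$cfg_report" "$cfg_nopam"' EXIT
cat > "$cfg_report" <<'EOF'
Port 22
Protocol 2
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
ChallengeResponseAuthentication yes
# Set this to 'yes' to enable PAM authentication (via challenge-response)
UsePAM yes
EOF
grep -v '^UsePAM' "$cfg_report" > "$cfg_nopam"

for f in "$cfg_report" "$cfg_nopam"; do
    if kbdint_ready "$f"; then
        echo "$f: keyboard-interactive via PAM is available; use:"
        client_cmd nisuser client-server   # hypothetical user and host
    else
        echo "$f: fix the settings above before switching clients"
    fi
done
```

Run `kbdint_ready` against the real file (with the report's --prefix that would be /usr/openssh/etc/sshd_config, an assumed path) on the non-master NIS+ client. The reported config passes, which matches the observation that keyboard-interactive already works there; the script says nothing about the NIS+ side, so whether a user's key is cached in the keyserver after a telnet login or a keylogin still has to be checked on the host itself.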