[Bug 2622] New: PAM stack sometimes will not run during auth and this causes auths to fail

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Sat Oct 8 01:58:53 AEDT 2016


            Bug ID: 2622
           Summary: PAM stack sometimes will not run during auth and this
                    causes auths to fail
           Product: Portable OpenSSH
           Version: 4.3p2
          Hardware: ix86
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: PAM support
          Assignee: unassigned-bugs at mindrot.org
          Reporter: desaiar at umich.edu

Created attachment 2877
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2877&action=edit
Config Files and Debug Logs

I am running Centos 5 OpenSSH 4.3p2-82.0.2
This patch for the portable version has caused a bug where my PAM stack
is sometimes not being run. Attempting to connect about 70% of the time
will give me a failure, but occasionally I will see the password prompt
from pam_unix and be allowed to auth successfully.

Upgrading and downgrading between 4.3p2-82.0.1 and 4.3p2-82.0.2 has
shown me that the issue is connected to this patch in some way. In
4.3p2-82.0.1 I always get directed to perform PAM authentication and
can auth. I've attached the two new patch files for this version to
help debugging. Since I'm using challenge response authentication I
believe it is more related to the keyboard-interactive patch.

I've also included my sshd_config file. I believe the interesting
callouts are:
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes

I have included the relevant PAM stack files as well.

For debugging I've attached part of the client logs with -vvv and part
of the server logs with -ddd.

The logs seem to suggest that it knows to run the PAM stack but then
somewhere the connection does not succeed. 

Please let me know if there is anything else I can do to help
troubleshoot this issue.

You are receiving this mail because:
You are watching the assignee of the bug.

More information about the openssh-bugs mailing list