OpenSSH3.0p1/PAM/Sol8

Dost, Alexander Alexander.Dost at drkw.com
Fri Nov 9 05:35:25 EST 2001


Here is the output. First one successful login, after that passwd -f and a
new try...

Alex

Nov  8 18:25:29 FFTUST2001 sshd[5618]: [ID 888916 auth.debug] unix pam_sm_authenticate(sshd f998505), flags = 0
Nov  8 18:25:29 FFTUST2001 sshd[5618]: [ID 800047 auth.info] Accepted password for f998505 from 130.21.163.43 port 38296 ssh2
Nov  8 18:25:35 FFTUST2001 sshd[5618]: [ID 833576 auth.debug] pam_setcred: error Permission denied
---
Nov  8 18:26:07 FFTUST2001 sshd[5648]: [ID 888916 auth.debug] unix pam_sm_authenticate(sshd f998505), flags = 0
Nov  8 18:26:08 FFTUST2001 sshd[5648]: [ID 308033 auth.debug] pam_acct_mgmt: error Get new authentication token
Nov  8 18:26:08 FFTUST2001 sshd[5648]: [ID 800047 auth.info] Accepted password for f998505 from 130.21.163.43 port 38299 ssh2
Nov  8 18:26:08 FFTUST2001 sshd[5650]: [ID 618257 auth.debug] unix pam_sm_chauthtok(): prelim check
Nov  8 18:26:08 FFTUST2001 sshd[5650]: [ID 288048 auth.debug] pam_sm_chauthtok: System password aged
Nov  8 18:26:08 FFTUST2001 sshd[5650]: [ID 651162 auth.debug] unix_sm_chauthtok(): update passwords
Nov  8 18:26:08 FFTUST2001 sshd[5650]: [ID 801703 auth.debug] unix_sm_chauthtok: default
Nov  8 18:26:08 FFTUST2001 sshd[5650]: [ID 276273 auth.debug] unix_sm_chauthtok: uid = 0, euid = 0
Nov  8 18:26:08 FFTUST2001 sshd[5650]: [ID 803388 auth.debug] number of services is 1
Nov  8 18:26:08 FFTUST2001 sshd[5650]: [ID 240311 auth.debug] unix pam_sm_chauthtok(): repository: files after get_ns()
Nov  8 18:26:08 FFTUST2001 sshd[5650]: [ID 814557 auth.debug] ck_perm() called: repository=files
Nov  8 18:26:08 FFTUST2001 sshd[5650]: [ID 555593 auth.debug] PAM: verify_old_passwd: start: uid = 1590, privileged = 0
Nov  8 18:26:08 FFTUST2001 sshd[5650]: [ID 319219 auth.debug] verify_old_passwd(): repository is files
Nov  8 18:26:08 FFTUST2001 sshd[5650]: [ID 485903 auth.debug] try_first_pass = 0, use_first_pass = 0
Nov  8 18:26:11 FFTUST2001 sshd[5651]: [ID 862941 auth.debug] turn: maxdate == -7, mindate == -1
Nov  8 18:26:11 FFTUST2001 sshd[5650]: [ID 125209 auth.debug] pam_chauthtok: error Unknown error
Nov  8 18:26:11 FFTUST2001 sshd[5650]: [ID 800047 auth.crit] fatal: PAM pam_chauthtok failed[-1]: Unknown error
Nov  8 18:26:11 FFTUST2001 sshd[5650]: [ID 833576 auth.debug] pam_setcred: error Permission denied
Nov  8 18:26:11 FFTUST2001 sshd[5648]: [ID 833576 auth.debug] pam_setcred: error Permission denied


> -----Original Message-----
> From:	Ed Phillips [SMTP:ed at UDel.Edu]
> Sent:	Thursday, November 08, 2001 19:17
> To:	Dost, Alexander
> Cc:	openssh-unix-dev at mindrot.org
> Subject:	RE: OpenSSH3.0p1/PAM/Sol8
> 
> Can you try adding the "debug" option to the sshd lines in /etc/pam.conf?
> Also, make sure syslogd is gathering the messages for auth.err, auth.info,
> auth.debug, auth.alert, and auth.crit.  Maybe something will show up in
> the logs to pinpoint where pam_sm_chauthtok() is failing.  It's odd,
> because it should never return -1 - only valid PAM_XXXX error codes (which
> are >= 0), according to "man pam_sm_chauthtok".  Strange...
> 
> 	Ed
> 
> On Thu, 8 Nov 2001, Dost, Alexander wrote:
> 
> > Date: Thu, 8 Nov 2001 18:47:01 +0100
> > From: "Dost, Alexander" <Alexander.Dost at drkw.com>
> > To: 'Ed Phillips' <ed at UDel.Edu>
> > Cc: openssh-unix-dev at mindrot.org
> > Subject: RE: OpenSSH3.0p1/PAM/Sol8
> >
> > Yes, I get the error messages (illegal option shadow/nodelay).
> > I removed the entry and, as you said, they are just ignored, nothing
> > changed.
> > One additional piece of information: If I use NIS+ for password
> > authentication/changing, all works fine.
> >
> > Alex
> >
> > #
> > # /etc/nsswitch.files:
> > #
> > # An example file that could be copied over to /etc/nsswitch.conf; it
> > # does not use any naming service.
> > #
> > # "hosts:" and "services:" in this file are used only if the
> > # /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.
> >
> > passwd:     files
> > group:      files
> > hosts:      dns files
> > ipnodes:    files
> > networks:   files
> > protocols:  files
> > rpc:        files
> > ethers:     files
> > netmasks:   files
> > bootparams: files
> > publickey:  files
> > # At present there isn't a 'files' backend for netgroup;  the system will
> > #   figure it out pretty quickly, and won't use netgroups at all.
> > netgroup:   files
> > automount:  files
> > aliases:    files
> > services:   files
> > sendmailvars:   files
> > printers:	user files
> >
> > auth_attr:  files
> > prof_attr:  files
> > project:    files
> >
> > > -----Original Message-----
> > > From:	Ed Phillips [SMTP:ed at UDel.Edu]
> > > Sent:	Thursday, November 08, 2001 18:34
> > > To:	Dost, Alexander
> > > Cc:	openssh-unix-dev at mindrot.org
> > > Subject:	RE: OpenSSH3.0p1/PAM/Sol8
> > >
> > > On Thu, 8 Nov 2001, Dost, Alexander wrote:
> > >
> > > > Date: Thu, 8 Nov 2001 18:01:52 +0100
> > > > From: "Dost, Alexander" <Alexander.Dost at drkw.com>
> > > > To: 'Ed Phillips' <ed at UDel.Edu>
> > > > Cc: openssh-unix-dev at mindrot.org
> > > > Subject: RE: OpenSSH3.0p1/PAM/Sol8
> > > >
> > > > I imported the example from the contrib directory for generic unix.
> > > > sshd is running as root.
> > > >
> > > > Alex
> > > >
> > > > pam.conf:
> > > > #
> > > > #ident	"@(#)pam.conf	1.16	01/01/24 SMI"
> > > > #
> > > > # Copyright (c) 1996-2000 by Sun Microsystems, Inc.
> > > > # All rights reserved.
> > > > #
> > > > # PAM configuration
> > > > #
> > > > # Authentication management
> > > > #
> > > > login	auth required 	/usr/lib/security/$ISA/pam_unix.so.1
> > > > login	auth required 	/usr/lib/security/$ISA/pam_dial_auth.so.1
> > > > sshd	auth required	/usr/lib/security/$ISA/pam_unix.so shadow nodelay
> > >
> > > Not that it matters, but "shadow" and "nodelay" are not arguments that are
> > > recognized by pam_unix.so.1 according to "man pam_unix".
> > >
> > > > #
> > > > rlogin  auth sufficient /usr/lib/security/$ISA/pam_rhosts_auth.so.1
> > > > rlogin	auth required 	/usr/lib/security/$ISA/pam_unix.so.1
> > > > #
> > > > dtlogin	auth required 	/usr/lib/security/$ISA/pam_unix.so.1
> > > > #
> > > > rsh	auth required	/usr/lib/security/$ISA/pam_rhosts_auth.so.1
> > > > other	auth required	/usr/lib/security/$ISA/pam_unix.so.1
> > > > #
> > > > # Account management
> > > > #
> > > > login	account requisite	/usr/lib/security/$ISA/pam_roles.so.1
> > > > login	account	required	/usr/lib/security/$ISA/pam_projects.so.1
> > > > login	account required	/usr/lib/security/$ISA/pam_unix.so.1
> > > > sshd	account required	/usr/lib/security/$ISA/pam_unix.so.1
> > >
> > > Looks fine.
> > >
> > > > #
> > > > dtlogin	account requisite	/usr/lib/security/$ISA/pam_roles.so.1
> > > > dtlogin	account	required	/usr/lib/security/$ISA/pam_projects.so.1
> > > > dtlogin	account required	/usr/lib/security/$ISA/pam_unix.so.1
> > > > #
> > > > other	account requisite	/usr/lib/security/$ISA/pam_roles.so.1
> > > > other	account	required	/usr/lib/security/$ISA/pam_projects.so.1
> > > > other	account required	/usr/lib/security/$ISA/pam_unix.so.1
> > > > #
> > > > # Session management
> > > > #
> > > > sshd	session	required	/usr/lib/security/$ISA/pam_unix.so.1
> > >
> > > Looks fine.
> > >
> > > > other	session required	/usr/lib/security/$ISA/pam_unix.so.1
> > > > #
> > > > # Password management
> > > > #
> > > > sshd	password required	/usr/lib/security/$ISA/pam_unix.so shadow nullok use_authtok
> > >
> > > Again, these are not supported arguments according to "man pam_unix".
> > > However, they should just be ignored.  You should get syslog messages to
> > > auth.err about these options though.  Did you see any?
> > >
> > > > other	password required	/usr/lib/security/$ISA/pam_unix.so.1
> > > > dtsession auth required	/usr/lib/security/$ISA/pam_unix.so.1
> > > > #
> > > > # Support for Kerberos V5 authentication (uncomment to use Kerberos)
> > >
> > > Hmmmm... what does your /etc/nsswitch.conf file look like?
> > >
> > > 	Ed
> > >
> > > Ed Phillips <ed at udel.edu> University of Delaware (302) 831-6082
> > > Systems Programmer III, Network and Systems Services
> > > finger -l ed at polycut.nss.udel.edu for PGP public key
> >
> >
> >
> 
> Ed Phillips <ed at udel.edu> University of Delaware (302) 831-6082
> Systems Programmer III, Network and Systems Services
> finger -l ed at polycut.nss.udel.edu for PGP public key
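The failing sequence Alex posted (pam_acct_mgmt demanding a new authentication token, the password accepted anyway, then the forked child dying in pam_chauthtok) is the kind of pattern worth flagging automatically rather than reading by eye. The following Python is an added example, not code from the thread or from OpenSSH: it parses Solaris-style sshd syslog lines, pairs each expired-token login with the next pam_chauthtok failure on the same host, and reports the user. The sample lines are constructed after the ones above, and the 60-second correlation window is an assumption.

```python
import re

# Solaris syslog layout used by the thread:
# "<timestamp> <host> sshd[<pid>]: [ID <n> <facility>.<level>] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"\[ID (?P<msgid>\d+) (?P<facility>\w+)\.(?P<level>\w+)\] (?P<msg>.*)$"
)

# Constructed sample modelled on the failing login in the thread, plus one
# unrelated healthy login that must not be reported.
SAMPLE_LOG = """\
Nov  8 18:26:08 FFTUST2001 sshd[5648]: [ID 308033 auth.debug] pam_acct_mgmt: error Get new authentication token
Nov  8 18:26:08 FFTUST2001 sshd[5648]: [ID 800047 auth.info] Accepted password for f998505 from 130.21.163.43 port 38299 ssh2
Nov  8 18:26:08 FFTUST2001 sshd[5650]: [ID 288048 auth.debug] pam_sm_chauthtok: System password aged
Nov  8 18:26:11 FFTUST2001 sshd[5650]: [ID 800047 auth.crit] fatal: PAM pam_chauthtok failed[-1]: Unknown error
Nov  8 18:27:00 FFTUST2001 sshd[5700]: [ID 800047 auth.info] Accepted password for alice from 130.21.163.43 port 38300 ssh2
"""

def parse(text):
    """Yield a dict per line that matches the sshd syslog layout; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def to_seconds(ts):
    """Seconds within the month for 'Nov  8 18:26:08' (month rollover ignored)."""
    _, day, clock = ts.split()
    h, m, s = (int(x) for x in clock.split(":"))
    return int(day) * 86400 + h * 3600 + m * 60 + s

def find_failed_password_changes(text, window=60):
    """Return [(user, failing_pid, message)] for logins whose forced change failed."""
    needs_new_token = set()   # sshd PIDs where pam_acct_mgmt asked for a new authtok
    pending = []              # (host, time, user) logins still owing a password change
    findings = []
    for e in parse(text):
        msg, pid, host = e["msg"], e["pid"], e["host"]
        if msg.startswith("pam_acct_mgmt: error Get new authentication token"):
            needs_new_token.add(pid)
        elif msg.startswith("Accepted password for ") and pid in needs_new_token:
            needs_new_token.discard(pid)
            pending.append((host, to_seconds(e["ts"]), msg.split()[3]))
        elif "pam_chauthtok failed" in msg:
            now = to_seconds(e["ts"])
            for i, (h, t0, user) in enumerate(pending):
                if h == host and 0 <= now - t0 <= window:
                    findings.append((user, pid, msg))
                    del pending[i]
                    break
    return findings
```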