Password-Authentication with openssh-3.1p1 fails

Andreas Muck fam.muck at telda.net
Mon Mar 11 22:50:52 EST 2002


Hello out there,

I've got a strange problem after updating my openssh-installation 
from 2.9.9p2 (SuSE-package) to openssh-3.1p1 (Installation from the 
source with a modified src.rpm). I will give you as much information 
as possible and I hope there is somebody who can help me. I asked in 
detail in usenet-groups but nobody had any idea how to fix my problem 
by configuration.

My system is a SuSE-Linux 7.2:
	-kernel 2.4.16-4GB (original SuSE-7.2-package)
	-pam 0.75 (SuSE-7.3-package after rebuilding)
	-previous openssh-version: 2.9.9p2 (original SuSE-7.2-package)

On this system I could work with openssh as expected: authentication
works with pubkey- and password-authentication (other
authentication-methods were not allowed). After updating my
openssh-package to the current version pubkey-authentication still 
works but password-authentication fails in every case.

I compiled openssh-3.1p1 as follows (options included in the 
src.rpm):

./configure \
        --mandir=%{_mandir} \
        --prefix=%{prefix} \
        --infodir=%{_infodir} \
        --sysconfdir=/etc/ssh \
        --libexecdir=%{prefix}/lib/ssh \
        --with-tcp-wrappers \
        --with-pam
make

Software- and package-building works fine.

After installation I can connect to localhost via pubkey-
authentication (server running in debug-mode):

	andreas at home:~ > ssh localhost
	Enter passphrase for key '/home/andreas/.ssh/id_rsa':
	Last login: Sat Mar  9 19:48:41 2002 from console
	Have a lot of fun...
	debug1: PAM establishing creds
	Environment:
	  USER=andreas
	  LOGNAME=andreas
	  HOME=/home/andreas
	  PATH=/usr/bin:/bin:/usr/sbin:/sbin
	  MAIL=/var/mail/andreas
	  SHELL=/bin/bash
	  SSH_CLIENT=127.0.0.1 1046 22
	  SSH_TTY=/dev/pts/4
	  TERM=xterm
	andreas at home:~ >

When I disable my authorized_keys-files I would expect
password-authentication -  which takes place, but I've got no 
connection even if I type my correct password (you can be sure that 
the password used is correct):

	andreas at home:~ > mv ./.ssh/authorized_keys2 \
		./.ssh/authorized_keys2.orig
	andreas at home:~ > ssh localhost
	andreas at localhost's password:
	Permission denied, please try again.
	andreas at localhost's password:
	Permission denied, please try again.
	andreas at localhost's password:
	Permission denied (publickey,password,keyboard-interactive).
	andreas at home:~ >

Here is server-output in debug-mode:

	bash-2.05# sshd -4 -d
	debug1: sshd version OpenSSH_3.1p1
	debug1: private host key: #0 type 0 RSA1
	debug1: read PEM private key done: type RSA
	debug1: private host key: #1 type 1 RSA
	debug1: read PEM private key done: type DSA
	debug1: private host key: #2 type 2 DSA
	debug1: Bind to port 22 on 0.0.0.0.
	Server listening on 0.0.0.0 port 22.
	Generating 768 bit RSA key.
	RSA key generation complete.
	debug1: Server will not fork when running in debugging mode.
	Connection from 127.0.0.1 port 1053
	debug1: Client protocol version 2.0; client software version
	OpenSSH_3.1p1
	debug1: match: OpenSSH_3.1p1 pat OpenSSH*
	Enabling compatibility mode for protocol 2.0
	debug1: Local version string SSH-1.99-OpenSSH_3.1p1
	debug1: list_hostkey_types: ssh-rsa,ssh-dss
	debug1: SSH2_MSG_KEXINIT sent
	debug1: SSH2_MSG_KEXINIT received
	debug1: kex: client->server aes128-cbc hmac-md5 none
	debug1: kex: server->client aes128-cbc hmac-md5 none
	debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
	debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
	debug1: dh_gen_key: priv key bits set: 121/256
	debug1: bits set: 1655/3191
	debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
	debug1: bits set: 1583/3191
	debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
	debug1: kex_derive_keys
	debug1: newkeys: mode 1
	debug1: SSH2_MSG_NEWKEYS sent
	debug1: waiting for SSH2_MSG_NEWKEYS
	debug1: newkeys: mode 0
	debug1: SSH2_MSG_NEWKEYS received
	debug1: KEX done
	debug1: userauth-request for user andreas service ssh-connection
	method none
	debug1: attempt 0 failures 0
	debug1: Starting up PAM with username "andreas"
	debug1: PAM setting rhost to "localhost"
	Failed none for andreas from 127.0.0.1 port 1053 ssh2
	debug1: userauth-request for user andreas service ssh-connection
	method publickey
	debug1: attempt 1 failures 1
	debug1: test whether pkalg/pkblob are acceptable
	debug1: temporarily_use_uid: 500/100 (e=0)
	debug1: trying public key file
	/home/andreas/.ssh/authorized_keys
	debug1: restore_uid
	debug1: temporarily_use_uid: 500/100 (e=0)
	debug1: trying public key file
	/home/andreas/.ssh/authorized_keys2
	debug1: restore_uid
	Failed publickey for andreas from 127.0.0.1 port 1053 ssh2
	debug1: userauth-request for user andreas service ssh-connection
	method publickey
	debug1: attempt 2 failures 2
	debug1: test whether pkalg/pkblob are acceptable
	debug1: temporarily_use_uid: 500/100 (e=0)
	debug1: trying public key file
	/home/andreas/.ssh/authorized_keys
	debug1: restore_uid
	debug1: temporarily_use_uid: 500/100 (e=0)
	debug1: trying public key file
	/home/andreas/.ssh/authorized_keys2
	debug1: restore_uid
	Failed publickey for andreas from 127.0.0.1 port 1053 ssh2
	debug1: userauth-request for user andreas service ssh-connection
	method keyboard-interactive
	debug1: attempt 3 failures 3
	debug1: keyboard-interactive devs
	debug1: auth2_challenge: user=andreas devs=
	debug1: kbdint_alloc: devices ''
	Failed keyboard-interactive for andreas from 127.0.0.1 port 1053
	ssh2
	debug1: userauth-request for user andreas service ssh-connection
	method password
	debug1: attempt 4 failures 4
	debug1: PAM Password authentication for "andreas" failed[7]:
	Authentication failure
	Failed password for andreas from 127.0.0.1 port 1053 ssh2
	debug1: userauth-request for user andreas service ssh-connection
	method password
	debug1: attempt 5 failures 5
	debug1: PAM Password authentication for "andreas" failed[7]:
	Authentication failure
	Failed password for andreas from 127.0.0.1 port 1053 ssh2
	debug1: userauth-request for user andreas service ssh-connection
	method password
	debug1: attempt 6 failures 6
	debug1: PAM Password authentication for "andreas" failed[7]:
	Authentication failure
	Failed password for andreas from 127.0.0.1 port 1053 ssh2
	Connection closed by 127.0.0.1
	debug1: Calling cleanup 0x8052ce0(0x0)
	debug1: Calling cleanup 0x8068e20(0x0)
	bash-2.05#

That is the part of /var/log/messages generated by PAM:

	Mar  9 20:14:55 home PAM-unix2[1045]: pam_sm_authenticate() called
	Mar  9 20:14:55 home PAM-unix2[1045]: username=[andreas]
	Mar  9 20:14:55 home PAM-unix2[1045]: wrong password, return \
		PAM_AUTH_ERR
	Mar  9 20:14:59 home PAM-unix2[1045]: pam_sm_authenticate() called
	Mar  9 20:14:59 home PAM-unix2[1045]: username=[andreas]
	Mar  9 20:14:59 home PAM-unix2[1045]: wrong password, return \
		PAM_AUTH_ERR
	Mar  9 20:15:04 home PAM-unix2[1045]: pam_sm_authenticate() called
	Mar  9 20:15:04 home PAM-unix2[1045]: username=[andreas]
	Mar  9 20:15:04 home PAM-unix2[1045]: wrong password, return \
		PAM_AUTH_ERR

Here is my /etc/pam.d/sshd:

	#%PAM-1.0
	auth     required       /lib/security/pam_unix.so       debug # \
		set_secrpc
	auth     required       /lib/security/pam_nologin.so
	auth     required       /lib/security/pam_env.so
	account  required       /lib/security/pam_unix.so
	password required       /lib/security/pam_pwcheck.so    md5 \
		use_cracklib
	password required       /lib/security/pam_unix.so       md5 \
		use_first_pass use_authtok
	session  required       /lib/security/pam_unix.so       none # \
		trace or debug
	session  required       /lib/security/pam_limits.so

This /etc/pam.d/sshd works fine with openssh-2.9.9p2 (SuSE-package).

My /etc/ssh/sshd_config is empty (all entries are comments) except 
for the sftp-subsystem. My ~/.ssh/config is empty too.

I think there is a problem with PAM, but I'm sure my configuration is 
valid. It seems that openssh passes a wrong password to PAM which 
results in an error.

So, many thanks for your effort fighting through my information, I hope 
there is somebody who has an idea!

Ciao
Andreas
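
Added example, not part of the original message: a small Python triage script that reads `sshd -d` output in the format quoted above and reports, per userauth-request, the method, the outcome and the PAM error code. The sample log is constructed from lines in the post (shortened), and the function names are hypothetical.

```python
import re

# Constructed sample, shortened from the sshd -d output in the post. It keeps a
# mail-wrapped continuation ("ssh2") and the fused "method passworddebug1:" line.
SAMPLE = """\
debug1: userauth-request for user andreas service ssh-connection
method keyboard-interactive
debug1: attempt 3 failures 3
Failed keyboard-interactive for andreas from 127.0.0.1 port 1053
ssh2
debug1: userauth-request for user andreas service ssh-connection
method passworddebug1: attempt 5 failures 5
debug1: PAM Password authentication for "andreas" failed[7]:
Authentication failure
Failed password for andreas from 127.0.0.1 port 1053 ssh2
"""

REQ = re.compile(r"userauth-request for user \S+ service \S+ method (\S+)")
RESULT = re.compile(r"(Failed|Accepted) (\S+) for \S+ from \S+ port \d+")
PAM_ERR = re.compile(r"PAM Password authentication for \S+ failed\[(\d+)\]")

def normalise(text):
    """Undo mail wrapping: split a fused 'debug1:' and join continuation lines."""
    text = re.sub(r"(?<=\S)debug1:", "\ndebug1:", text)
    records = []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("debug1:") or RESULT.match(line) or not records:
            records.append(line)          # a new log record starts here
        else:
            records[-1] += " " + line     # wrapped tail of the previous record
    return records

def auth_attempts(text):
    """Return one dict per userauth-request: method, result, PAM error code."""
    attempts = []
    for rec in normalise(text):
        if m := REQ.search(rec):
            attempts.append({"method": m[1], "result": None, "pam_code": None})
        elif attempts and (m := PAM_ERR.search(rec)):
            attempts[-1]["pam_code"] = int(m[1])
        elif attempts and (m := RESULT.match(rec)):
            attempts[-1]["result"] = m[1]
    return attempts

if __name__ == "__main__":
    for a in auth_attempts(SAMPLE):
        print(f'{a["method"]:22} {a["result"]} pam_code={a["pam_code"]}')
```

On the sample this shows the password method failing with code 7, the value sshd prints alongside the `PAM_AUTH_ERR` entries in the PAM log above, while keyboard-interactive fails without reaching PAM at all.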



