[Bug 159] New: Password-Authentication with openssh-3.1p1 fails
bugzilla-daemon at mindrot.org
Tue Mar 12 20:32:20 EST 2002
http://bugzilla.mindrot.org/show_bug.cgi?id=159
Summary: Password-Authentication with openssh-3.1p1 fails
Product: Portable OpenSSH
Version: 3.1p1
Platform: ix86
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: sshd
AssignedTo: openssh-unix-dev at mindrot.org
ReportedBy: fam.muck at telda.net
CC: fam.muck at telda.net
Hallo out there,
I've got a strange problem after updating my openssh-installation
from 2.9.9p2 (SuSE-package) to openssh-3.1p1 (Installation from the
source with a modified src.rpm). I will give you as much information
as possible and I hope there is anybody who can help me. I asked in
detail in usenet-groups but nobody had any idea to fix my problem by
configuration.
My system is a SuSE-Linux 7.2:
-kernel 2.4.16-4GB (original SuSE-7.2-package)
-pam 0.75 (SuSE-7.3-package after rebuilding)
-previous openssh-version: 2.9.9p2 (original SuSE-7.2-package)
On this system I could work with openssh as expected: authentication
works with pubkey- and password-authentication (other
authentication-methods were not allowed). After updating my
openssh-package to the current version pubkey-authentication still
works but password-authentication fails in every case.
I compiled openssh-3.1p1 as follows (options included in the
src.rpm):
./configure \
--mandir=%{_mandir} \
--prefix=%{prefix} \
--infodir=%{_infodir} \
--sysconfdir=/etc/ssh \
--libexecdir=%{prefix}/lib/ssh \
--with-tcp-wrappers \
--with-pam
make
Software- and package-building works fine.
After installation I can connect to localhost via pubkey-
authentication (server running in debug-mode):
andreas@home:~ > ssh localhost
Enter passphrase for key '/home/andreas/.ssh/id_rsa':
Last login: Sat Mar 9 19:48:41 2002 from console
Have a lot of fun...
debug1: PAM establishing creds
Environment:
USER=andreas
LOGNAME=andreas
HOME=/home/andreas
PATH=/usr/bin:/bin:/usr/sbin:/sbin
MAIL=/var/mail/andreas
SHELL=/bin/bash
SSH_CLIENT=127.0.0.1 1046 22
SSH_TTY=/dev/pts/4
TERM=xterm
andreas@home:~ >
When I disable my authorized_keys-files I would expect
password-authentication - which takes place, but I've got no
connection even if I type my correct password (you can be sure that
the password used is correct):
andreas@home:~ > mv ./.ssh/authorized_keys2 \
./.ssh/authorized_keys2.orig
andreas@home:~ > ssh localhost
andreas@localhost's password:
Permission denied, please try again.
andreas@localhost's password:
Permission denied, please try again.
andreas@localhost's password:
Permission denied (publickey,password,keyboard-interactive).
andreas@home:~ >
Here is server-output in debug-mode:
bash-2.05# sshd -4 -d
debug1: sshd version OpenSSH_3.1p1
debug1: private host key: #0 type 0 RSA1
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
Connection from 127.0.0.1 port 1053
debug1: Client protocol version 2.0; client software version
OpenSSH_3.1p1
debug1: match: OpenSSH_3.1p1 pat OpenSSH*
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-1.99-OpenSSH_3.1p1
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: dh_gen_key: priv key bits set: 121/256
debug1: bits set: 1655/3191
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: bits set: 1583/3191
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user andreas service ssh-connection
method none
debug1: attempt 0 failures 0
debug1: Starting up PAM with username "andreas"
debug1: PAM setting rhost to "localhost"
Failed none for andreas from 127.0.0.1 port 1053 ssh2
debug1: userauth-request for user andreas service ssh-connection
method publickey
debug1: attempt 1 failures 1
debug1: test whether pkalg/pkblob are acceptable
debug1: temporarily_use_uid: 500/100 (e=0)
debug1: trying public key file
/home/andreas/.ssh/authorized_keys
debug1: restore_uid
debug1: temporarily_use_uid: 500/100 (e=0)
debug1: trying public key file
/home/andreas/.ssh/authorized_keys2
debug1: restore_uid
Failed publickey for andreas from 127.0.0.1 port 1053 ssh2
debug1: userauth-request for user andreas service ssh-connection
method publickey
debug1: attempt 2 failures 2
debug1: test whether pkalg/pkblob are acceptable
debug1: temporarily_use_uid: 500/100 (e=0)
debug1: trying public key file
/home/andreas/.ssh/authorized_keys
debug1: restore_uid
debug1: temporarily_use_uid: 500/100 (e=0)
debug1: trying public key file
/home/andreas/.ssh/authorized_keys2
debug1: restore_uid
Failed publickey for andreas from 127.0.0.1 port 1053 ssh2
debug1: userauth-request for user andreas service ssh-connection
method keyboard-interactive
debug1: attempt 3 failures 3
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=andreas devs=
debug1: kbdint_alloc: devices ''
Failed keyboard-interactive for andreas from 127.0.0.1 port 1053
ssh2
debug1: userauth-request for user andreas service ssh-connection
method password
debug1: attempt 4 failures 4
debug1: PAM Password authentication for "andreas" failed[7]:
Authentication failure
Failed password for andreas from 127.0.0.1 port 1053 ssh2
debug1: userauth-request for user andreas service ssh-connection
method password
debug1: attempt 5 failures 5
debug1: PAM Password authentication for "andreas" failed[7]:
Authentication failure
Failed password for andreas from 127.0.0.1 port 1053 ssh2
debug1: userauth-request for user andreas service ssh-connection
method password
debug1: attempt 6 failures 6
debug1: PAM Password authentication for "andreas" failed[7]:
Authentication failure
Failed password for andreas from 127.0.0.1 port 1053 ssh2
Connection closed by 127.0.0.1
debug1: Calling cleanup 0x8052ce0(0x0)
debug1: Calling cleanup 0x8068e20(0x0)
bash-2.05#
That is the part of /var/log/messages generated by PAM:
Mar 9 20:14:55 home PAM-unix2[1045]: pam_sm_authenticate() called
Mar 9 20:14:55 home PAM-unix2[1045]: username=[andreas]
Mar 9 20:14:55 home PAM-unix2[1045]: wrong password, return \
PAM_AUTH_ERR
Mar 9 20:14:59 home PAM-unix2[1045]: pam_sm_authenticate() called
Mar 9 20:14:59 home PAM-unix2[1045]: username=[andreas]
Mar 9 20:14:59 home PAM-unix2[1045]: wrong password, return \
PAM_AUTH_ERR
Mar 9 20:15:04 home PAM-unix2[1045]: pam_sm_authenticate() called
Mar 9 20:15:04 home PAM-unix2[1045]: username=[andreas]
Mar 9 20:15:04 home PAM-unix2[1045]: wrong password, return \
PAM_AUTH_ERR
Here is my /etc/pam.d/sshd:
#%PAM-1.0
auth required /lib/security/pam_unix.so debug # \
set_secrpc
auth required /lib/security/pam_nologin.so
auth required /lib/security/pam_env.so
account required /lib/security/pam_unix.so
password required /lib/security/pam_pwcheck.so md5 \
use_cracklib
password required /lib/security/pam_unix.so md5 \
use_first_pass use_authtok
session required /lib/security/pam_unix.so none # \
trace or debug
session required /lib/security/pam_limits.so
This /etc/pam.d/sshd works fine with openssh-2.9.9p2 (SuSE-package).
My /etc/ssh/sshd_config is empty (all entries are comments) except
for the sftp-subsystem. My ~/.ssh/config is empty too.
I think there is a problem with PAM, but I'm sure my configuration is
valid. It seems that openssh passes a wrong password to PAM which
results in an error.
So, much thanks for your effort fighting through my infos, I hope
there is anybody who has any idea!
Ciao
Andreas