LinuxPAM woes on the 3.6 series of openssh portable - strangebehaviour

Darren Tucker dtucker at
Wed Dec 3 16:43:16 EST 2003

Nick Lange wrote:
>   I hate to ask what's going to boil down to a configuration issue (I
> think)... and before I start pouring through the
> code I'm hoping someone can just point out what's going on.
> Essentially, on a particular "flavor" of our redhat linux 8 boxes PAM
> always seems to be called/fail before any real
> authentication takes place. On other boxes, this is not the case.
> Normally this would not be a problem; however, in a
> three-failed-passwords and you are locked out environment, this
> renders public key's almost useless. (Three successful
> authentications via public key will register three failed authentication
> attempts).

This is probably due to the "none" authentication attempted at the start
of the SSH conversation.  Previous versions would skip this test if
PermitEmptyPasswords was "no", however the owl-always-auth changes
introduced in 3.6.1p2 (?) meant that it would always be attempted.

For a better description, see (near the bottom):

There's a patch against 3.6.1p2 there too:

Darren Tucker (dtucker at
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

More information about the openssh-unix-dev mailing list