OpenSSH Authentication on Solaris w/ NIS+ Problem

Karsten Künne kuenne at rentec.com
Mon Oct 6 16:09:24 EST 2003


On Sunday 05 October 2003 16:12, Michael Ziselman wrote:
> Hello,
>
>    I am having a very aggravating problem, and I will try and provide all
> of the necessary information.  I have openssh-3.7.1p2 with openssl-0.9.6k
> installed on Solaris 8.  Here is what I've been able to determine so far:
>
> 1. Local account authentication works fine (non-NIS+).
> 1a. NIS+ is running at security level 2
> 2. Telnet authentication works fine.
> 2a. When I use the SSH client, from another UNIX machine, it works fine --
> only Windows SSH clients (I've tried SecureCRT and SSH.com's SSH client)
> have problems connecting.
> 3. nscd is not running (I stopped it for now, but I don't think it matters)
> 3a. PAM is enabled in my sshd_config (see below)
> 4. When I log in via telnet (for example), it works; and then I try that
> same ID that wouldn't work originally via SSH, it then works!
> 5. When I log in to the master server via SSH it works fine (it only doesn't
> work when I try to log into client servers).
> 6. When I try keyboard interactive authentication (instead of Password),
> it works, but it asks me TWICE for the login info (the first time fails,
> the second time succeeds).
>
> TO SUMMARIZE: I have problems WHEN: I log in via SSH to the non-master NIS+
> server with a non-local account (NIS+ account) with a Windows client via
> 'Password' authentication.  I'd love to see someone figure THIS ONE out...
>

Your Windows clients are using password authentication. That doesn't work with 
ssh 3.7.1p2 on Solaris because the sshd has to be able to read the encrypted 
password out of NIS+. But if you run NIS+ at security level 2 the user needs 
to authenticate to NIS+ first via an explicit or implicit keylogin in order 
to be able to read his/her own encrypted password. Other users are not able 
to read it and that includes the root user on NIS+ clients. One exception is 
the root user (or machine principal) of the NIS+ master, that's why it works 
there. If you succeed in logging in via telnet then the telnetd does a keylogin 
and then stores your key with the keyserver, that's why subsequent ssh logins 
work until you reboot the machine (or restart the keyserver).

You should use PAM authentication via keyboard-interactive with your Windows 
clients. I don't know anything about the 2 clients you tried but I know that 
PuTTY works with protocol version 2 and keyboard-interactive (tried it 
myself).

> Here's my ./configure for openssh:
>
> ----------------------------------------------------------------------
> configured by ./configure, generated by GNU Autoconf 2.52,
>   with options "--prefix=/usr/openssh --with-pam --without-rsh
> --with-pid-dir=/var/run --with-md5-passwords --with-ssl-dir=/usr/local/ssl
> --with-mantype=man"
> ----------------------------------------------------------------------
>
> Here is my sshd.conf file:
>
> ----------------------------------------------------------------------
> Port 22
> Protocol 2
> #ListenAddress 0.0.0.0
> #ListenAddress ::
>
> # HostKey for protocol version 1
> HostKey /usr/openssh/etc/ssh_host_key
> # HostKeys for protocol version 2
> HostKey /usr/openssh/etc/ssh_host_rsa_key
> HostKey /usr/openssh/etc/ssh_host_dsa_key
>
> # Lifetime and size of ephemeral version 1 server key
> #KeyRegenerationInterval 1h
> ServerKeyBits 768
>
> # Logging
> #obsoletes QuietMode and FascistLogging
> SyslogFacility AUTH
> LogLevel INFO
>
> # Authentication:
>
> LoginGraceTime 2m
> PermitRootLogin no
> #StrictModes yes
>
> #RSAAuthentication yes
> #PubkeyAuthentication yes
> #AuthorizedKeysFile     .ssh/authorized_keys
>
> # For this to work you will also need host keys in /usr/openssh/etc/ssh_known_hosts
> #RhostsRSAAuthentication no
> # similar for protocol version 2
> #HostbasedAuthentication no
> # Change to yes if you don't trust ~/.ssh/known_hosts for
> # RhostsRSAAuthentication and HostbasedAuthentication
> #IgnoreUserKnownHosts no
> # Don't read the user's ~/.rhosts and ~/.shosts files
> IgnoreRhosts yes
>
> # To disable tunneled clear text passwords, change to no here!
> PasswordAuthentication yes
> #PermitEmptyPasswords no
>
> # Change to no to disable s/key passwords
> ChallengeResponseAuthentication yes
>
> # Kerberos options
> #KerberosAuthentication no
> #KerberosOrLocalPasswd yes
> #KerberosTicketCleanup yes
>
> # GSSAPI options
> #GSSAPIAuthentication no
> #GSSAPICleanupCreds yes
>
> # Set this to 'yes' to enable PAM authentication (via challenge-response)
> # and session processing. Depending on your PAM configuration, this may
> # bypass the setting of 'PasswordAuthentication'
> UsePAM yes
>
> #AllowTcpForwarding yes
> #GatewayPorts no
> X11Forwarding yes
> #X11DisplayOffset 10
> #X11UseLocalhost yes
> PrintMotd yes
> #PrintLastLog yes
> KeepAlive yes
> #UseLogin no
> UsePrivilegeSeparation yes
> #PermitUserEnvironment no
> #Compression yes
> #ClientAliveInterval 0
> #ClientAliveCountMax 3
> #UseDNS yes
> PidFile /var/run/sshd.pid
> #MaxStartups 10
> # no default banner path
> #Banner /some/path
> # override default of no subsystems
> Subsystem       sftp    /usr/openssh/libexec/sftp-server
> ----------------------------------------------------------------------
>
> Here is what it looks like when I use a Windows SSH client (with IP
> addresses changed to protect the innocent):
>
> bash-2.03# /usr/openssh/sbin/sshd -d -d -d
> debug3: Seeding PRNG from /usr/openssh/libexec/ssh-rand-helper
> debug2: read_server_config: filename /usr/openssh/etc/sshd_config
> debug1: sshd version OpenSSH_3.7.1p2
> debug1: private host key: #0 type 0 RSA1
> debug3: Not a RSA1 key file /usr/openssh/etc/ssh_host_rsa_key.
> debug1: read PEM private key done: type RSA
> debug1: private host key: #1 type 1 RSA
> debug3: Not a RSA1 key file /usr/openssh/etc/ssh_host_dsa_key.
> debug1: read PEM private key done: type DSA
> debug1: private host key: #2 type 2 DSA
> debug1: Bind to port 22 on ::.
> Server listening on :: port 22.
> debug1: Bind to port 22 on 0.0.0.0.
> Server listening on 0.0.0.0 port 22.
> debug1: Server will not fork when running in debugging mode.
> Connection from 10.0.0.1 port 1583
> debug1: Client protocol version 2.0; client software version 3.4.5 SecureCRT
> debug1: no match: 3.4.5 SecureCRT
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_3.7.1p2
> debug3: privsep user:group 1002:1002
> debug1: permanently_set_uid: 1002/1002
> debug1: list_hostkey_types: ssh-rsa,ssh-dss
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
> debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: none,zlib
> debug2: kex_parse_kexinit: none,zlib
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ssh-dss,ssh-rsa
> debug2: kex_parse_kexinit:
> aes128-cbc,aes192-cbc,aes256-cbc,twofish-cbc,blowfish-cbc,3des-cbc,arcfour
> debug2: kex_parse_kexinit:
> aes128-cbc,aes192-cbc,aes256-cbc,twofish-cbc,blowfish-cbc,3des-cbc,arcfour
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: none
> debug2: kex_parse_kexinit: none
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: mac_init: found hmac-md5
> debug1: kex: client->server aes128-cbc hmac-md5 none
> debug2: mac_init: found hmac-md5
> debug1: kex: server->client aes128-cbc hmac-md5 none
> debug2: Network child is on pid 801
> debug3: preauth child monitor started
> debug3: mm_request_receive entering
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
> debug3: mm_request_send entering: type 0
> debug3: mm_choose_dh: waiting for MONITOR_ANS_MODULI
> debug3: mm_request_receive_expect entering: type 1
> debug3: mm_request_receive entering
> debug3: monitor_read: checking request 0
> debug3: mm_answer_moduli: got parameters: 1024 2046 2046
> debug3: mm_request_send entering: type 1
> debug3: mm_choose_dh: remaining 0
> debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
> debug2: monitor_read: 0 used once, disabling now
> debug3: mm_request_receive entering
> debug2: dh_gen_key: priv key bits set: 133/256
> debug2: bits set: 786/1535
> debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
> debug2: bits set: 780/1535
> debug3: mm_key_sign entering
> debug3: mm_request_send entering: type 4
> debug3: monitor_read: checking request 4
> debug3: mm_answer_sign
> debug3: mm_answer_sign: signature 12b3c0(55)
> debug3: mm_request_send entering: type 5
> debug2: monitor_read: 4 used once, disabling now
> debug3: mm_request_receive entering
> debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN
> debug3: mm_request_receive_expect entering: type 5
> debug3: mm_request_receive entering
> debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
> debug2: kex_derive_keys
> debug2: set_newkeys: mode 1
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug2: set_newkeys: mode 0
> debug1: SSH2_MSG_NEWKEYS received
> debug1: KEX done
> debug1: userauth-request for user student service ssh-connection method none
> debug1: attempt 0 failures 0
> debug3: mm_getpwnamallow entering
> debug3: mm_request_send entering: type 6
> debug3: monitor_read: checking request 6
> debug3: mm_answer_pwnamallow
> debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM
> debug3: mm_request_receive_expect entering: type 7
> debug3: mm_request_receive entering
> debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
> debug3: mm_request_send entering: type 7
> debug2: monitor_read: 6 used once, disabling now
> debug3: mm_request_receive entering
> debug2: input_userauth_request: setting up authctxt for student
> debug3: mm_start_pam entering
> debug3: mm_request_send entering: type 43
> debug3: monitor_read: checking request 43
> debug1: PAM: initializing for "student"
> debug3: mm_inform_authserv entering
> debug3: Trying to reverse map address 10.0.0.1.
> debug3: mm_request_send entering: type 3
> debug2: input_userauth_request: try method none
> debug3: mm_auth_password entering
> debug3: mm_request_send entering: type 10
> debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
> debug3: mm_request_receive_expect entering: type 11
> debug3: mm_request_receive entering
> debug1: PAM: setting PAM_RHOST to "10.0.0.1-my.host.com"
> debug1: PAM: setting PAM_TTY to "ssh"
> debug2: monitor_read: 43 used once, disabling now
> debug3: mm_request_receive entering
> debug3: monitor_read: checking request 3
> debug3: mm_answer_authserv: service=ssh-connection, style=
> debug2: monitor_read: 3 used once, disabling now
> debug3: mm_request_receive entering
> debug3: monitor_read: checking request 10
> debug3: mm_answer_authpassword: sending result 0
> debug3: mm_request_send entering: type 11
> Failed none for student from 10.0.0.1 port 1583 ssh2
> debug3: mm_request_receive entering
> debug3: mm_auth_password: user not authenticated
> Failed none for student from 10.0.0.1 port 1583 ssh2
> debug1: userauth-request for user student service ssh-connection method password
> debug1: attempt 1 failures 1
> debug2: input_userauth_request: try method password
> debug3: mm_auth_password entering
> debug3: mm_request_send entering: type 10
> debug3: monitor_read: checking request 10
> debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
> debug3: mm_answer_authpassword: sending result 0
> debug3: mm_request_send entering: type 11
> Failed password for student from 10.0.0.1 port 1583 ssh2
> debug3: mm_request_receive entering
> debug3: mm_request_receive_expect entering: type 11
> debug3: mm_request_receive entering
> debug3: mm_auth_password: user not authenticated
> Failed password for student from 10.0.0.1 port 1583 ssh2
>
> Thanks.
>

-- 
Subtlety is the art of saying what you think and getting out of the way
before it is understood.
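The trace quoted above shows the telling combination: the account lookup succeeds (MONITOR_ANS_PWNAM: 1) and only the password method is tried and rejected, with no keyboard-interactive attempt. The following parser pulls exactly those facts out of an `sshd -ddd` trace and names that case; it is an added example, not code from the thread or from OpenSSH, and its sample trace is constructed after the one quoted above.

```python
import re

# Constructed sample modelled on the trace quoted in the thread (not a verbatim copy).
SAMPLE_TRACE = """\
Connection from 10.0.0.1 port 1583
debug1: Client protocol version 2.0; client software version 3.4.5 SecureCRT
debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
debug1: userauth-request for user student service ssh-connection method none
Failed none for student from 10.0.0.1 port 1583 ssh2
debug1: userauth-request for user student service ssh-connection method password
Failed password for student from 10.0.0.1 port 1583 ssh2
"""

RE_CLIENT = re.compile(r"client software version (.+)$")
RE_PWNAM = re.compile(r"MONITOR_ANS_PWNAM: (\d)")
RE_RESULT = re.compile(r"^(Failed|Accepted) (\S+) for (\S+) from (\S+)")

def summarise(trace):
    """Collect the client banner, whether sshd found the account, and the outcome
    of every method tried ('none' is the probe each client sends first)."""
    s = {"client": None, "user": None, "user_known": None, "attempts": []}
    for line in trace.splitlines():
        if m := RE_CLIENT.search(line):
            s["client"] = m.group(1).strip()
        elif m := RE_PWNAM.search(line):
            s["user_known"] = m.group(1) == "1"  # 1: getpwnam worked, login allowed
        elif m := RE_RESULT.match(line):
            verdict, method, user = m.group(1), m.group(2), m.group(3)
            s["user"] = user
            s["attempts"].append((method, verdict == "Accepted"))
    return s

def diagnose(s):
    """Map a summary onto the cases discussed in the thread."""
    if any(ok for _, ok in s["attempts"]):
        return "ok"
    if s["user_known"] is False:
        return "user-unknown"  # account lookup failed; not a password problem at all
    methods = {m for m, _ in s["attempts"] if m != "none"}
    if methods == {"password"}:
        # Account exists, the password could not be verified, and the client never
        # offered keyboard-interactive: on NIS+ at security level 2 sshd cannot read the
        # encrypted password without a keylogin, so move the client to keyboard-interactive.
        return "password-only-rejected"
    return "auth-failed"

if __name__ == "__main__":
    summary = summarise(SAMPLE_TRACE)
    print(summary["client"], summary["user"], diagnose(summary))
```

Feed it the full `sshd -ddd` output of one connection; a result of `password-only-rejected` is the signature of the situation described in the reply, while `user-unknown` means the name service lookup itself failed.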
