3.6.1p2 - UsePAM & challenge response

Darren Tucker dtucker at zip.com.au
Mon Sep 15 10:21:50 EST 2003

Mike Bethune wrote:
> > On Sun, 2003-09-14 at 10:32, Mike Bethune wrote:
> > > 4) try to connect to your server with it: it doesn't work.

> djm at mindrot.org wrote:
> > "It doesn't work" is not a bug report.

> This is how you alienate anyone from reporting anything. If you
> understood English, this would be good enough.  Why develop open source
> software if you don't want to get feedback.  Now, I'll just fix the
> code myself and not give it to you.

It's disappointing that you feel that way, but that is of course your right
to behave that way should you choose to do so.

First, if you haven't read Simon Tatham's "How to Report Bugs Effectively"
[0], go do so now.  We'll wait.

Now, consider Damien's point of view.  OpenSSH has a number of
configure-time options, runs on dozens of platforms out of the box, each
of which has potentially dozens of variants.  This means there are
literally thousands of possible combinations.

So far, in the 4 messages you have sent, you have not provided:

* Server operating system type and version
* Configure and compile-time options (except you're probably using
* Version of PuTTY

You have, however, provided a lot of attitude.  This is not a substitute.

To assist in diagnosing your problem, you could also supply
* server-side debugging for your failed connection [1]
* PuTTY packet log (be aware that your password will be logged if you type
it, so delete it from the log before sending it).

Now, it so happens that I have PuTTY (0.53b) handy so I attempted to
reproduce your problem.  I was unable to do so.  I configured PuTTY to
connect with SSHv1 only and attempt "TIS or Cryptocard auth".  The server
is Redhat 8, OpenSSH code from today's CVS, configured with "./configure
--with-pam".  Here's what I got in the PuTTY window:

login as: dtucker
Sent username "dtucker"
Response: [type my password here]
Last login: Sun Sep 14 16:44:59 2003 from dingo.dodgy.net.au
debug1: PAM: reinitializing credentials
debug1: permanently_set_uid: 500/500
debug1: PAM: retrieving environment
[login stuff snipped]

[dtucker at gate dtucker]$ logout

I have attached my server-side debugging for your comparison.

[0] http://www.chiark.greenend.org.uk/~sgtatham/bugs.html
[1] http://www.snailbook.com/faq/general-debugging.auto.html

Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
-------------- next part --------------
# ./sshd -o PasswordAuthentication=no -o ChallengeResponseAuthentication=yes -o UsePAM=yes -o UsePrivilegeSeparation=no -p 2022 -ddd -o Protocol=1
debug2: read_server_config: filename /usr/local/etc/sshd_config
debug1: sshd version OpenSSH_3.7p1
debug1: private host key: #0 type 0 RSA1
socket: Address family not supported by protocol
debug1: Bind to port 2022 on
Server listening on port 2022.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
Connection from port 1148
debug1: Client protocol version 1.5; client software version PuTTY-Release-0.53b
debug1: no match: PuTTY-Release-0.53b
debug1: Local version string SSH-1.5-OpenSSH_3.7p1
debug1: Sent 768 bit server key and 1024 bit host key.
debug1: Encryption type: blowfish
debug1: Received session key; encryption turned on.
debug1: Installing crc compensation attack detector.
debug1: PAM: initializing for "dtucker"
debug3: Trying to reverse map address
debug1: PAM: setting PAM_RHOST to "dingo.dodgy.net.au"
debug1: PAM: setting PAM_TTY to "ssh"
debug1: Attempting authentication for dtucker.
debug1: rcvd SSH_CMSG_AUTH_TIS
debug3: ssh_msg_recv entering
debug3: ssh_msg_send: type 1
debug3: ssh_msg_recv entering
debug1: sending challenge 'Password: '
debug2: PAM: sshpam_respond
debug3: ssh_msg_send: type 6
debug3: ssh_msg_recv entering
debug3: ssh_msg_send: type 0
debug3: do_pam_account: pam_acct_mgmt = 0
Accepted challenge-response for dtucker from port 1148
debug1: session_new: init
debug1: session_new: session 0
debug1: Allocating pty.
debug1: session_pty_req: session 0 alloc /dev/pts/7
debug1: PAM: setting PAM_TTY to "/dev/pts/7"
debug1: PAM: establishing credentials
debug2: fd 4 setting TCP_NODELAY
debug1: Entering interactive session.
debug2: fd 3 setting O_NONBLOCK
debug2: fd 7 is O_NONBLOCK
debug2: fd 9 setting O_NONBLOCK
debug2: fd 10 setting O_NONBLOCK
debug1: server_init_dispatch_13
debug1: server_init_dispatch_15
debug1: Setting controlling tty using TIOCSCTTY.
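
The following is an added example, not part of the original message or of OpenSSH: a small Python helper for comparing a failing server-side debug log against the known-good one above, by reporting the first login milestone that is missing. The milestone names and the summarize() function are hypothetical; the matched strings are the ones that appear in the attached log.

```python
import re

# Ordered milestones of an SSHv1 TIS (PAM challenge-response) login, taken from
# the message strings in the known-good sshd -ddd log attached above.
# The milestone names on the left are hypothetical labels for this example.
MILESTONES = [
    ("version_exchange", r"Client protocol version (\S+); client software version (\S+)"),
    ("encryption_on", r"Received session key; encryption turned on"),
    ("pam_init", r'PAM: initializing for "([^"]+)"'),
    ("tis_requested", r"rcvd SSH_CMSG_AUTH_TIS"),
    ("challenge_sent", r"sending challenge '(.*)'"),
    ("pam_account", r"do_pam_account: pam_acct_mgmt = (-?\d+)"),  # 0 is PAM_SUCCESS
    ("accepted", r"Accepted challenge-response for (\S+)"),
    ("session", r"Entering interactive session"),
]

def summarize(log_text):
    """Return (reached, first_missing) for one sshd debug log."""
    reached = {}
    for line in log_text.splitlines():
        for name, pattern in MILESTONES:
            m = re.search(pattern, line)
            if m and name not in reached:
                reached[name] = m.groups()  # keep captured details for the report
    first_missing = next((n for n, _ in MILESTONES if n not in reached), None)
    return reached, first_missing

# Lines copied from the attached known-good log.
GOOD = """\
debug1: Client protocol version 1.5; client software version PuTTY-Release-0.53b
debug1: Received session key; encryption turned on.
debug1: PAM: initializing for "dtucker"
debug1: rcvd SSH_CMSG_AUTH_TIS
debug1: sending challenge 'Password: '
debug3: do_pam_account: pam_acct_mgmt = 0
Accepted challenge-response for dtucker from port 1148
debug1: Entering interactive session.
"""
# Constructed failing case: the same log cut off before the challenge is sent.
FAILING = GOOD.split("debug1: sending challenge")[0]

if __name__ == "__main__":
    for label, text in (("good", GOOD), ("failing", FAILING)):
        reached, missing = summarize(text)
        print(label, "reached:", list(reached), "first missing:", missing)
```

The name of the first missing milestone, together with the client version string captured at version_exchange, is the kind of detail a bug report for this problem would carry.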
