SSHD Bug with Pam/Winbind on FreeBSD ver5.2

Doug Martin drearwig at hotmail.com
Wed Aug 18 08:42:00 EST 2004


I've reproduced this bug in versions openssh-3.7p1 and openssh-3.8p1

I've verified that it works PERFECTLY in versions openssh-3.6p1 and 
openssh-2.9p2

I have not tested any other versions.

The problem is sshd will not authenticate passwords off a NT4 domain using 
winbind and pam.

Broken Debug output is:
debug1: PAM: initializing for "user"
debug1: PAM: setting PAM_RHOST to "user.domain.com"
Failed none for user from 192.168.1.21 port 3971 ssh2
Failed none for user from 192.168.1.21 port 3971 ssh2
debug1: userauth-request for user user service ssh-connection method password
debug1: attempt 1 failures 1
Failed password for user from 192.168.1.21 port 3971 ssh2
Failed password for user from 192.168.1.21 port 3971 ssh2


Working Debug output is:
debug1: Starting up PAM with username "user"
debug1: PAM setting rhost to "user.domain.com"
Failed none for user from 192.168.1.21 port 3948 ssh2
Failed none for user from 192.168.1.21 port 3948 ssh2
debug1: userauth-request for user user service ssh-connection method password
debug1: attempt 1 failures 1
debug1: PAM Password authentication accepted for user "user"
Accepted password for user from 192.168.1.21 port 3948 ssh2
Accepted password for user from 192.168.1.21 port 3948 ssh2
debug1: monitor_child_preauth: user has been authenticated by privileged process
debug1: Entering interactive session for SSH2.

To reproduce:
Build openssh with --with-pam option
Install samba
Your smb.conf should be running in:
   security = domain

And your /etc/pam.d/sshd should look like this:
# auth
auth            sufficient      pam_winbind.so
auth            sufficient      pam_nologin.so          no_warn
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
auth            sufficient      pam_unix.so             no_warn try_first_pass
account         sufficient      pam_winbind.so
account         required        pam_unix.so
session         required        pam_permit.so
password        required        pam_unix.so      no_warn try_first_pass

And just attempt to login using a domain user/pass

I'm using an older version of sshd now, but I thought I would report the 
problem because I spent many hours finding it.

I'm also not on this list so please reply to me with questions.

Thank you!





More information about the openssh-unix-dev mailing list