PAM auth stage rejection not working

Nick Burrett nick at dsvr.net
Thu Jan 22 02:11:51 EST 2004



Hi,

I have an auth module for PAM that I wrote a few years ago called 
pam_vsd.so.  The idea is that a user must have a certain privilege 
before they can successfully authenticate.  Without the privilege the 
PAM module will return PAM_PERM_DENIED.

However I find that in OpenSSH 3.7.1p2, I can easily subvert this check 
simply by hitting return 3 times on connection i.e.


[nick@localhost pam.d]$ ssh nick@host.dsvr.net
Server host.dsvr.net
Password:  <hit return>
Password:  <hit return>
Password:  <hit return>
nick@host.dsvr.net's password: <enter real password>
[nick@host.dsvr.net nick]$


Syslog shows that indeed pam_vsd.so is correctly rejecting the 
connection, but then why does it fail the keyboard-interactive/pam login 
and then allow another type of login?

I have been using this module for a few years now and it works fine on 
other services such as FTP, SMTP, POP3 and IMAP.

Any thoughts?


Regards,


Nick

Extract from syslog:

PAM_pwdb[25749]: (sshd) session closed for user nick
PAM_pwdb[25761]: authentication failure; (uid=0) -> nick for sshd service
PAM-vsd[25761]: user nick does not have telnet privilege
sshd[25759]: error: PAM: Authentication failure
PAM_pwdb[25762]: authentication failure; (uid=0) -> nick for sshd service
PAM-vsd[25762]: user nick does not have telnet privilege
sshd[25759]: error: PAM: Authentication failure
PAM_pwdb[25763]: authentication failure; (uid=0) -> nick for sshd service
PAM-vsd[25763]: user nick does not have telnet privilege
sshd[25759]: error: PAM: Authentication failure
sshd[25759]: Failed keyboard-interactive/pam for nick from xxx.xx.xxx.xx port 47018 ssh2
sshd[25759]: Accepted password for nick from xxx.xx.xxx.xx port 47018 ssh2
PAM_pwdb[25765]: (sshd) session opened for user nick by (uid=0)


$ cat /etc/pam.d/sshd
#%PAM-1.0
auth       required     /lib/security/pam_pwdb.so shadow nodelay
auth       required     /lib/security/pam_vsd.so priv=telnet
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_pwdb.so
password   required     /lib/security/pam_cracklib.so
password   required     /lib/security/pam_pwdb.so shadow nullok use_authtok
session    required     /lib/security/pam_pwdb.so
session    required     /lib/security/pam_limits.so


The contents of sshd_config are:

Port 22
Protocol 2,1
HostKey /usr/local/etc/ssh/ssh_host_key
HostKey /usr/local/etc/ssh/ssh_host_rsa_key
HostKey /usr/local/etc/ssh/ssh_host_dsa_key
ServerKeyBits 768
LoginGraceTime 600
KeyRegenerationInterval 3600
PermitRootLogin no
IgnoreRhosts yes
RhostsRSAAuthentication
StrictModes yes
X11Forwarding no
X11DisplayOffset 10
PrintMotd yes
KeepAlive yes
PrintLastLog no
SyslogFacility AUTH
LogLevel INFO
RhostsRSAAuthentication no
HostbasedAuthentication no
RSAAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords no
UsePAM yes
#ChallengeResponseAuthentication no
KerberosAuthentication no
UseLogin no
Banner /usr/local/etc/issue.net
Subsystem       sftp    /usr/libexec/openssh/sftp-server
MaxStartups 10:30:60



-- 
Nick Burrett
Network Engineer, Designer Servers Ltd.   http://www.dsvr.co.uk
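One way to spot the pattern reported above in logs, as an added example that is not code from this post or from OpenSSH: a short Python checker that correlates sshd's auth-outcome lines by process id (one sshd pid per connection) and flags a connection where a PAM-backed method such as keyboard-interactive/pam was rejected for a user and a different method was then accepted for the same user. In the extract above that is exactly what happens to pid 25759: three "error: PAM: Authentication failure" lines, a failed keyboard-interactive/pam, then "Accepted password" with no pam_vsd message at all, so the password method never consulted the auth stack that rejected the user. The log lines below are constructed, modelled on the extract, with the client address replaced by a documentation (RFC 5737) address and two extra connections added as negatives; the function and variable names are this example's own.

```python
"""Flag sshd connections where a PAM-gated method was rejected but another
method was then accepted for the same user (constructed example)."""
import re
from collections import defaultdict

# Constructed sample log, modelled on the syslog extract in the post above.
# The client address is a documentation address and the last three lines
# are added connections that must NOT produce a finding.
SAMPLE_LOG = """\
PAM_pwdb[25749]: (sshd) session closed for user nick
PAM_pwdb[25761]: authentication failure; (uid=0) -> nick for sshd service
PAM-vsd[25761]: user nick does not have telnet privilege
sshd[25759]: error: PAM: Authentication failure
PAM_pwdb[25762]: authentication failure; (uid=0) -> nick for sshd service
PAM-vsd[25762]: user nick does not have telnet privilege
sshd[25759]: error: PAM: Authentication failure
PAM_pwdb[25763]: authentication failure; (uid=0) -> nick for sshd service
PAM-vsd[25763]: user nick does not have telnet privilege
sshd[25759]: error: PAM: Authentication failure
sshd[25759]: Failed keyboard-interactive/pam for nick from 192.0.2.10 port 47018 ssh2
sshd[25759]: Accepted password for nick from 192.0.2.10 port 47018 ssh2
PAM_pwdb[25765]: (sshd) session opened for user nick by (uid=0)
sshd[26001]: Failed keyboard-interactive/pam for alice from 192.0.2.11 port 50000 ssh2
sshd[26001]: Failed password for alice from 192.0.2.11 port 50000 ssh2
sshd[26100]: Accepted publickey for bob from 192.0.2.12 port 50001 ssh2
"""

# sshd auth-outcome lines, e.g.
#   sshd[25759]: Failed keyboard-interactive/pam for nick from 192.0.2.10 port 47018 ssh2
#   sshd[25759]: Accepted password for nick from 192.0.2.10 port 47018 ssh2
# "invalid user " appears for unknown accounts and is skipped over.
AUTH_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: (?P<result>Accepted|Failed) (?P<method>\S+) "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<host>\S+) port (?P<port>\d+)"
)
# The per-attempt PAM error sshd logs before it gives up on a method.
PAM_ERR_RE = re.compile(r"sshd\[(?P<pid>\d+)\]: error: PAM: Authentication failure")


def find_pam_bypass(lines, pam_methods=("keyboard-interactive/pam",)):
    """Correlate auth outcomes per sshd pid (one pid per connection).

    A finding is produced when a method listed in pam_methods was rejected
    for a user on a connection and a different method was later accepted
    for the same user on that same connection: the PAM auth stack said no,
    but the login still went through another door.
    """
    rejected = defaultdict(list)   # pid -> [(method, user), ...]
    pam_errors = defaultdict(int)  # pid -> number of "error: PAM" lines
    findings = []
    for line in lines:
        err = PAM_ERR_RE.search(line)
        if err:
            pam_errors[err["pid"]] += 1
            continue
        m = AUTH_RE.search(line)
        if not m:
            continue
        pid, user, method = m["pid"], m["user"], m["method"]
        if m["result"] == "Failed" and method in pam_methods:
            rejected[pid].append((method, user))
        elif m["result"] == "Accepted":
            earlier = [meth for meth, u in rejected.get(pid, []) if u == user]
            if earlier and method not in earlier:
                findings.append({
                    "pid": pid,
                    "user": user,
                    "host": m["host"],
                    "port": m["port"],
                    "rejected_methods": earlier,
                    "accepted_method": method,
                    "pam_errors": pam_errors.get(pid, 0),
                })
    return findings


if __name__ == "__main__":
    for f in find_pam_bypass(SAMPLE_LOG.splitlines()):
        print(f"sshd[{f['pid']}]: {f['user']} from {f['host']}:{f['port']} rejected by "
              f"{', '.join(f['rejected_methods'])} after {f['pam_errors']} PAM errors, "
              f"but accepted via {f['accepted_method']}")
```

Run against the constructed sample, the checker reports only pid 25759 (nick: keyboard-interactive/pam rejected, password accepted); alice fails both methods and bob never touched a PAM method, so neither is reported. The operational point is that a PAM module can only gate the sshd methods that actually run the PAM auth stack, so when a module like pam_vsd is the access control, every method still enabled in sshd_config has to be one that consults it (or be disabled, e.g. `PasswordAuthentication no`), and a check like this one catches the case where that assumption is wrong.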
