ssh daemon fails to call pam when user does not exist in /etc/passwd
Damien Mascord
tusker at tusker.org
Mon Jul  5 16:34:47 EST 2004
Hi Darren,
I am attempting to use a new NSS method for logins (libnss-mysql), and 
have come across this behaviour as well.
Using su - <username> it works as expected, and uses pam_unix and then 
nss-mysql to authenticate.
Using ssh, it doesn't even seem to get to pam_unix at all.
How do kerberos or ldap-only installations work?
Even this patch does not seem to enable the new NSS method to work.
It seems as though the account is thought of as expired:
debug3: mm_answer_pwnamallow
debug3: auth_shadow_acctexpired: today 12604 sp_expire 0 days left -12604
debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 0
Hmm... ok... after restarting ssh, without the patch, it allows the user 
to login now:
debug3: mm_answer_pwnamallow
debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
So, I suppose this email is to let you know that the patch breaks 
something in 3.8.1p1 :)
Damien
Darren Tucker wrote:
> Jayarama Vijay Kumar wrote:
> 
>>     We recently upgraded to openssh-3.7.1p2.  Our architecture is
>>  ssh daemon uses pam module which sends request to remote 
>> radius/tacacs+ servers based on configuration.
>>  Now if I create the user in /etc/passwd, then ssh daemon calls pam 
>> and everything works fine.
>>  But if the user is not present in /etc/passwd, then ssh daemon is not 
>> calling pam. The debug log is given below. All these were working in 
>> prior versions.  Any idea why there is dependency on local user 
>> accounts?  I have also given sshd's pam file
> 
> 
> I posted a patch for this a while back (attached).  It's only been 
> lightly tested but it's worth a try.
> 
> 
> ------------------------------------------------------------------------
> 
> Index: auth2-chall.c
> ===================================================================
> RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth2-chall.c,v
> retrieving revision 1.22
> diff -u -p -r1.22 auth2-chall.c
> --- auth2-chall.c	26 May 2003 11:36:13 -0000	1.22
> +++ auth2-chall.c	1 Jun 2004 23:55:21 -0000
> @@ -275,12 +275,10 @@ input_userauth_info_response(int type, u
>  	}
>  	packet_check_eom();
>  
> -	if (authctxt->valid) {
> -		res = kbdintctxt->device->respond(kbdintctxt->ctxt,
> -		    nresp, response);
> -	} else {
> -		res = -1;
> -	}
> +	res = kbdintctxt->device->respond(kbdintctxt->ctxt,
> +	    nresp, response);
> +	if (!authctxt->valid)
> +		res = 1;	/* keep going if login invalid */
>  
>  	for (i = 0; i < nresp; i++) {
>  		memset(response[i], 'r', strlen(response[i]));
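Review bot: the unconditional `res = 1` after the respond() call discards the device's real outcome for an invalid login, so that path can only ever report "needs further interaction", never failure; a `-1` from respond() (the device refusing the response) is masked, and the invalid-user path therefore behaves differently from a valid user who types a wrong password. Consider returning the same code a failed valid-user attempt produces instead of forcing 1, and add a comment stating why respond() must now run even when `authctxt->valid` is 0 (so the PAM conversation happens for users NSS cannot resolve locally), since the old code deliberately skipped it. Note also that the failure Damien reports in this thread occurs earlier, in mm_answer_pwnamallow (auth_shadow_acctexpired with sp_expire 0 returning MONITOR_ANS_PWNAM: 0), so this hunk is never reached in that case.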
> 
-- 
Damien Mascord (tusker at tusker dot org)
GPG key 2CB181BE / 93B2 EF21 0C7C F022 F467  7966 219E 92B3 2CB1 81BE
Attachment: openssh-debug.txt, http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20040705/6fafa718/attachment.txt
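As an added diagnostic example (not code from this thread or from OpenSSH), the following C program reproduces the two gates visible in Damien's debug output: whether NSS can resolve the user at all (getpwnam, which is what sshd's pwnam check depends on) and whether a 3.8-era style shadow expiry rule would reject the account. The function names acct_expired and check_user are mine, and the assumed expiry semantics (sp_expire == -1 disables expiry, any earlier day is expired) are inferred from the logged "sp_expire 0 days left -12604" line.

```c
/* Added example: mimic sshd's user lookup and shadow expiry gate.
 * Assumption: sp_expire == -1 means "never expires"; sp_expire == 0,
 * as returned by a misconfigured NSS backend, lands before today and
 * is therefore treated as an expired account. */
#include <pwd.h>
#include <shadow.h>
#include <stdio.h>
#include <time.h>

#define DAY 86400L

/* Expiry rule as logged by auth_shadow_acctexpired (assumed semantics).
 * Returns 1 if an account with this sp_expire is rejected on day 'today'
 * (days since the epoch), 0 otherwise. */
int acct_expired(long sp_expire, long today)
{
    long daysleft = sp_expire - today;
    if (sp_expire == -1)        /* expiry disabled, per shadow(5) */
        return 0;
    return daysleft < 0;        /* sp_expire == 0 always ends up here */
}

/* Resolve the user through NSS, then consult shadow if it is readable.
 * Returns 0 = would be allowed, 1 = unknown to NSS, 2 = expired,
 * 3 = shadow entry unreadable (needs root), so expiry cannot be judged. */
int check_user(const char *name)
{
    struct passwd *pw = getpwnam(name);
    struct spwd *spw;
    long today = (long)(time(NULL) / DAY);

    if (pw == NULL)
        return 1;
    spw = getspnam(name);
    if (spw == NULL)
        return 3;
    printf("today %ld sp_expire %ld days left %ld\n", today,
           spw->sp_expire, spw->sp_expire - today);
    return acct_expired(spw->sp_expire, today) ? 2 : 0;
}

int main(int argc, char **argv)
{
    static const char *msg[] = { "allowed", "unknown to NSS",
                                 "expired", "shadow entry unreadable" };
    const char *name = argc > 1 ? argv[1] : "root";
    int rc = check_user(name);

    printf("%s: %s\n", name, msg[rc]);
    return rc;
}
```

Run it as root against a user served by the new NSS backend; a non-zero sp_expire that is not -1 but lies in the past explains a "MONITOR_ANS_PWNAM: 0" refusal before PAM is ever consulted.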