ssh daemon fails to call pam when user does not exist in /etc/passwd

Jayarama Vijay Kumar jvijayku at cisco.com
Tue Jun 15 19:14:46 EST 2004


Hi
     We recently upgraded to openssh-3.7.1p2.  Our architecture is that
the ssh daemon uses a pam module which sends requests to remote
radius/tacacs+ servers based on configuration.
  Now if I create the user in /etc/passwd, then the ssh daemon calls pam and
everything works fine.
  But if the user is not present in /etc/passwd, then the ssh daemon is not
calling pam. The debug log is given below. All of this was working in
prior versions.  Any idea why there is a dependency on local user accounts?
I have also given sshd's pam file.

Any help is greatly appreciated
vijay

debug log
=======

debug1: userauth-request for user jvijayku service ssh-connection method none
debug1: attempt 0 failures 0
Illegal user jvijayku from 64.104.131.187
input_userauth_request: illegal user jvijayku
debug1: PAM: initializing for "jvijayku"
debug3: Trying to reverse map address 64.104.131.187.
debug1: PAM: setting PAM_RHOST to "64.104.131.187"
debug1: PAM: setting PAM_TTY to "ssh"
debug2: input_userauth_request: try method none
Failed none for illegal user jvijayku from 64.104.131.187 port 33729 ssh2
debug1: userauth-request for user jvijayku service ssh-connection method keyboard-interactive
debug1: attempt 1 failures 1
debug2: input_userauth_request: try method keyboard-interactive
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=jvijayku devs=
debug1: kbdint_alloc: devices 'pam'
debug2: auth2_challenge_start: devices pam
debug2: kbdint_next_device: devices <empty>
debug1: auth2_challenge_start: trying authentication method 'pam'
debug3: ssh_msg_recv entering
debug3: ssh_msg_send: type 1
Postponed keyboard-interactive for illegal user jvijayku from 64.104.131.187 port 33729 ssh2
debug3: ssh_msg_recv entering


PAM file
=======
# Disallows other than root logins when /etc/nologin exists
# (Replaces the `NOLOGINS_FILE' option from login.defs)
auth       requisite  pam_nologin.so
 

auth       required   pam_env.so
 
auth    [authinfo_unavail=ignore auth_err=done success=done default=ok] /isan/lib/libpam_aaa_auth.so


# Standard Un*x authentication. The "nullok" line allows passwordless
# accounts.
auth       required   pam_unix.so nullok likeauth try_first_pass

account    required   pam_unix.so
session    required   pam_unix.so

session    optional   pam_lastlog.so
 
session    optional   pam_motd.so

session    optional   pam_mail.so standard noenv

 
password    required      /lib/security/pam_cracklib.so retry=3
password    sufficient    /lib/security/pam_unix.so nullok use_authtok shadow md5
password    required      /lib/security/pam_deny.so
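
Added example, not part of the original post and not OpenSSH or Linux-PAM code: a simplified Python model of how Linux-PAM evaluates the control fields of the auth stack posted above, showing what that stack returns once it is invoked for an account that exists only on the AAA server. The module return codes fed in are constructed assumptions, module names are shortened to their basenames, and jump counts and the `reset` action are not modelled.

```python
# Added example: simplified model of Linux-PAM control-field evaluation.
SUCCESS = "success"
FAIL_CODE = "perm_denied"  # returned when no module contributed a result

# Keyword controls in their bracket equivalents, per pam.conf(5).
KEYWORDS = {
    "required": "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "requisite": "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
    "optional": "[success=ok new_authtok_reqd=ok default=ignore]",
}

# The auth lines of the PAM file above (wrapped line rejoined).
AUTH_STACK = [
    ("requisite", "pam_nologin.so"),
    ("required", "pam_env.so"),
    ("[authinfo_unavail=ignore auth_err=done success=done default=ok]",
     "libpam_aaa_auth.so"),
    ("required", "pam_unix.so"),
]

def parse_control(ctl):
    ctl = KEYWORDS.get(ctl, ctl)
    return dict(pair.split("=", 1) for pair in ctl.strip("[]").split())

def run_stack(stack, results):
    """results maps module -> return code; returns (status, modules called)."""
    status, failed, called = None, False, []
    for ctl, module in stack:
        rv = results[module]
        called.append(module)
        rules = parse_control(ctl)
        action = rules.get(rv, rules["default"])
        if action in ("bad", "die"):
            if not failed:               # first failure fixes the result
                status, failed = rv, True
            if action == "die":          # requisite-style: stop immediately
                break
        elif action in ("ok", "done") and not failed:
            if status in (None, SUCCESS) and rv != "ignore":
                status = rv              # overrides only a clean stack state
            if action == "done" and status is not None:
                break                    # return to the application now
    return status or FAIL_CODE, called

def simulate(aaa_result, unix_result="user_unknown"):
    # Constructed codes: pam_unix assumed to return user_unknown for a remote-only account.
    return run_stack(AUTH_STACK, {
        "pam_nologin.so": SUCCESS, "pam_env.so": SUCCESS,
        "libpam_aaa_auth.so": aaa_result, "pam_unix.so": unix_result})
```

Under these assumptions a AAA accept or reject ends the stack at libpam_aaa_auth.so without consulting pam_unix.so, while `authinfo_unavail` falls through to the local pam_unix.so check.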
 







More information about the openssh-unix-dev mailing list