Solaris + PAM/LDAP + pubkey failing?

Eli Klein elijah at aclue.com
Wed Nov 10 04:11:58 EST 2004


I've got a Solaris 8 and 9 box using LDAP to successfully authenticate users.
I can get logged in via ssh using keyboard interactive (via PAM/LDAP). When
I try to use pubkey authentication, both the pubkey as well as the fallback to
keyboard interactive always fail.  I've tried OpenSSH versions as early as 3.4
and as new as the 11-06 snapshot with the same behavior.  Everything works fine
on a Linux machine which is configured to use PAM/LDAP and has OpenSSH 3.9p1
installed.  Logs follow.

Nov  9 10:00:07 sshserver sshd[27976]: [ID 800047 auth.debug] debug1: userauth-request for user testuser service ssh-connection method publickey
Nov  9 10:00:07 sshserver sshd[27976]: [ID 800047 auth.debug] debug1: attempt 1 failures 1
Nov  9 10:00:07 sshserver sshd[27976]: [ID 800047 auth.debug] debug2: input_userauth_request: try method publickey
Nov  9 10:00:07 sshserver sshd[27976]: [ID 800047 auth.debug] debug1: test whether pkalg/pkblob are acceptable
Nov  9 10:00:07 sshserver sshd[27976]: [ID 800047 auth.debug] debug1: temporarily_use_uid: 999/1002 (e=0/0)
Nov  9 10:00:07 sshserver sshd[27976]: [ID 800047 auth.debug] debug1: trying public key file /home/testuser/.ssh/authorized_keys
Nov  9 10:00:07 sshserver sshd[27976]: [ID 800047 auth.debug] debug1: restore_uid: 0/0
Nov  9 10:00:07 sshserver sshd[27976]: [ID 800047 auth.debug] debug1: temporarily_use_uid: 999/1002 (e=0/0)
Nov  9 10:00:07 sshserver sshd[27976]: [ID 800047 auth.debug] debug1: trying public key file /home/testuser/.ssh/authorized_keys2
Nov  9 10:00:07 sshserver sshd[27976]: [ID 800047 auth.debug] debug3: secure_filename: checking '/home/testuser/.ssh'
Nov  9 10:00:07 sshserver sshd[27976]: [ID 800047 auth.debug] debug3: secure_filename: checking '/home/testuser'
Nov  9 10:00:07 sshserver sshd[27976]: [ID 800047 auth.debug] debug3: secure_filename: terminating check at '/home/testuser'
Nov  9 10:00:07 sshserver sshd[27976]: [ID 800047 auth.debug] debug1: matching key found: file /home/testuser/.ssh/authorized_keys2, line 3
Nov  9 10:00:07 sshserver sshd[27976]: [ID 800047 auth.info] Found matching DSA key: 6d:28:e4:fa:93:3a:69:7e:57:1d:cf:c2:36:55:4d:e4
Nov  9 10:00:07 sshserver sshd[27976]: [ID 800047 auth.debug] debug1: restore_uid: 0/0
Nov  9 10:00:07 sshserver sshd[27976]: [ID 800047 auth.debug] debug2: userauth_pubkey: authenticated 0 pkalg ssh-dss
Nov  9 10:00:07 sshserver sshd[27976]: [ID 800047 auth.info] Postponed publickey for testuser from 1.2.3.4 port 33457 ssh2

** snip -- it automatically tries pubkey auth 2 more times with the same error **

Nov  9 10:00:07 sshserver sshd[27976]: [ID 800047 auth.debug] debug1: userauth-request for user testuser service ssh-connection method keyboard-interactive
Nov  9 10:00:07 sshserver sshd[27976]: [ID 800047 auth.debug] debug1: attempt 5 failures 3
Nov  9 10:00:07 sshserver sshd[27976]: [ID 800047 auth.debug] debug2: input_userauth_request: try method keyboard-interactive
Nov  9 10:00:07 sshserver sshd[27976]: [ID 800047 auth.debug] debug1: keyboard-interactive devs 
Nov  9 10:00:07 sshserver sshd[27976]: [ID 800047 auth.debug] debug1: auth2_challenge: user=testuser devs=
Nov  9 10:00:07 sshserver sshd[27976]: [ID 800047 auth.debug] debug1: kbdint_alloc: devices 'pam'
Nov  9 10:00:07 sshserver sshd[27976]: [ID 800047 auth.debug] debug2: auth2_challenge_start: devices pam
Nov  9 10:00:07 sshserver sshd[27976]: [ID 800047 auth.debug] debug2: kbdint_next_device: devices <empty>
Nov  9 10:00:07 sshserver sshd[27976]: [ID 800047 auth.debug] debug1: auth2_challenge_start: trying authentication method 'pam'
Nov  9 10:00:07 sshserver sshd[27976]: [ID 800047 auth.debug] debug3: PAM: sshpam_init_ctx entering
Nov  9 10:00:07 sshserver sshd[27977]: [ID 384020 auth.debug] PAM[27977]: pam_set_item(7f6e8:conv)
Nov  9 10:00:07 sshserver sshd[27977]: [ID 225850 auth.debug] PAM[27977]: pam_authenticate(7f6e8, 1)
Nov  9 10:00:07 sshserver sshd[27977]: [ID 348363 auth.debug] PAM[27977]: load_modules(7f6e8, pam_sm_authenticate)=/usr/lib/security/pam_authtok_get.so.1
Nov  9 10:00:07 sshserver sshd[27977]: [ID 258498 auth.debug] PAM[27977]: load_function: successful load of pam_sm_authenticate
Nov  9 10:00:07 sshserver sshd[27977]: [ID 348363 auth.debug] PAM[27977]: load_modules(7f6e8, pam_sm_authenticate)=/usr/lib/security/pam_dhkeys.so.1
Nov  9 10:00:07 sshserver sshd[27977]: [ID 258498 auth.debug] PAM[27977]: load_function: successful load of pam_sm_authenticate
Nov  9 10:00:07 sshserver sshd[27977]: [ID 348363 auth.debug] PAM[27977]: load_modules(7f6e8, pam_sm_authenticate)=/usr/lib/security/pam_unix_auth.so.1
Nov  9 10:00:07 sshserver sshd[27977]: [ID 258498 auth.debug] PAM[27977]: load_function: successful load of pam_sm_authenticate
Nov  9 10:00:07 sshserver sshd[27977]: [ID 348363 auth.debug] PAM[27977]: load_modules(7f6e8, pam_sm_authenticate)=/usr/lib/security/pam_ldap.so.1
Nov  9 10:00:07 sshserver sshd[27977]: [ID 258498 auth.debug] PAM[27977]: load_function: successful load of pam_sm_authenticate
Nov  9 10:00:07 sshserver sshd[27977]: [ID 334087 auth.debug] PAM[27977]: pam_get_user(7f6e8, 61746500, NULL)
Nov  9 10:00:07 sshserver sshd[27977]: [ID 800047 auth.debug] debug3: PAM: sshpam_thread_conv entering, 1 messages
Nov  9 10:00:07 sshserver sshd[27977]: [ID 800047 auth.debug] debug3: ssh_msg_send: type 1
Nov  9 10:00:07 sshserver sshd[27977]: [ID 800047 auth.debug] debug3: ssh_msg_recv entering
Nov  9 10:00:07 sshserver sshd[27976]: [ID 800047 auth.debug] debug3: PAM: sshpam_query entering
Nov  9 10:00:07 sshserver sshd[27976]: [ID 800047 auth.debug] debug3: ssh_msg_recv entering
Nov  9 10:00:07 sshserver sshd[27976]: [ID 800047 auth.info] Postponed keyboard-interactive for testuser from 1.2.3.4 port 33457 ssh2
Nov  9 10:00:52 sshserver sshd[27976]: [ID 800047 auth.debug] debug2: PAM: sshpam_respond entering, 1 responses
Nov  9 10:00:52 sshserver sshd[27976]: [ID 800047 auth.debug] debug3: ssh_msg_send: type 6
Nov  9 10:00:52 sshserver sshd[27976]: [ID 800047 auth.debug] debug3: PAM: sshpam_query entering
Nov  9 10:00:52 sshserver sshd[27976]: [ID 800047 auth.debug] debug3: ssh_msg_recv entering
Nov  9 10:00:52 sshserver sshd[27977]: [ID 384020 auth.debug] PAM[27977]: pam_set_item(7f6e8:authtok)
Nov  9 10:00:52 sshserver last message repeated 1 time
Nov  9 10:00:52 sshserver sshd[27977]: [ID 334087 auth.debug] PAM[27977]: pam_get_user(7f6e8, 0, NULL)
Nov  9 10:00:52 sshserver sshd[27977]: [ID 800047 auth.debug] debug3: ssh_msg_send: type 9
Nov  9 10:00:52 sshserver sshd[27976]: [ID 800047 auth.error] error: PAM: Success for testuser from co-klein-linux.trans.corp
Nov  9 10:00:52 sshserver sshd[27976]: [ID 800047 auth.debug] debug2: auth2_challenge_start: devices <empty>
Nov  9 10:00:52 sshserver sshd[27976]: [ID 800047 auth.debug] debug3: PAM: sshpam_free_ctx entering
Nov  9 10:00:52 sshserver sshd[27976]: [ID 800047 auth.debug] debug3: PAM: sshpam_thread_cleanup entering
Nov  9 10:00:52 sshserver sshd[27976]: [ID 800047 auth.info] Failed keyboard-interactive/pam for testuser from 1.2.3.4 port 33457 ssh2

Keyboard interactive fails as well; note the "error: PAM: Success".  If I move authorized_keys2 out
of the way, keyboard interactive works fine.

Any help is greatly appreciated.  

Thanks!

-Eli
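
Added example (not part of the original post): a small triage script for sshd debug logs in the Solaris syslog format shown above. It flags methods that were postponed but never accepted, and the contradictory "error: PAM: Success" followed by a Failed .../pam line. The names triage and SAMPLE are hypothetical; SAMPLE is an excerpt of the log in the post.

```python
import re
from collections import defaultdict

# Excerpt of the log in the post above (Solaris syslog format, "[ID n facility.level]" tag).
SAMPLE = """\
Nov  9 10:00:07 sshserver sshd[27976]: [ID 800047 auth.info] Postponed publickey for testuser from 1.2.3.4 port 33457 ssh2
Nov  9 10:00:07 sshserver sshd[27976]: [ID 800047 auth.debug] debug1: attempt 5 failures 3
Nov  9 10:00:07 sshserver sshd[27976]: [ID 800047 auth.info] Postponed keyboard-interactive for testuser from 1.2.3.4 port 33457 ssh2
Nov  9 10:00:52 sshserver sshd[27976]: [ID 800047 auth.error] error: PAM: Success for testuser from co-klein-linux.trans.corp
Nov  9 10:00:52 sshserver sshd[27976]: [ID 800047 auth.info] Failed keyboard-interactive/pam for testuser from 1.2.3.4 port 33457 ssh2
"""

LINE = re.compile(r"sshd\[(?P<pid>\d+)\]: \[ID \d+ auth\.\w+\] (?P<msg>.*)$")
POSTPONED = re.compile(r"^Postponed (?P<method>\S+) for (?P<user>\S+) from ")
OUTCOME = re.compile(r"^(?P<result>Accepted|Failed) (?P<method>\S+) for (?P<user>\S+) from ")
PAM_ERR = re.compile(r"^error: PAM: (?P<text>.+?) for (?P<user>\S+) from ")
COUNTERS = re.compile(r"attempt (?P<attempt>\d+) failures (?P<failures>\d+)")

def triage(log_text):
    """Return {pid: [finding, ...]} for each sshd process with something to report."""
    state = defaultdict(lambda: {"postponed": defaultdict(int), "accepted": set(),
                                 "failed": set(), "pam_text": None, "failures": 0})
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        s, msg = state[m["pid"]], m["msg"]
        if (p := POSTPONED.match(msg)):
            s["postponed"][p["method"]] += 1
        elif (o := OUTCOME.match(msg)):
            s["accepted" if o["result"] == "Accepted" else "failed"].add(o["method"])
        elif (e := PAM_ERR.match(msg)):
            s["pam_text"] = e["text"]          # PAM status text as sshd logged it
        elif (c := COUNTERS.search(msg)):
            s["failures"] = max(s["failures"], int(c["failures"]))
    findings = {}
    for pid, s in state.items():
        out = []
        for method, n in s["postponed"].items():
            if not any(a.startswith(method) for a in s["accepted"]):
                out.append(f"{method}: postponed {n}x, never accepted")
        if s["pam_text"] == "Success" and any(f.endswith("/pam") for f in s["failed"]):
            out.append("PAM returned Success but sshd logged Failed .../pam")
        if s["failures"]:
            out.append(f"failure counter reached {s['failures']}")
        if out:
            findings[pid] = out
    return findings
```

Calling triage() on the full log groups findings by sshd PID; the PAM child process (27977 in the post) logs no auth outcomes of its own and so produces no entry.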




