Bad Password - #010#012#015#177INCORRECT : ssh -> pam -> libpam_sqlite -> sqlite3

Sangeeth Saravanaraj sangeeth.saravanaraj at
Thu Mar 6 05:46:18 EST 2014

I want to configure secure shell access to a Linux machine where allowed
users are stored in an sqlite3 database and not in the /etc/passwd,
/etc/shadow and /etc/group. I use PAM for user authentication. In this case
I use libpam_sqlite<>which
performs PAM actions like auth, account, password, etc on user data
stored in an sqlite3 database.

I have the following configuration in my /etc/pam.d/sshd

    auth        required    /lib/security/
    account     required    /lib/security/
    password    required    /lib/security/

When I tried to ssh to the box using a userid which is residing in the
sqlite3 database only (and not in /etc/passwd), the authentication failed.
The problem I found was, when an ssh is attempted, OpenSSH module is trying
to get the user info from the /etc/passwd file and when it found that the
user does not exist, it passes "#010#012#015#177INCORRECT" as the password
(and discards the password entered by the user) to the libpam_sqlite
module. Then obviously the libpam_sqlite3 denies access to the user because
the password is incorrect!

When looked into the OpenSSH code, I found that getpwnam() in
auth.c::getpwnamallow() sets pw = NULL and so the following message appears!

debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 0
Invalid user XXXXXX from A.B.C.D

Now, to the questions:

   1. Why does OpenSSH replaces the password entered by the user with the
   bad password - "\b\n\r\177INCORRECT" when the user is not present in the
   /etc/passwd file?
   2. Is there a way to tell OpenSSH not to override the password entered
   by the user?
   3. Is it really possible to authenticate a user based on an sqlite3
   database when the user record is not present in the /etc/passwd,
   /etc/shadow and /etc/group?

Thank you,


More information about the openssh-unix-dev mailing list