OpenSSH >=7.0 and pam_unix.so
Yemelyanenko Fyodor
fyodor_e at hotmail.com
Mon Mar 19 17:44:57 AEDT 2018
Hello!
I have a custom Linux image based on CentOS 6.3.
The Linux kernel is 3.10.72-72.
I am now upgrading OpenSSH from version 3.8 to the latest possible. Primarily I'm interested in upgrading SSHD.
I've built OpenSSH obtained from https://ftp2.eu.openbsd.org/pub/OpenBSD/OpenSSH/portable/ with the following commands:
./configure --prefix=/usr --sysconfdir=/etc/ssh --libexecdir=/usr/libexec/openssh --with-pam --with-privsep-path=/var/empty/sshd --without-kerberos
make
The build succeeded and I was able to deploy SSHD on my Linux.
SSHD started successfully.
If I use a version <=6.9, I'm able to log in successfully after the upgrade (tried with 5.1, 6.5 and 6.9).
If I use a version >=7.0, I'm not able to log in and get the following error in syslog (tried with 7.0, 7.5 and 7.6):
Mar 17 21:31:45 sshd[7961]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.170 user=admin
I also tried to upgrade pam_unix.so to the version found in LinuxPAM 1.3.
To me it seems to be some issue with SSHD versions >=7.0.
Maybe there was some change related to pam_unix.so usage?
My /etc/pam.d/sshd file:
#%PAM-1.0
auth include system-auth
account include system-auth
account required pam_nologin.so
account required pam_disabled.so
password include system-auth
session optional pam_keyinit.so force revoke
session include system-auth
session required pam_loginuid.so
and the /etc/pam.d/system-auth file:
#%PAM-1.0
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass likeauth nodelay
auth required pam_deny.so
account required pam_unix.so
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password required pam_deny.so
session required pam_limits.so
session required pam_unix.so
More information about the openssh-unix-dev mailing list