OpenSSH >=7.0 and pam_unix.so

Yemelyanenko Fyodor fyodor_e at hotmail.com
Mon Mar 19 17:44:57 AEDT 2018


Hello!

I have a custom Linux image based on CentOS 6.3.
The Linux kernel is 3.10.72-72.

I am now upgrading OpenSSH from version 3.8 to the latest possible. Primarily I'm interested in upgrading SSHD.
I've built OpenSSH, obtained from https://ftp2.eu.openbsd.org/pub/OpenBSD/OpenSSH/portable/, with the following commands:
    ./configure --prefix=/usr --sysconfdir=/etc/ssh --libexecdir=/usr/libexec/openssh --with-pam --with-privsep-path=/var/empty/sshd --without-kerberos
    make

The build succeeded and I was able to deploy SSHD on my Linux.
SSHD successfully started.
If I use a version <=6.9, I'm able to log in successfully after the upgrade (tried with 5.1, 6.5 and 6.9).
If I use a version >=7.0, I'm not able to log in and get the following error in syslog (tried with 7.0, 7.5 and 7.6):

Mar 17 21:31:45 sshd[7961]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.170 user=admin

I also tried to upgrade pam_unix.so to the version found in LinuxPAM 1.3.

To me it seems to be some issue with SSHD version >=7.0.
Maybe there was some change related to pam_unix.so usage?

My /etc/pam.d/sshd file:

#%PAM-1.0
auth       include      system-auth
account    include      system-auth
account    required     pam_nologin.so
account    required     pam_disabled.so
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so

and my /etc/pam.d/system-auth file:

#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass likeauth nodelay
auth        required      pam_deny.so

account     required      pam_unix.so

password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     required      pam_limits.so
session     required      pam_unix.so


