Does PAM work at all with ssh 3.4?
I'm playing around with the ssh 1:3.4p1-1 package, and I can't get it to
authenticate via pam with any pam configuration at all.
Here's the relevant part of my sshd_config:

Protocol 2
UsePrivilegeSeparation yes
PubkeyAuthentication no
PasswordAuthentication no
PAMAuthenticationViaKbdInt yes

I want pam, and only pam, to be used for authentication, but it doesn't
seem like pam works at all. Even with a trivial PAM configuration, no
logins are possible. Here's my /etc/pam.d/ssh:

auth required pam_permit.so
account required pam_permit.so
session required pam_permit.so
password required pam_permit.so

Even with this pam config, PAMAuthenticationViaKbdInt doesn't work:

$ ssh -v -v -v localhost
OpenSSH_3.4p1 Debian 1:3.4p1-1, SSH protocols 1.5/2.0, OpenSSL 0x0090603f
[snip]
debug1: authentications that can continue: keyboard-interactive
debug3: start over, passed a different list keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: next auth method to try is keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug1: authentications that can continue: keyboard-interactive
debug3: userauth_kbdint: disable: no info_req_seen
debug2: we did not send a packet, disable method
debug1: no more auth methods to try
Permission denied (keyboard-interactive).
debug1: Calling cleanup 0x8063a9c(0x0)

The server in debug mode shows:

$ sshd -d -d -d
debug1: sshd version OpenSSH_3.4p1 Debian 1:3.4p1-1
[snip]
debug1: KEX done
debug1: userauth-request for user lunz service ssh-connection method none
debug1: attempt 0 failures 0
debug3: mm_getpwnamallow entering
debug3: mm_request_send entering: type 6
debug3: monitor_read: checking request 6
debug3: mm_answer_pwnamallow
debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
debug3: mm_request_send entering: type 7
debug2: monitor_read: 6 used once, disabling now
debug3: mm_request_receive entering
debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM
debug3: mm_request_receive_expect entering: type 7
debug3: mm_request_receive entering
debug2: input_userauth_request: setting up authctxt for lunz
debug3: mm_start_pam entering
debug3: mm_request_send entering: type 37
debug3: monitor_read: checking request 37
debug1: Starting up PAM with username "lunz"
debug3: Trying to reverse map address 127.0.0.1.
debug1: PAM setting rhost to "localhost"
debug2: monitor_read: 37 used once, disabling now
debug3: mm_request_receive entering
debug3: mm_inform_authserv entering
debug3: mm_request_send entering: type 3
debug3: monitor_read: checking request 3
debug3: mm_answer_authserv: service=ssh-connection, style=
debug2: monitor_read: 3 used once, disabling now
debug3: mm_request_receive entering
debug2: input_userauth_request: try method none
debug3: mm_auth_password entering
debug3: mm_request_send entering: type 10
debug3: monitor_read: checking request 10
debug3: mm_answer_authpassword: sending result 0
debug3: mm_request_send entering: type 11
Failed none for lunz from 127.0.0.1 port 38116 ssh2
debug3: mm_request_receive entering
debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
debug3: mm_request_receive_expect entering: type 11
debug3: mm_request_receive entering
debug3: mm_auth_password: user not authenticated
Failed none for lunz from 127.0.0.1 port 38116 ssh2
debug1: userauth-request for user lunz service ssh-connection method keyboard-interactive
debug1: attempt 1 failures 1
debug2: input_userauth_request: try method keyboard-interactive
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=lunz devs=
debug1: kbdint_alloc: devices ''
debug2: auth2_challenge_start: devices
Failed keyboard-interactive for lunz from 127.0.0.1 port 38116 ssh2
Connection closed by 127.0.0.1
debug1: Calling cleanup 0x806be4c(0x0)
debug1: Calling cleanup 0x8052b48(0x0)
debug1: Calling cleanup 0x806be4c(0x0)

Does anyone know if pam has worked at all since the privilege separation
changes? If so, what am I doing wrong?

thanks,
Jason
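
Added example, not part of the original post and not OpenSSH code: a small Python check over debug output like that quoted above. It flags a keyboard-interactive failure where sshd allocated an empty device list (kbdint_alloc: devices '') and the client line showing that no prompt ever arrived. The function name, category labels and sample lines are constructed; comma-separated device names are an assumption.

```python
import re

# Constructed sample, in the shape of the sshd -d / ssh -v lines quoted in the post.
SAMPLE_LOG = """\
debug2: input_userauth_request: try method keyboard-interactive
debug1: auth2_challenge: user=lunz devs=
debug1: kbdint_alloc: devices ''
debug2: auth2_challenge_start: devices
Failed keyboard-interactive for lunz from 127.0.0.1 port 38116 ssh2
debug3: userauth_kbdint: disable: no info_req_seen
"""

KBDINT_ALLOC = re.compile(r"kbdint_alloc: devices '([^']*)'")
FAILED = re.compile(r"^Failed (\S+) for (\S+) from (\S+)")
CLIENT_NO_PROMPT = "userauth_kbdint: disable: no info_req_seen"


def diagnose_kbdint(log_text):
    """Classify keyboard-interactive failures found in ssh/sshd debug output."""
    findings = []
    devices = None  # device list allocated for the attempt in progress
    for raw in log_text.splitlines():
        line = raw.strip()
        alloc = KBDINT_ALLOC.search(line)
        if alloc:
            # Assumption: several devices would appear comma-separated.
            devices = [d for d in alloc.group(1).split(",") if d]
            continue
        failed = FAILED.match(line)
        if failed and failed.group(1) == "keyboard-interactive":
            if devices is None:
                category = "unknown"          # no kbdint_alloc line preceded it
            elif not devices:
                category = "no-devices"       # server had nothing to challenge with
            else:
                category = "devices-present"  # failure came after device allocation
            findings.append({"side": "server", "user": failed.group(2),
                             "source": failed.group(3),
                             "devices": devices, "category": category})
            devices = None
        elif CLIENT_NO_PROMPT in line:
            # Client gave up on the method without receiving an info request.
            findings.append({"side": "client", "category": "no-prompt-received"})
    return findings


if __name__ == "__main__":
    for finding in diagnose_kbdint(SAMPLE_LOG):
        print(finding)
```

A "no-devices" finding means the failure happened before any challenge was issued, so changes to /etc/pam.d/ssh cannot affect the outcome.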