
Bug#242119: What seems to be going on with sshd



severity 242119 important
thanks

Hello,

I've spent two hours trying to find out why ssh 3.8 breaks logins to our 
terminal that use ldap auth. This is what I found.

In ssh 3.6, "password" auth method used PAM.

In ssh 3.8, "password" auth method does not use PAM, regardless of the "UsePAM" 
setting. "man sshd_config" states the following about "UsePAM":
 
    UsePAM  Enables PAM authentication (via challenge-response) and session
             set up.  If you enable this, you should probably disable
             PasswordAuthentication.

UsePAM affects another auth method, namely "keyboard-interactive".
When logging in using the openssh client, after the "password" method fails for an LDAP 
user, the "keyboard-interactive" method is also tried, and succeeds.
This is logged:

May 13 14:08:33 pride sshd[9502]: debug1: Client protocol version 2.0; client software version OpenSSH_3.6.1p2 Debian 1:3.6.1p2-12
May 13 14:08:33 pride sshd[9502]: debug1: match: OpenSSH_3.6.1p2 Debian 1:3.6.1p2-12 pat OpenSSH*
May 13 14:08:33 pride sshd[9502]: debug1: Enabling compatibility mode for protocol 2.0
May 13 14:08:33 pride sshd[9502]: debug1: Local version string SSH-1.99-OpenSSH_3.8p1 Debian 1:3.8p1-3
May 13 14:08:33 pride sshd[9502]: debug1: PAM: initializing for "test"
May 13 14:08:33 pride sshd[9502]: debug1: PAM: setting PAM_RHOST to "zigzag.lvk.cs.msu.su"
May 13 14:08:33 pride sshd[9502]: debug1: PAM: setting PAM_TTY to "ssh"
May 13 14:08:33 pride sshd[9502]: Failed none for test from 158.250.17.23 port 43327 ssh2

At this point, "password" auth failed, and other methods are being tried.

May 13 14:08:33 pride sshd[9502]: debug1: temporarily_use_uid: 3801/100 (e=0/0)
May 13 14:08:33 pride sshd[9502]: debug1: trying public key file /home/test/.ssh/authorized_keys
May 13 14:08:33 pride sshd[9502]: debug1: restore_uid: 0/0
May 13 14:08:33 pride sshd[9502]: debug1: temporarily_use_uid: 3801/100 (e=0/0)
May 13 14:08:33 pride sshd[9502]: debug1: trying public key file /home/test/.ssh/authorized_keys2
May 13 14:08:33 pride sshd[9502]: debug1: restore_uid: 0/0
May 13 14:08:35 pride sshd[9504]: (pam_unix) check pass; user unknown
May 13 14:08:35 pride sshd[9504]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=zigzag.lvk.cs.msu.su
May 13 14:08:35 pride sshd[9502]: debug1: PAM: num PAM env strings 0
May 13 14:08:35 pride sshd[9502]: Accepted keyboard-interactive/pam for test from 158.250.17.23 port 43327 ssh2

At this point, "keyboard-interactive" method succeeds.

However, other ssh clients don't know anything about the "keyboard-interactive" 
method. E.g. when trying to ssh from a Solaris box with ssh2, the "password" 
method fails and login is disallowed.
Similar problems happen with different ssh clients running under Windows.

So the breaking change is that PAM is no longer used for "password" auth. 
This really breaks networks where different operating systems are used.
That's why I am upgrading this bug's severity to "important".
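The following is an added example (not part of this bug report) that does over a log file what the report does by eye: it reads the "Accepted <method>" / "Failed <method>" lines sshd writes, groups them per sshd process, and lists the users who only ever get in through keyboard-interactive/pam. Those are the accounts that will be locked out by clients lacking keyboard-interactive support. The log text is constructed from the lines quoted above plus one made-up local-user session.

```python
import re
from collections import defaultdict

# Constructed sample: session 9502 is the LDAP user from the report (rejoined
# lines); session 9600 is a made-up local user accepted by plain "password".
SAMPLE_LOG = """\
May 13 14:08:33 pride sshd[9502]: debug1: PAM: initializing for "test"
May 13 14:08:33 pride sshd[9502]: Failed none for test from 158.250.17.23 port 43327 ssh2
May 13 14:08:35 pride sshd[9504]: (pam_unix) check pass; user unknown
May 13 14:08:35 pride sshd[9502]: Accepted keyboard-interactive/pam for test from 158.250.17.23 port 43327 ssh2
May 13 14:10:02 pride sshd[9600]: Failed none for localadm from 158.250.17.42 port 40011 ssh2
May 13 14:10:04 pride sshd[9600]: Accepted password for localadm from 158.250.17.42 port 40011 ssh2
"""

# Matches sshd's per-attempt outcome lines; debug1: and pam_unix lines do not match.
AUTH_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: (?P<result>Accepted|Failed) (?P<method>\S+) "
    r"for (?P<user>\S+) from (?P<host>\S+) port (?P<port>\d+)"
)

def parse_auth_events(text):
    """Return {pid: [(method, result, user), ...]} in log order."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            sessions[m["pid"]].append((m["method"], m["result"], m["user"]))
    return dict(sessions)

def accepted_methods_by_user(text):
    """Return {user: set of methods that sshd ever accepted for that user}."""
    accepted = defaultdict(set)
    for events in parse_auth_events(text).values():
        for method, result, user in events:
            if result == "Accepted":
                accepted[user].add(method)
    return dict(accepted)

def users_depending_on_kbdint(text):
    """Users whose only accepted method is keyboard-interactive/pam, i.e. the
    PAM-backed (LDAP) accounts that "password" auth no longer serves."""
    by_user = accepted_methods_by_user(text)
    return sorted(u for u, methods in by_user.items()
                  if methods == {"keyboard-interactive/pam"})

if __name__ == "__main__":
    print("sessions:", parse_auth_events(SAMPLE_LOG))
    print("at risk:", users_depending_on_kbdint(SAMPLE_LOG))
```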
