Bug#242119: What seems to be going on with sshd
severity 242119 important
thanks
Hello,
I've spent two hours trying to find out why ssh 3.8 breaks logins to our
terminal that use LDAP auth. This is what I found.
In ssh 3.6, "password" auth method used PAM.
In ssh 3.8, "password" auth method does not use PAM, regardless of "UsePAM"
setting. "man sshd_config" states the following about "UsePAM":
    UsePAM  Enables PAM authentication (via challenge-response) and session
            set up.  If you enable this, you should probably disable
            PasswordAuthentication.
UsePAM affects another auth method, namely "keyboard-interactive".
When logging in using the OpenSSH client, after the "password" method fails for
an LDAP user, the "keyboard-interactive" method is also tried, and succeeds.
This is logged:
May 13 14:08:33 pride sshd[9502]: debug1: Client protocol version 2.0; client software version OpenSSH_3.6.1p2 Debian 1:3.6.1p2-12
May 13 14:08:33 pride sshd[9502]: debug1: match: OpenSSH_3.6.1p2 Debian 1:3.6.1p2-12 pat OpenSSH*
May 13 14:08:33 pride sshd[9502]: debug1: Enabling compatibility mode for protocol 2.0
May 13 14:08:33 pride sshd[9502]: debug1: Local version string SSH-1.99-OpenSSH_3.8p1 Debian 1:3.8p1-3
May 13 14:08:33 pride sshd[9502]: debug1: PAM: initializing for "test"
May 13 14:08:33 pride sshd[9502]: debug1: PAM: setting PAM_RHOST to "zigzag.lvk.cs.msu.su"
May 13 14:08:33 pride sshd[9502]: debug1: PAM: setting PAM_TTY to "ssh"
May 13 14:08:33 pride sshd[9502]: Failed none for test from 158.250.17.23 port 43327 ssh2
At this point, "password" auth failed, and other methods are being tried.
May 13 14:08:33 pride sshd[9502]: debug1: temporarily_use_uid: 3801/100 (e=0/0)
May 13 14:08:33 pride sshd[9502]: debug1: trying public key file /home/test/.ssh/authorized_keys
May 13 14:08:33 pride sshd[9502]: debug1: restore_uid: 0/0
May 13 14:08:33 pride sshd[9502]: debug1: temporarily_use_uid: 3801/100 (e=0/0)
May 13 14:08:33 pride sshd[9502]: debug1: trying public key file /home/test/.ssh/authorized_keys2
May 13 14:08:33 pride sshd[9502]: debug1: restore_uid: 0/0
May 13 14:08:35 pride sshd[9504]: (pam_unix) check pass; user unknown
May 13 14:08:35 pride sshd[9504]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=zigzag.lvk.cs.msu.su
May 13 14:08:35 pride sshd[9502]: debug1: PAM: num PAM env strings 0
May 13 14:08:35 pride sshd[9502]: Accepted keyboard-interactive/pam for test from 158.250.17.23 port 43327 ssh2
At this point, "keyboard-interactive" method succeeds.
However, other ssh clients don't know anything about the "keyboard-interactive"
method. E.g. when trying to ssh from a Solaris box with ssh2, the "password"
method fails and login is disallowed.
Similar problems happen with various ssh clients running under Windows.
So the breaking change is that PAM is no longer used for "password" auth.
This really breaks networks where different operating systems are used.
That's why I am upgrading this bug's severity to "important".
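As an added example (not part of the bug report, and not OpenSSH code), the following Python script does the log correlation a practitioner would run over sshd auth logs to find the situation described above: connections that only got in via "keyboard-interactive/pam", which a client that never offers keyboard-interactive would instead see as a hard failure. The sample log is constructed, modelled on the lines quoted in the report; the pid 9530 and 9544 sessions and the 10.0.0.x addresses are invented, with 9530 standing in for a client that only offers "password".

```python
import re

# Constructed sample log, modelled on the sshd output quoted in the report.
# The 9502/9504 lines mirror the report (pam_unix logs from a separate PAM
# helper process, so it carries its own pid). The 9530 and 9544 sessions are
# invented; 9530 stands in for a client that only offers "password".
SAMPLE_LOG = """\
May 13 14:08:33 pride sshd[9502]: debug1: PAM: initializing for "test"
May 13 14:08:33 pride sshd[9502]: Failed none for test from 158.250.17.23 port 43327 ssh2
May 13 14:08:35 pride sshd[9504]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=zigzag.lvk.cs.msu.su
May 13 14:08:35 pride sshd[9502]: Accepted keyboard-interactive/pam for test from 158.250.17.23 port 43327 ssh2
May 13 14:10:02 pride sshd[9530]: Failed password for test from 10.0.0.5 port 1022 ssh2
May 13 14:10:04 pride sshd[9530]: Failed password for test from 10.0.0.5 port 1022 ssh2
May 13 14:11:40 pride sshd[9544]: Accepted publickey for admin from 10.0.0.7 port 40000 ssh2
"""

# Only the Accepted/Failed summary lines carry method, user and peer; debug1
# and pam_unix lines are deliberately left unmatched.
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)"
)

PAM_KBD = "keyboard-interactive/pam"


def parse_auth_events(text):
    """Return one dict per Accepted/Failed line, in log order."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def classify(session):
    """Label a session by how (or whether) it got in."""
    if session["accepted"] == PAM_KBD:
        # Got in, but only through the PAM conversation: a client that never
        # offers keyboard-interactive would have stopped at the failed method.
        return "pam-via-keyboard-interactive-only"
    if session["accepted"]:
        return "ok"
    if "password" in session["failed"]:
        # No accepted method at all: the trace a password-only client leaves.
        return "password-rejected"
    return "failed"


def summarize_sessions(text):
    """Group auth events by sshd pid (one pid per connection) and classify."""
    sessions = {}
    for ev in parse_auth_events(text):
        s = sessions.setdefault(
            ev["pid"], {"user": ev["user"], "ip": ev["ip"], "failed": [], "accepted": None}
        )
        if ev["result"] == "Failed":
            s["failed"].append(ev["method"])
        else:
            s["accepted"] = ev["method"]
    for s in sessions.values():
        s["verdict"] = classify(s)
    return sessions


def at_risk_logins(text):
    """Sorted (user, ip) pairs whose login depends on keyboard-interactive/pam."""
    return sorted(
        (s["user"], s["ip"])
        for s in summarize_sessions(text).values()
        if s["verdict"] == "pam-via-keyboard-interactive-only"
    )


if __name__ == "__main__":
    for pid, s in summarize_sessions(SAMPLE_LOG).items():
        print(f"sshd[{pid}] {s['user']}@{s['ip']}: failed={s['failed']} "
              f"accepted={s['accepted']} -> {s['verdict']}")
```

Run against a real auth.log the "pam-via-keyboard-interactive-only" sessions are the users whose password is only checked by PAM; the "password-rejected" sessions with no later Accepted line are the clients this report is about. Grouping by pid works because each sshd connection gets its own child process; the pam_unix lines come from a separate helper pid and are intentionally ignored.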