
Bug#315040: openssh-server: Problem with pam_setcred() call



Package: openssh-server
Version: 1:4.1p1-4
Severity: normal


I have a problem logging in to this computer. I try:
# ssh -l nina 127.0.0.1
Password: 
Read from remote host 127.0.0.1: Connection reset by peer
Connection to 127.0.0.1 closed.
# _
In the system log I found:
Jun 20 12:16:22 linux sshd[26708]: (pam_unix) check pass; user unknown
Jun 20 12:16:22 linux sshd[26708]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1 
Jun 20 12:16:27 linux sshd[26710]: (pam_unix) check pass; user unknown
Jun 20 12:16:27 linux sshd[26708]: Accepted keyboard-interactive/pam for nina from 127.0.0.1 port 34716 ssh2
Jun 20 12:16:27 linux sshd[26712]: (pam_unix) session opened for user nina by (uid=0)
Jun 20 12:16:27 linux sshd[26712]: fatal: PAM: pam_setcred(): Permission denied
Jun 20 12:16:27 linux sshd[26712]: (pam_unix) session closed for user nina

My PAM configuration (comments suppressed):
[/etc/pam.d/ssh]
auth       required     pam_env.so # [1]
@include common-auth
@include common-account
@include common-session
session    optional     pam_motd.so # [1]
session    optional     pam_mail.so standard noenv # [1]
session    required     pam_limits.so
# session  required     pam_selinux.so multiple
@include common-password

[/etc/pam.d/common-auth]
auth	sufficient	pam_unix.so nodelay likeauth shadow nullok
auth	required	pam_ldap.so try_first_pass

[/etc/pam.d/common-account]
account	sufficient	pam_unix.so
account	required	pam_ldap.so try_first_pass

[/etc/pam.d/common-session]
session optional	pam_mkhomedir.so skel=/etc/skel umask=0022
session	sufficient	pam_unix.so
session	required	pam_ldap.so try_first_pass

[/etc/pam.d/common-password]
password	required	pam_unix.so md5 nullok obscure min=0 max=32

[/etc/pam_ldap.conf and /etc/libnss-ldap.conf]
base dc=sats,dc=spb,dc=ru
uri ldap://ldap.sats.lan/
ldap_version 3
rootbinddn cn=admin,dc=sats,dc=spb,dc=ru

But:
# telnet 127.0.0.1
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
[SSL - attempting to switch on SSL]
[SSL - handshake starting]
[SSL - OK]
Debian GNU/Linux testing/unstable south.mgmt.sats.lan
south login: nina
Password: 
nina@south:~$ logout

Login is OK; in the system log:
Jun 20 12:25:16 linux xinetd[26299]: START: telnet pid=26869 from=127.0.0.1
Jun 20 12:25:16 linux xinetd[26870]: warning: can't get client address: Transport endpoint is not connected
Jun 20 12:25:16 linux xinetd[26299]: START: ident pid=26870 from=<no address>
Jun 20 12:25:16 linux identd[26870]: started
Jun 20 12:25:16 linux xinetd[26869]: USERID: telnet UNIX :root
Jun 20 12:25:26 linux login[26877]: (pam_unix) check pass; user unknown
Jun 20 12:25:26 linux login[26877]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=pts/303 ruser= rhost=localhost 
Jun 20 12:25:26 linux login[26877]: (pam_unix) session opened for user nina by (uid=0)
Jun 20 12:25:28 linux login[26877]: (pam_unix) session closed for user nina

Configuration of PAM used by telnet:
[/etc/pam.d/login]
auth       requisite  pam_nologin.so
auth       required   pam_env.so
@include common-auth
@include common-account
@include common-session
session    required   pam_limits.so
session    optional   pam_lastlog.so
session    optional   pam_motd.so
session    optional   pam_mail.so standard noenv
@include common-password


-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.7
Locale: LANG=ru_RU.KOI8-R, LC_CTYPE=ru_RU.KOI8-R (charmap=KOI8-R)

Versions of packages openssh-server depends on:
ii  adduser                     3.64         Add and remove users and groups
ii  debconf [debconf-2.0]       1.4.51       Debian configuration management sy
ii  dpkg                        1.13.9       Package maintenance system for Deb
ii  libc6                       2.3.2.ds1-22 GNU C Library: Shared libraries an
ii  libpam-modules              0.76-22      Pluggable Authentication Modules f
ii  libpam-runtime              0.76-22      Runtime support for the PAM librar
ii  libpam0g                    0.76-22      Pluggable Authentication Modules l
ii  libselinux1                 1.22-1       SELinux shared libraries
ii  libssl0.9.7                 0.9.7g-1     SSL shared libraries
ii  libwrap0                    7.6.dbs-8    Wietse Venema's TCP wrappers libra
ii  openssh-client              1:4.1p1-4    Secure shell client, an rlogin/rsh
ii  zlib1g                      1:1.2.2-4    compression library - runtime

openssh-server recommends no packages.

-- debconf information:
  ssh/insecure_rshd:
* ssh/forward_warning:
  ssh/insecure_telnetd:
  ssh/new_config: true
* ssh/use_old_init_script: true
  ssh/disable_cr_auth: false
  ssh/protocol2_only: true
  ssh/encrypted_host_key_but_no_keygen:
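
An added example, not part of the original report: a log check that flags SSH logins which were accepted and then aborted in pam_setcred(), the pattern shown in the sshd log above. In that log the "Accepted" line and the fatal line come from different sshd process IDs, so the check correlates on host, user and time rather than on PID; the function name, the 5-second window and the default year are assumptions made for this example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: sshd lines copied from the report's system log.
SAMPLE = """\
Jun 20 12:16:22 linux sshd[26708]: (pam_unix) check pass; user unknown
Jun 20 12:16:27 linux sshd[26708]: Accepted keyboard-interactive/pam for nina from 127.0.0.1 port 34716 ssh2
Jun 20 12:16:27 linux sshd[26712]: (pam_unix) session opened for user nina by (uid=0)
Jun 20 12:16:27 linux sshd[26712]: fatal: PAM: pam_setcred(): Permission denied
Jun 20 12:16:27 linux sshd[26712]: (pam_unix) session closed for user nina
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) (\S+) sshd\[(\d+)\]: (.*)$")
ACCEPTED = re.compile(r"^Accepted (\S+) for (\S+) from (\S+) port \d+")
OPENED = re.compile(r"session opened for user (\S+)")
SETCRED = re.compile(r"^fatal: PAM: pam_setcred\(\): (.*)$")

def find_setcred_failures(text, window=timedelta(seconds=5), year=2000):
    """Return logins that were accepted and then aborted in pam_setcred().

    `window` and `year` are assumptions: syslog timestamps carry no year,
    and 5 seconds is an arbitrary correlation window.
    """
    accepted, opened, findings = [], {}, []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not an sshd syslog line
        stamp, host, pid, msg = m.groups()
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        if a := ACCEPTED.match(msg):
            accepted.append((ts, host, pid, a.group(2), a.group(1), a.group(3)))
        elif o := OPENED.search(msg):
            opened[(host, pid)] = o.group(1)  # user owning this session pid
        elif f := SETCRED.match(msg):
            user = opened.get((host, pid))    # None if no session line seen
            for a_ts, a_host, a_pid, a_user, method, rhost in reversed(accepted):
                in_window = timedelta(0) <= ts - a_ts <= window
                if a_host == host and user in (None, a_user) and in_window:
                    findings.append({"user": a_user, "method": method,
                                     "rhost": rhost, "auth_pid": a_pid,
                                     "fatal_pid": pid, "error": f.group(1).strip()})
                    break
    return findings

if __name__ == "__main__":
    for finding in find_setcred_failures(SAMPLE):
        print(finding)
```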



