Bug#315040: openssh-server: Problem with pam_setcred() call
Package: openssh-server
Version: 1:4.1p1-4
Severity: normal
I have a problem with login to this computer. I try:
# ssh -l nina 127.0.0.1
Password:
Read from remote host 127.0.0.1: Connection reset by peer
Connection to 127.0.0.1 closed.
# _
In the system log I found:
Jun 20 12:16:22 linux sshd[26708]: (pam_unix) check pass; user unknown
Jun 20 12:16:22 linux sshd[26708]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1
Jun 20 12:16:27 linux sshd[26710]: (pam_unix) check pass; user unknown
Jun 20 12:16:27 linux sshd[26708]: Accepted keyboard-interactive/pam for nina from 127.0.0.1 port 34716 ssh2
Jun 20 12:16:27 linux sshd[26712]: (pam_unix) session opened for user nina by (uid=0)
Jun 20 12:16:27 linux sshd[26712]: fatal: PAM: pam_setcred(): Permission denied
Jun 20 12:16:27 linux sshd[26712]: (pam_unix) session closed for user nina
My PAM configuration (comments suppressed):
[/etc/pam.d/ssh]
auth required pam_env.so # [1]
@include common-auth
@include common-account
@include common-session
session optional pam_motd.so # [1]
session optional pam_mail.so standard noenv # [1]
session required pam_limits.so
# session required pam_selinux.so multiple
@include common-password
[/etc/pam.d/common-auth]
auth sufficient pam_unix.so nodelay likeauth shadow nullok
auth required pam_ldap.so try_first_pass
[/etc/pam.d/common-account]
account sufficient pam_unix.so
account required pam_ldap.so try_first_pass
[/etc/pam.d/common-session]
session optional pam_mkhomedir.so skel=/etc/skel umask=0022
session sufficient pam_unix.so
session required pam_ldap.so try_first_pass
[/etc/pam.d/common-password]
password required pam_unix.so md5 nullok obscure min=0 max=32
[/etc/pam_ldap.conf and /etc/libnss-ldap.conf]
base dc=sats,dc=spb,dc=ru
uri ldap://ldap.sats.lan/
ldap_version 3
rootbinddn cn=admin,dc=sats,dc=spb,dc=ru
But:
# telnet 127.0.0.1
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
[SSL - attempting to switch on SSL]
[SSL - handshake starting]
[SSL - OK]
Debian GNU/Linux testing/unstable south.mgmt.sats.lan
south login: nina
Password:
nina@south:~$ logout
Login is OK, in system log:
Jun 20 12:25:16 linux xinetd[26299]: START: telnet pid=26869 from=127.0.0.1
Jun 20 12:25:16 linux xinetd[26870]: warning: can't get client address: Transport endpoint is not connected
Jun 20 12:25:16 linux xinetd[26299]: START: ident pid=26870 from=<no address>
Jun 20 12:25:16 linux identd[26870]: started
Jun 20 12:25:16 linux xinetd[26869]: USERID: telnet UNIX :root
Jun 20 12:25:26 linux login[26877]: (pam_unix) check pass; user unknown
Jun 20 12:25:26 linux login[26877]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=pts/303 ruser= rhost=localhost
Jun 20 12:25:26 linux login[26877]: (pam_unix) session opened for user nina by (uid=0)
Jun 20 12:25:28 linux login[26877]: (pam_unix) session closed for user nina
Configuration of PAM used by telnet:
[/etc/pam.d/login]
auth requisite pam_nologin.so
auth required pam_env.so
@include common-auth
@include common-account
@include common-session
session required pam_limits.so
session optional pam_lastlog.so
session optional pam_motd.so
session optional pam_mail.so standard noenv
@include common-password
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.7
Locale: LANG=ru_RU.KOI8-R, LC_CTYPE=ru_RU.KOI8-R (charmap=KOI8-R)
Versions of packages openssh-server depends on:
ii adduser 3.64 Add and remove users and groups
ii debconf [debconf-2.0] 1.4.51 Debian configuration management sy
ii dpkg 1.13.9 Package maintenance system for Deb
ii libc6 2.3.2.ds1-22 GNU C Library: Shared libraries an
ii libpam-modules 0.76-22 Pluggable Authentication Modules f
ii libpam-runtime 0.76-22 Runtime support for the PAM librar
ii libpam0g 0.76-22 Pluggable Authentication Modules l
ii libselinux1 1.22-1 SELinux shared libraries
ii libssl0.9.7 0.9.7g-1 SSL shared libraries
ii libwrap0 7.6.dbs-8 Wietse Venema's TCP wrappers libra
ii openssh-client 1:4.1p1-4 Secure shell client, an rlogin/rsh
ii zlib1g 1:1.2.2-4 compression library - runtime
openssh-server recommends no packages.
-- debconf information:
ssh/insecure_rshd:
* ssh/forward_warning:
ssh/insecure_telnetd:
ssh/new_config: true
* ssh/use_old_init_script: true
ssh/disable_cr_auth: false
ssh/protocol2_only: true
ssh/encrypted_host_key_but_no_keygen: