Bug#305298: marked as done (ssh-krb5: password authentication does not use pam)

[owner@bugs.debian.org (Debian Bug Tracking System)]

Your message dated Thu, 28 Dec 2006 11:59:17 -0800
with message-id <87ac17zt9m.fsf@windlord.stanford.edu>
and subject line Fixed in current openssh
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: ssh-krb5: password authentication does not use pam
• From: Chaskiel Grundman <cg2v@andrew.cmu.edu>
• Date: Tue, 19 Apr 2005 00:00:07 -0400
• Message-id: <200504190400.j3J407DW014878@lily.dementia.org>

Package: ssh-krb5
Version: 3.8.1p1-7
Severity: normal

README.Debian still states
"Unfortunately, privilege separation interacts badly with PAM. [...]
and PAM keyboard-interactive authentication won't work."

but that doesn't seem to be true at all. keyboard-interactive
authentication _is_ enabled, and does work with privsep.

Moreover, if an ssh client that does not perform keyboard-interactive
authentication connects to the server, pam is not used for password
validation. 

Even if this is considered appropriate behavior, I would think that it would
merit a mention in NEWS. I will even suggest that not supporting
PasswordAuthentication at all would be better than the current behavior.

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: sparc (sparc64)
Kernel: Linux 2.4.27-2-sparc64
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages ssh-krb5 depends on:
ii  adduser                     3.63         Add and remove users and groups
ii  debconf                     1.4.30.13    Debian configuration management sy
ii  libc6                       2.3.2.ds1-20 GNU C Library: Shared libraries an
ii  libcomerr2                  1.35-6       The Common Error Description libra
ii  libkrb53                    1.3.6-2      MIT Kerberos runtime libraries
ii  libpam-runtime              0.76-22      Runtime support for the PAM librar
ii  libpam0g                    0.76-22      Pluggable Authentication Modules l
ii  libssl0.9.7                 0.9.7e-3     SSL shared libraries
ii  libwrap0                    7.6.dbs-8    Wietse Venema's TCP wrappers libra
ii  zlib1g                      1:1.2.2-3    compression library - runtime

-- debconf information:
* ssh/privsep_tell:
  ssh/insecure_rshd:
  ssh/privsep_ask: true
  ssh/ssh2_keys_merged:
* ssh/user_environment_tell:
* ssh/forward_warning:
  ssh/insecure_telnetd:
  ssh/new_config: true
* ssh/use_old_init_script: true
* ssh/protocol2_only: false
  ssh/encrypted_host_key_but_no_keygen:
* ssh/run_sshd: true
* ssh/SUID_client: false

--- End Message ---

--- Begin Message ---

• To: 305298-done@bugs.debian.org
• Subject: Fixed in current openssh
• From: Russ Allbery <rra@debian.org>
• Date: Thu, 28 Dec 2006 11:59:17 -0800
• Message-id: <87ac17zt9m.fsf@windlord.stanford.edu>

The bug causing OpenSSH to not use PAM for password authentication has
been fixed in current OpenSSH packages and ssh-krb5 is now a transitional
package that installs the regular OpenSSH packages.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

--- End Message ---