
Re: openssh + pam authentication failing +md5 (?!) HELP HELP HELP !



Hello Steve,

First of all, thanks for any time you put into my problem. I really appreciate all the help, because I just don't see it :(

I'll paste here the additional information which might help solve this:

(note: openssh was compiled with pam support and md5 support)


sshd pam file for openssh in /etc/pam.d/

#%PAM-1.0
auth     required       /lib/security/pam_unix.so       # set_secrpc
auth     required       /lib/security/pam_nologin.so
auth     required       /lib/security/pam_env.so
account  required       /lib/security/pam_unix.so
password required       /lib/security/pam_pwcheck.so    md5
password required       /lib/security/pam_unix.so       md5 use_first_pass use_authtok
session  required       /lib/security/pam_unix.so       none # trace or debug
session  required       /lib/security/pam_limits.so  

sshd_config file:


# for more information.
 
# This sshd was compiled with
PATH=/usr/bin:/bin:/usr/sbin:/sbin:/opt/bin
 
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.
 
#Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::
 
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
 
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 3600
ServerKeyBits 1024
 
# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO
 
# Authentication:
 
#LoginGraceTime 600
#PermitRootLogin yes
#StrictModes yes
 
#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile     .ssh/authorized_keys
 
# rhosts authentication should not be used
#RhostsAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no  
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
 
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
 
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
 
# Kerberos options
# KerberosAuthentication automatically enabled if keyfile exists
#KerberosAuthentication yes
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
 
# AFSTokenPassing automatically enabled if k_hasafs() is true
#AFSTokenPassing yes
 
# Kerberos TGT Passing only works with the AFS kaserver
#KerberosTgtPassing no
 
# Set this to 'yes' to enable PAM keyboard-interactive authentication  
# Warning: enabling this may bypass the setting of 'PasswordAuthentication'
#PAMAuthenticationViaKbdInt yes
 
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#KeepAlive yes
#UseLogin no
 
#MaxStartups 10
# no default banner path
#Banner /some/path
#VerifyReverseMapping no
 
# override default of no subsystems
Subsystem       sftp    /opt/libexec/sftp-server    


||||||||||||||

on server with sshd -d -d -d :

debug1: sshd version OpenSSH_3.1p1
debug1: private host key: #0 type 0 RSA1
debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
debug1: Forcing server key to 1152 bits to make it differ from host key.
socket: Address family not supported by protocol
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
Generating 1152 bit RSA key.
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
Connection from 192.168.100.100 port 34864
debug1: Client protocol version 2.0; client software version OpenSSH_3.0.2p1 Debian 1:3.0.2p1-9
debug1: match: OpenSSH_3.0.2p1 Debian 1:3.0.2p1-9 pat OpenSSH*
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-1.99-OpenSSH_3.1p1
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: zlib
debug2: kex_parse_kexinit: zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 zlib
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 zlib
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: dh_gen_key: priv key bits set: 130/256
debug1: bits set: 1561/3191
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: bits set: 1593/3191
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: Enabling compression at level 6.
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user testuser service ssh-connection method none
debug1: attempt 0 failures 0
debug2: input_userauth_request: setting up authctxt for testuser
debug1: Starting up PAM with username "testuser"
debug3: Trying to reverse map address 192.168.100.100.
debug1: PAM setting rhost to "cper.tter.org"
debug2: input_userauth_request: try method none
Failed none for testuser from 192.168.100.100 port 34864 ssh2
debug1: userauth-request for user testuser service ssh-connection method keyboard-interactive
debug1: attempt 1 failures 1
debug2: input_userauth_request: try method keyboard-interactive
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=testuser devs=
debug1: kbdint_alloc: devices ''
debug2: auth2_challenge_start: devices
Failed keyboard-interactive for testuser from 192.168.100.100 port 34864 ssh2
debug1: userauth-request for user testuser service ssh-connection method password
debug1: attempt 2 failures 2
debug2: input_userauth_request: try method password
debug1: PAM Password authentication for "testuser" failed[7]: Authentication failure
Failed password for testuser from 192.168.100.100 port 34864 ssh2
debug1: userauth-request for user testuser service ssh-connection method password
debug1: attempt 3 failures 3
debug2: input_userauth_request: try method password
debug1: PAM Password authentication for "testuser" failed[7]: Authentication failure
Failed password for testuser from 192.168.100.100 port 34864 ssh2
debug1: userauth-request for user testuser service ssh-connection method password
debug1: attempt 4 failures 4
debug2: input_userauth_request: try method password
debug1: PAM Password authentication for "testuser" failed[7]: Authentication failure
Failed password for testuser from 192.168.100.100 port 34864 ssh2
Connection closed by 192.168.100.100
debug1: Calling cleanup 0x80524a0(0x0)
debug1: Calling cleanup 0x8068e10(0x0)
debug1: compress outgoing: raw data 242, compressed 85, factor 0.35
debug1: compress incoming: raw data 293, compressed 146, factor 0.50   

|||||||||||||||


from remote system with ssh -C -v -v -v :

OpenSSH_3.0.2p1 Debian 1:3.0.2p1-9, SSH protocols 1.5/2.0, OpenSSL 0x0090603f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Seeding random number generator
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: restore_uid
debug1: ssh_connect: getuid 1027 geteuid 1027 anon 1
debug1: Connecting to 192.168.200.200 [192.168.200.200] port 22.
debug1: temporarily_use_uid: 1027/1027 (e=1027)
debug1: restore_uid
debug1: temporarily_use_uid: 1027/1027 (e=1027)
debug1: restore_uid
debug1: Connection established.
debug1: identity file /home/testuser/.ssh/identity type -1
debug1: identity file /home/testuser/.ssh/id_rsa type -1
debug1: identity file /home/testuser/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.1p1
debug1: match: OpenSSH_3.1p1 pat ^OpenSSH
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.0.2p1 Debian 1:3.0.2p1-9
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: zlib
debug2: kex_parse_kexinit: zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 zlib
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 zlib
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 135/256
debug1: bits set: 1593/3191
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /home/testuser/.ssh/known_hosts
debug3: check_host_in_hostfile: filename /etc/ssh/ssh_known_hosts
The authenticity of host '192.168.200.200 (192.168.200.200)' can't be established.
RSA key fingerprint is 27:19:b8:ba:69:e7:91:9a:b3:00:09:c4:a8:f6:be:e0.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.200.200' (RSA) to the list of known hosts.
debug1: bits set: 1561/3191
debug1: ssh_rsa_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: Enabling compression at level 6.
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug3: start over, passed a different list publickey,password,keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: next auth method to try is publickey
debug1: try privkey: /home/testuser/.ssh/identity
debug3: no such identity: /home/testuser/.ssh/identity
debug1: try privkey: /home/testuser/.ssh/id_rsa
debug3: no such identity: /home/testuser/.ssh/id_rsa
debug1: try privkey: /home/testuser/.ssh/id_dsa
debug3: no such identity: /home/testuser/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: next auth method to try is keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug3: userauth_kbdint: disable: no info_req_seen
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred:
debug3: authmethod_is_enabled password
debug1: next auth method to try is password
testuser@192.168.200.200's password:
debug1: packet_send2: adding 16 (len 43 padlen 5 extra_pad 64)
debug2: we sent a password packet, wait for reply
debug1: authentications that can continue: publickey,password,keyboard-interactive
Permission denied, please try again.
testuser@192.168.200.200's password:
debug1: packet_send2: adding 32 (len 17 padlen 15 extra_pad 64)
debug2: we sent a password packet, wait for reply
debug1: authentications that can continue: publickey,password,keyboard-interactive
Permission denied, please try again.
testuser@192.168.200.200's password:
debug1: packet_send2: adding 32 (len 19 padlen 13 extra_pad 64)
debug2: we sent a password packet, wait for reply
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug2: we did not send a packet, disable method
debug1: no more auth methods to try
Permission denied (publickey,password,keyboard-interactive).
debug1: Calling cleanup 0x80633cc(0x0)
debug1: compress outgoing: raw data 293, compressed 146, factor 0.50
debug1: compress incoming: raw data 242, compressed 85, factor 0.35



extra information passwd (pam file):

#%PAM-1.0
auth     required       /lib/security/pam_unix.so       nullok
account  required       /lib/security/pam_unix.so
password required       /lib/security/pam_pwcheck.so    nullok md5
password required       /lib/security/pam_unix.so       nullok md5 use_first_pass use_authtok
session  required       /lib/security/pam_unix.so


other extra information:

ldd /opt/sbin/sshd
        libpam.so.0 => /lib/libpam.so.0 (0x4002a000)
        libdl.so.2 => /lib/libdl.so.2 (0x40032000)
        libutil.so.1 => /lib/libutil.so.1 (0x40035000)
        libz.so.1 => /lib/libz.so.1 (0x40038000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x40047000)
        libcrypto.so.0.9.6 => /usr/lib/libcrypto.so.0.9.6 (0x4005d000)
        libc.so.6 => /lib/libc.so.6 (0x4011e000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)     

ldd /usr/bin/passwd
        libcrypt.so.1 => /lib/libcrypt.so.1 (0x4002a000)
        libcrack.so.2 => /usr/lib/libcrack.so.2 (0x40058000)
        libpam.so.0 => /lib/libpam.so.0 (0x40064000)
        libpam_misc.so.0 => /lib/libpam_misc.so.0 (0x4006c000)
        libdl.so.2 => /lib/libdl.so.2 (0x4006f000)
        libc.so.6 => /lib/libc.so.6 (0x40072000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)





> Steve Langasek <vorlon@netexpress.net> pam-list@redhat.com Re: openssh + pam authentication failing +md5 (?!) HELP HELP HELP !
>Reply-To: pam-list@redhat.com
>Date: Fri, 3 May 2002 11:28:33 -0500
>
>On Fri, May 03, 2002 at 02:12:51AM -0700, light storm wrote:
>> This is the first time I really needed to seek the help of someone
>> who has a lot more expertise on this subject, since I have almost no
>> hair left on my head which I didn't pull out ;-)
>
>> I have installed openssh 3.1 and openssl 0.9.6a, and I use PAM. Most
>> things work perfectly, until I wanted to use PAM for ssh. I also enabled
>> PAM support for openssh, also enabled md5 password support for openssh,
>> and added the correct information to the PAM file (/etc/pam.d/sshd) like
>> 'md5', but when I try to log in from various servers to that server
>> then, in short, I get "PAM authentication failed, permission denied
>> ... ". That is the problem hehe
>
>> Paste:
>
>> Failed password for testuser from 192.168.150.52 port 34440 ssh2 
>> debug1: userauth-request for user testuser service ssh-connection method 
>> password 
>> debug1: attempt 3 failures 3 
>> debug2: input_userauth_request: try method password 
>> debug1: PAM Password authentication for "testuser" failed[7]: 
>> Authentication failure 
>> ...     
>
>> My sshd_config and ssh_config are all correctly configured. Besides the
>> above, passwd/login are also using PAM, no problem.
>
>> I did a test: I created a password for testuser with another tool, not
>> md5, and all of a sudden ssh worked (!??), but when I change the pass
>> with passwd (it then becomes an md5 one) ssh refuses :((( ..
>
>> IMHO something goes wrong when the md5 password is read by PAM and
>> that causes openssh to say permission denied ... but guys, what in
>> God's name goes wrong, or what did I do wrong?
>
>
>> PS: the generic pam sshd file is what i use, added the md5 to it.
>
>Please post the full contents of the exact PAM configuration you're
>using for sshd.  There are many different 'default' configurations in
>existence, and it's impossible to diagnose this error without knowing
>what your particular configuration looks like.
>
>Steve Langasek
>postmodern programmer
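
Added example (not part of the original message or thread): a small parser that turns the two PAM service files pasted above into their effective per-group stacks, so the `auth` stack sshd runs at login can be compared with the one `passwd` uses and the groups that actually receive `md5` can be listed. The function names are illustrative, and it assumes that a line not starting with a PAM type is a mail-wrapped continuation of the previous line.

```python
import os

# Service files as pasted in the message above, mail-wrapped lines included.
SSHD_PAM = """\
#%PAM-1.0
auth     required       /lib/security/pam_unix.so       # set_secrpc
auth     required       /lib/security/pam_nologin.so
auth     required       /lib/security/pam_env.so
account  required       /lib/security/pam_unix.so
password required       /lib/security/pam_pwcheck.so    md5
password required       /lib/security/pam_unix.so       md5
use_first_pass use_authtok
session  required       /lib/security/pam_unix.so       none # trace or
debug
session  required       /lib/security/pam_limits.so
"""
PASSWD_PAM = """\
#%PAM-1.0
auth     required       /lib/security/pam_unix.so       nullok
account  required       /lib/security/pam_unix.so
password required       /lib/security/pam_pwcheck.so    nullok md5
password required       /lib/security/pam_unix.so       nullok md5
use_first_pass use_authtok
session  required
/lib/security/pam_unix.so
"""
TYPES = {"auth", "account", "password", "session"}

def parse_pam(text):
    """Return [type, control, module, *args] per entry, '#' comments dropped.

    Assumption: a line that does not start with a PAM type continues the
    previous line (or that line's trailing comment, if it had one).
    """
    entries, in_comment = [], False
    for raw in text.splitlines():
        code, hash_mark, _ = raw.partition("#")
        tokens = code.split()
        if tokens and tokens[0] in TYPES:
            entries.append(tokens)
            in_comment = False
        elif tokens and entries and not in_comment:
            entries[-1].extend(tokens)      # wrapped arguments or module path
        if hash_mark:
            in_comment = True               # wrapped text after '#' is comment
    return entries

def stack(entries, kind):
    """Effective (module, args) list for one management group."""
    return [(os.path.basename(e[2]), e[3:]) for e in entries if e[0] == kind]

def types_with_arg(entries, arg):
    """Management groups in which any module is passed `arg`."""
    return {e[0] for e in entries if arg in e[3:]}

if __name__ == "__main__":
    for name, text in (("sshd", SSHD_PAM), ("passwd", PASSWD_PAM)):
        entries = parse_pam(text)
        print(name, "auth stack:", stack(entries, "auth"))
        print(name, "md5 appears in:", sorted(types_with_arg(entries, "md5")))
```

In Linux-PAM's pam_unix, `md5` is an option of the `password` group that is applied when a password is changed, so for a failing login the stack to compare is `auth`, where the sshd file passes pam_unix no arguments because `set_secrpc` sits behind a `#`.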






