
Re: openssh + pam authentication failing +md5 (?!) HELP HELP HELP !



(BTW, it's FreeBSD MD5 in the shadow file; I assume PAM recognizes that?)



> From: "light storm" <lightstorm@antionline.org>
> To: pam-list@redhat.com
> Subject: Re: openssh + pam authentication failing +md5 (?!) HELP HELP HELP !
> Reply-To: pam-list@redhat.com
>Date: Mon, 6 May 2002 08:52:41 -0700
>
>Hello Steve, all
>
>I added the debug option to the password rule and the auth rule in the sshd PAM file, but as far as I can see nothing was sent to the logs (I mean the messages and warn logs), unless I should check some other log which I cannot see at the moment?
>
>But I think I found the problem, but if it is real then I still don't know what I can do:
>
>I changed the password of the user 'testuser' with some other tool which doesn't create MD5 passwords.
>
>Then I tried ssh again and now I can log in, but 2 things I conclude now:
>  1. ssh lets me in, I only need the first 8 chars to enter
>  2. it seems that when it's MD5 encrypted then authentication
>     fails.
>
>These are logs of what I just did to get in:
>
>[from the ssh remote side]
>
>debug1: PAM establishing creds
>
>Environment:
>  USER=testuser
>  LOGNAME=testuser
>  HOME=/home/testuser
>  PATH=/usr/bin:/bin:/usr/sbin:/sbin:/opt/bin
>  MAIL=/var/mail/testuser
>  SHELL=/bin/bash
>  SSH_CLIENT= 192.168.200.30 33029 22
>  SSH_TTY=/dev/pts/7
>  TERM=kvt
>debug3: channel_close_fds: channel 0: r -1 w -1 e -1
>testuser@sp32a:~ >
>
>[this is what sshd -d -d -d shows]
>debug1: PAM Password authentication accepted for user "testuser"
>Accepted password for testuser from 192.168.200.30 port 33030 ssh2
>debug1: Entering interactive session for SSH2.
>debug1: fd 3 setting O_NONBLOCK
>debug1: fd 7 setting O_NONBLOCK
>debug1: server_init_dispatch_20
>debug1: server_input_channel_open: ctype session rchan 0 win 65536 max 16384
>debug1: input_session_request
>debug1: channel 0: new [server-session]
>debug1: session_new: init
>debug1: session_new: session 0
>debug1: session_open: channel 0
>debug1: session_open: session 0: link with channel 0
>debug1: server_input_channel_open: confirm session
>debug1: server_input_channel_req: channel 0 request pty-req reply 0
>debug1: session_by_channel: session 0 channel 0
>debug1: session_input_channel_req: session 0 req pty-req
>debug1: Allocating pty.
>
>
>Well, I hope we made some progress to a solution; please let me know if you need more information.
>
>Thanks !
>
>> From: Steve Langasek <vorlon@netexpress.net>
>> To: pam-list@redhat.com
>> Subject: Re: openssh + pam authentication failing +md5 (?!) HELP HELP HELP !
>> Reply-To: pam-list@redhat.com
>>Date: Mon, 6 May 2002 09:29:48 -0500
>>
>>On Fri, May 03, 2002 at 11:10:01AM -0700, light storm wrote:
>>
>>> First of all thanks for any time you put in my problem, really
>>> appreciate all the help cause I just don't see it :(
>>
>>> I'll paste here the additional information which might help solve this:
>>
>>> (note: openssh was compiled with pam support and md5 support)
>>
>>> sshd pam file for openssh in /etc/pam.d/
>>
>>Have you checked your log files for anything that might tell you which
>>PAM module is failing and why?  pam_unix, at least, logs a fair amount
>>of information to the syslog 'auth' facility, and more information is
>>available if you add the 'debug' flag to the module arguments:
>>
>>  auth     required     /lib/security/pam_unix.so debug
>>
>>Your openssh debug output indicates that PAM is being invoked, and your 
>>PAM config file looks reasonable from what I can tell; so looking at 
>>logs would be the next step.
>>
>>> #%PAM-1.0
>>> auth     required       /lib/security/pam_unix.so       # set_secrpc
>>> auth     required       /lib/security/pam_nologin.so
>>> auth     required       /lib/security/pam_env.so
>>> account  required       /lib/security/pam_unix.so
>>
>>> password required       /lib/security/pam_pwcheck.so    md5
>>
>>BTW, does pam_pwcheck.so really support this 'md5' argument?  As a quick
>>experiment, you might try removing it to see if that changes openssh's
>>behavior -- though the effect on the authentication process of a
>>misconfigured password module should really be minimal.
>>
>>Steve Langasek
>>postmodern programmer
>
>
>------------------------------------------------------------
>Email account furnished courtesy of AntiOnline - http://www.AntiOnline.com
>AntiOnline - The Internet's Information Security Super Center!
>
>
>---------------------------------------------------------------------
>Express yourself with a super cool email address from BigMailBox.com.
>Hundreds of choices. It's free!
>http://www.bigmailbox.com
>---------------------------------------------------------------------
>
>
>
>_______________________________________________
>Pam-list mailing list
>Pam-list@redhat.com
>https://listman.redhat.com/mailman/listinfo/pam-list




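Added example, not part of the original thread or of any project's code: a login that accepts only the first 8 characters is how traditional DES crypt(3) hashes behave, while FreeBSD-style MD5 hashes carry a `$1$` prefix, so a first check is which scheme each shadow entry actually uses. The function names and the sample shadow lines below are constructed for illustration.

```python
import re

# Character set used by crypt(3) hash encodings.
_B64 = r"[./0-9A-Za-z]"
DES_RE = re.compile(rf"^{_B64}{{13}}$")                      # 2-char salt + 11-char hash
MD5_RE = re.compile(rf"^\$1\${_B64}{{1,8}}\${_B64}{{22}}$")  # $1$salt$hash

def classify(hash_field):
    """Return (scheme, significant_password_chars or None) for a shadow hash field."""
    if hash_field == "":
        return ("empty", None)            # no password set
    if hash_field[0] in "*!":
        return ("locked", None)           # password login disabled
    if MD5_RE.match(hash_field):
        return ("md5-crypt", None)        # whole password is hashed
    if DES_RE.match(hash_field):
        return ("des-crypt", 8)           # only the first 8 characters count
    if hash_field.startswith("$"):
        return ("other-modular", None)    # some other $id$ scheme
    return ("unrecognized", None)

def audit_shadow(text):
    """Classify every entry of shadow-format text: (lineno, user, scheme, limit)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            findings.append((lineno, "?", "malformed", None))
            continue
        scheme, limit = classify(fields[1])
        findings.append((lineno, fields[0], scheme, limit))
    return findings

def truncating_accounts(text):
    """Accounts whose hash scheme ignores password characters past the 8th."""
    return [user for _, user, _, limit in audit_shadow(text) if limit is not None]

# Constructed sample input; the hash strings are placeholders, not real hashes.
SAMPLE = """\
root:*:11810:0:99999:7:::
testuser:$1$constrct$CONSTRUCTEDxxxxxxxxxxx:11813:0:99999:7:::
olduser:xxCONSTRUCTED:11813:0:99999:7:::
"""

if __name__ == "__main__":
    for lineno, user, scheme, limit in audit_shadow(SAMPLE):
        note = f" (first {limit} chars only)" if limit else ""
        print(f"line {lineno}: {user}: {scheme}{note}")
```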