[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: openssh + pam authentication failing +md5 (?!) HELP HELP HELP !



On Mon, May 06, 2002 at 09:33:32AM -0700, light storm wrote:
> About the first possibility .. is there a way to check if the pam
> module 'pam_unix.so' supports (freebsd) md5 encryption ?

Sure... by giving a user a password that's been encrypted this way, and
testing to see if you can still use pam_unix to authenticate that user
to a simple PAM-enabled service.  OpenSSH probably doesn't count as a
'simple PAM-enabled service', though login probably does.

> Second possibility .. after changing the pass of testuser (md5) and of
> another user and tried just a plain login from the console it works,
> login uses pam authentication ...

This is with pam_unix in your /etc/pam.d/login, and with a freebsd md5
password for the user that you're logging in as?

I think the key still lies in seeing what pam_unix is sending to syslog
when the logins are failing.

Steve Langasek
postmodern programmer


> > Steve Langasek <vorlon@netexpress.net> pam-list@redhat.com Re: openssh + pam authentication failing +md5 (?!) HELP HELP HELP !Reply-To: pam-list@redhat.com
> >Date: Mon, 6 May 2002 11:26:05 -0500
> >
> >On Mon, May 06, 2002 at 08:52:41AM -0700, light storm wrote:
> >> Hello Steve,all
> >
> >> I added the debug option the password rule and the auth rule in the
> >> sshd pam file, but as far as i can see nothing was sent to the logs, i
> >> mean messages and warn logs, unless i should check some other log
> >> which i cannot see at the moment ??
> >
> >You would need to check your /etc/syslog.conf to see where -- if
> >anywhere -- auth.* messages are currently being sent.  On my machine,
> >that's /var/log/auth and /var/log/debug.
> >
> >> But i think i found the problem but if it is real then i still don't
> >> know what i can do:
> >
> >> I changed the password of the user 'testuser' with some other tool
> >> which doesn't create md5 passwords. 
> >
> >> Then i tried again ssh and now i can login, but 2 things i conclude
> >> now:  1. ssh lets me , i only need the first 8 chars to enter
> >>       2. it seems that when it's md5 encrypted then authentication
> >>          fails.
> >
> >If using traditional crypt passwords, only the first 8 characters of the
> >password are encrypted.
> >
> >> debug1: PAM Password authentication accepted for user "testuser"
> >> Accepted password for testuser from 192.168.200.30 port 33030 ssh2
> >> debug1: Entering interactive session for SSH2.
> >
> >A couple possibilities I can think of:
> >
> >The pam_unix module you're using doesn't support md5 passwords.
> >
> >The password you had for testuser was not a valid md5 hash, causing
> >authentication to fail.
> >
> >The testuser account was expired, and PAM was requiring a password
> >change, but the password change was failing.
> >
> >To rule out the third possibility, I suggest setting a new md5 password
> >for testuser and trying to ssh in again.
> >
> >Steve Langasek
> >postmodern programmer
> >-----BEGIN PGP SIGNATURE-----
> >Version: GnuPG v1.0.6 (GNU/Linux)
> >Comment: For info see http://www.gnupg.org
> >
> >iD8DBQE81q6cKN6ufymYLloRAm5tAJsEXWRQqvwkHLLgvVovArcZYdPfOgCfZlOp
> >4yPKUt6SYku4bG02nfJWwho=
> >=AZN/
> >-----END PGP SIGNATURE-----
> 
> 
> ------------------------------------------------------------
> Email account furnished courtesy of AntiOnline - http://www.AntiOnline.com
> AntiOnline - The Internet's Information Security Super Center!
> 
> 
> ---------------------------------------------------------------------
> Express yourself with a super cool email address from BigMailBox.com.
> Hundreds of choices. It's free!
> http://www.bigmailbox.com
> ---------------------------------------------------------------------
> 
> 
> 
> _______________________________________________
> Pam-list mailing list
> Pam-list@redhat.com
> https://listman.redhat.com/mailman/listinfo/pam-list

Attachment: pgp00004.pgp
Description: PGP signature


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index] []