[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: openssh + pam authentication failing +md5 (?!) HELP HELP HELP !



Hi Steve,all

Just informing if some one might discovered what could be wrong ...

Thanks..


> "light storm" <lightstorm@antionline.org> pam-list@redhat.com Re: openssh + pam authentication failing +md5 (?!) HELP HELP HELP !Reply-To: pam-list@redhat.com
>Date: Mon, 6 May 2002 11:15:19 -0700
>
>Hello Steve,
>
>Indeed, i forgot to see/remember that i use su and login with pam authentication, as i can see in the log when i su to root i see a rule saying pam authentication was successfull, i can check later exactly the msg but it was positive and it works, so do the md5 encrypted passwords in the shadow file with login (pam) etc...
>
>If pam seems to work with those ... then the question is why does ssh give trouble ? in the logs/debug info things seem to be fine imho ... 
>except the permission denied and 'pam authentication failed' msg's..
>
>I also tried to remove the 'shadow' from the two lines but still same problem. There is one thing i don't know exactly what it means, i saw it in one of the logs "socket address family protocol not supported" ... is that normal or does it have to do with the problem ?
>
>Hope we are now isolating the problem area...
>
>Thanks...
>
>
>
>
>
>
>> Steve Langasek <vorlon@netexpress.net> pam-list@redhat.com Re: openssh + pam authentication failing +md5 (?!) HELP HELP HELP !Reply-To: pam-list@redhat.com
>>Date: Mon, 6 May 2002 13:22:56 -0500
>>
>>On Mon, May 06, 2002 at 09:33:32AM -0700, light storm wrote:
>>> About the first possibility .. is there a way to check if the pam
>>> module 'pam_unix.so' supports (freebsd) md5 encryption ?
>>
>>Sure... by giving a user a password that's been encrypted this way, and
>>testing to see if you can still use pam_unix to authenticate that user
>>to a simple PAM-enabled service.  OpenSSH probably doesn't count as a
>>'simple PAM-enabled service', though login probably does.
>>
>>> Second possibility .. after changing the pass of testuser (md5) and of
>>> another user and tried just a plain login from the console it works,
>>> login uses pam authentication ...
>>
>>This is with pam_unix in your /etc/pam.d/login, and with a freebsd md5
>>password for the user that you're logging in as?
>>
>>I think the key still lies in seeing what pam_unix is sending to syslog
>>when the logins are failing.
>>
>>Steve Langasek
>>postmodern programmer
>>
>>
>>> > Steve Langasek <vorlon@netexpress.net> pam-list@redhat.com Re: openssh + pam authentication failing +md5 (?!) HELP HELP HELP !Reply-To: pam-list@redhat.com
>>> >Date: Mon, 6 May 2002 11:26:05 -0500
>>> >
>>> >On Mon, May 06, 2002 at 08:52:41AM -0700, light storm wrote:
>>> >> Hello Steve,all
>>> >
>>> >> I added the debug option the password rule and the auth rule in the
>>> >> sshd pam file, but as far as i can see nothing was sent to the logs, i
>>> >> mean messages and warn logs, unless i should check some other log
>>> >> which i cannot see at the moment ??
>>> >
>>> >You would need to check your /etc/syslog.conf to see where -- if
>>> >anywhere -- auth.* messages are currently being sent.  On my machine,
>>> >that's /var/log/auth and /var/log/debug.
>>> >
>>> >> But i think i found the problem but if it is real then i still don't
>>> >> know what i can do:
>>> >
>>> >> I changed the password of the user 'testuser' with some other tool
>>> >> which doesn't create md5 passwords. 
>>> >
>>> >> Then i tried again ssh and now i can login, but 2 things i conclude
>>> >> now:  1. ssh lets me , i only need the first 8 chars to enter
>>> >>       2. it seems that when it's md5 encrypted then authentication
>>> >>          fails.
>>> >
>>> >If using traditional crypt passwords, only the first 8 characters of the
>>> >password are encrypted.
>>> >
>>> >> debug1: PAM Password authentication accepted for user "testuser"
>>> >> Accepted password for testuser from 192.168.200.30 port 33030 ssh2
>>> >> debug1: Entering interactive session for SSH2.
>>> >
>>> >A couple possibilities I can think of:
>>> >
>>> >The pam_unix module you're using doesn't support md5 passwords.
>>> >
>>> >The password you had for testuser was not a valid md5 hash, causing
>>> >authentication to fail.
>>> >
>>> >The testuser account was expired, and PAM was requiring a password
>>> >change, but the password change was failing.
>>> >
>>> >To rule out the third possibility, I suggest setting a new md5 password
>>> >for testuser and trying to ssh in again.
>>> >
>>> >Steve Langasek
>>> >postmodern programmer
>>> >-----BEGIN PGP SIGNATURE-----
>>> >Version: GnuPG v1.0.6 (GNU/Linux)
>>> >Comment: For info see http://www.gnupg.org
>>> >
>>> >iD8DBQE81q6cKN6ufymYLloRAm5tAJsEXWRQqvwkHLLgvVovArcZYdPfOgCfZlOp
>>> >4yPKUt6SYku4bG02nfJWwho=
>>> >=AZN/
>>> >-----END PGP SIGNATURE-----
>>> 
>>> 
>>> ------------------------------------------------------------
>>> Email account furnished courtesy of AntiOnline - http://www.AntiOnline.com
>>> AntiOnline - The Internet's Information Security Super Center!
>>> 
>>> 
>>> ---------------------------------------------------------------------
>>> Express yourself with a super cool email address from BigMailBox.com.
>>> Hundreds of choices. It's free!
>>> http://www.bigmailbox.com
>>> ---------------------------------------------------------------------
>>> 
>>> 
>>> 
>>> _______________________________________________
>>> Pam-list mailing list
>>> Pam-list@redhat.com
>>> https://listman.redhat.com/mailman/listinfo/pam-list
>>-----BEGIN PGP SIGNATURE-----
>>Version: GnuPG v1.0.6 (GNU/Linux)
>>Comment: For info see http://www.gnupg.org
>>
>>iD8DBQE81sn/KN6ufymYLloRAg6DAJ44bntWMDJ59pcft9ZaWPVNQcjgjgCdEvBS
>>7EPQuWU9IdPfaQb5Xv+7YjU=
>>=YQo5
>>-----END PGP SIGNATURE-----
>
>
>------------------------------------------------------------
>Email account furnished courtesy of AntiOnline - http://www.AntiOnline.com
>AntiOnline - The Internet's Information Security Super Center!
>
>
>---------------------------------------------------------------------
>Express yourself with a super cool email address from BigMailBox.com.
>Hundreds of choices. It's free!
>http://www.bigmailbox.com
>---------------------------------------------------------------------
>
>
>
>_______________________________________________
>Pam-list mailing list
>Pam-list@redhat.com
>https://listman.redhat.com/mailman/listinfo/pam-list




------------------------------------------------------------
Email account furnished courtesy of AntiOnline - http://www.AntiOnline.com
AntiOnline - The Internet's Information Security Super Center!





[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index] []