This bug was introduced when updating from openssh-server-2.1.1p4-1 to openssh-server-2.3.0p1-4.i386.rpm. With 2.3.0p1, if /etc/ssh/sshd_config has "PermitEmptyPasswords yes", then a client logging in using a DSA key immediately has its session terminated. This did not happen with 2.1.1p4 Here's the output from "ssh -v localhost" with 2.3.0p1: $ ssh -v localhost SSH Version OpenSSH_2.3.0p1, protocol versions 1.5/2.0. Compiled with SSL (0x0090581f). debug: Reading configuration data /home/dpoon/.ssh/config debug: Reading configuration data /etc/ssh/ssh_config debug: Applying options for * debug: Seeding random number generator debug: ssh_connect: getuid 500 geteuid 0 anon 0 debug: Connecting to localhost [127.0.0.1] port 22. debug: Allocated local port 1022. debug: Connection established. debug: Remote protocol version 1.99, remote software version OpenSSH_2.3.0p1 debug: no match: OpenSSH_2.3.0p1 Enabling compatibility mode for protocol 2.0 debug: Local version string SSH-2.0-OpenSSH_2.3.0p1 debug: Seeding random number generator debug: send KEXINIT debug: done debug: wait KEXINIT debug: got kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 debug: got kexinit: ssh-dss debug: got kexinit: 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc.se debug: got kexinit: 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc.se debug: got kexinit: hmac-sha1,hmac-md5,hmac-ripemd160 debug: got kexinit: hmac-sha1,hmac-md5,hmac-ripemd160 debug: got kexinit: none,zlib debug: got kexinit: none,zlib debug: got kexinit: debug: got kexinit: debug: first kex follow: 0 debug: reserved: 0 debug: done debug: kex: server->client 3des-cbc hmac-sha1 zlib debug: kex: client->server 3des-cbc hmac-sha1 zlib debug: Sending SSH2_MSG_KEX_DH_GEX_REQUEST. debug: Wait SSH2_MSG_KEX_DH_GEX_GROUP. debug: Got SSH2_MSG_KEX_DH_GEX_GROUP. debug: bits set: 1027/2049 debug: Sending SSH2_MSG_KEX_DH_GEX_INIT. debug: Wait SSH2_MSG_KEX_DH_GEX_REPLY. debug: Got SSH2_MSG_KEXDH_REPLY. debug: Forcing accepting of host key for loopback/localhost. debug: bits set: 1041/2049 debug: len 55 datafellows 0 debug: dsa_verify: signature correct debug: Wait SSH2_MSG_NEWKEYS. debug: Enabling compression at level 6. debug: GOT SSH2_MSG_NEWKEYS. debug: send SSH2_MSG_NEWKEYS. debug: done: send SSH2_MSG_NEWKEYS. debug: done: KEX2. debug: send SSH2_MSG_SERVICE_REQUEST debug: service_accept: ssh-userauth debug: got SSH2_MSG_SERVICE_ACCEPT debug: authentications that can continue: publickey,keyboard-interactive,password debug: next auth method to try is publickey debug: trying DSA agent key /home/dpoon/.ssh/id_dsa debug: ssh-userauth2 successfull: method publickey debug: channel 0: new [client-session] debug: send channel open 0 debug: Entering interactive session. debug: client_init id 0 arg 0 debug: Requesting X11 forwarding with authentication spoofing. debug: channel request 0: shell debug: channel 0: open confirm rwindow 0 rmax 16384 Connection to localhost closed by remote host. Connection to localhost closed. debug: Transferred: stdin 0, stdout 0, stderr 81 bytes in 0.1 seconds debug: Bytes per second: stdin 0.0, stdout 0.0, stderr 1177.6 debug: Exit status -1 debug: compress outgoing: raw data 767, compressed 697, factor 0.91 debug: compress incoming: raw data 80, compressed 77, factor 0.96
Works for me (the server isn't RHL7 though). I'd debug sshd too. Does replacing /etc/pam.d/sshd with the earlier version help? (now, pam_stack + system-auth is used) E.g.: --- #%PAM-1.0 auth required /lib/security/pam_pwdb.so shadow nodelay auth required /lib/security/pam_nologin.so account required /lib/security/pam_pwdb.so password required /lib/security/pam_cracklib.so password required /lib/security/pam_pwdb.so shadow nullok use_authtok session required /lib/security/pam_pwdb.so session required /lib/security/pam_limits.so ---
I can duplicate this with both 2.1.1p4 and 2.3.0p1, which is not good. I'll need to investigate further.
I think the 2.3.0p1-6 packages in http://people.redhat.com/nalin/test/ will fix this. If you can, please test them and let me know if they do.
Verified as fixed in Raw Hide.