Bug 69972 - PAM authentication error when running sshd as user
Status: CLOSED CURRENTRELEASE
Product: Red Hat Linux
Classification: Retired
Component: openssh
Version: 7.3
Hardware: i686 Linux
Priority: medium  Severity: medium
Assigned To: Tomas Mraz
QA Contact: Brian Brock
Reported: 2002-07-27 02:42 EDT by Need Real Name
Modified: 2007-04-18 12:44 EDT
Doc Type: Bug Fix
Last Closed: 2005-02-07 07:31:12 EST
Description Need Real Name 2002-07-27 02:42:54 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 Galeon/1.2.0 (X11; Linux i686; U;) Gecko/20020509

Description of problem:
When running sshd as a mortal user, authentication will fail whether using
password or public key to authenticate, and regardless of whether or not the
public key has been loaded into ssh-agent. There are some documented problems
with keyboard-interactive when shadow passwords are on, but public-key
authentication fails as well--and it shouldn't.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Create a copy of sshd_config localized for the user's home directory.
2. Create DSA keys, and load the public key into user's authorized_keys file.
3. Add the public key to ssh-agent.
4. Run an unprivileged copy of sshd:  /usr/sbin/sshd -dddp 8080 -h dsa_host_key -f sshd_config
5. Attempt to connect: ssh -v -p 8080 localhost
Actual Results:  [server]
debug1: sshd version OpenSSH_3.1p1
debug3: Not a RSA1 key file dsa_host_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #0 type 2 DSA
Could not load host key: /home/tjacobs/.ssh/dsa_host_key
Disabling protocol version 1. Could not load host key
setgroups() failed: Operation not permitted
socket: Address family not supported by protocol
debug1: Bind to port 8080 on 0.0.0.0.
Server listening on 0.0.0.0 port 8080.
debug1: Server will not fork when running in debugging mode.
Connection from 127.0.0.1 port 36005
debug1: Client protocol version 2.0; client software version OpenSSH_3.1p1
debug1: match: OpenSSH_3.1p1 pat OpenSSH*
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.1p1
debug1: list_hostkey_types: ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-dss
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: zlib
debug2: kex_parse_kexinit: zlib
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 zlib
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 zlib
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
WARNING: /etc/ssh/moduli does not exist, using old modulus
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: dh_gen_key: priv key bits set: 138/256
debug1: bits set: 508/1024
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: bits set: 494/1024
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: Enabling compression at level 6.
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user tjacobs service ssh-connection method none
debug1: attempt 0 failures 0
debug3: Trying to reverse map address 127.0.0.1.
debug2: input_userauth_request: setting up authctxt for tjacobs
debug1: Starting up PAM with username "tjacobs"
debug1: PAM setting rhost to "gateway.codegnome.org"
debug2: input_userauth_request: try method none
Failed none for tjacobs from 127.0.0.1 port 36005 ssh2
debug1: userauth-request for user tjacobs service ssh-connection method publickey
debug1: attempt 1 failures 1
debug2: input_userauth_request: try method publickey
debug1: test whether pkalg/pkblob are acceptable
debug1: temporarily_use_uid: 500/500 (e=500)
debug1: trying public key file /home/tjacobs/.ssh/authorized_keys
debug3: secure_filename: checking '/home/tjacobs/.ssh'
debug3: secure_filename: checking '/home/tjacobs'
debug3: secure_filename: terminating check at '/home/tjacobs'
debug1: matching key found: file /home/tjacobs/.ssh/authorized_keys, line 2
Found matching DSA key: 50:58:96:89:7a:ba:d0:c3:a0:07:20:0c:bf:70:e4:79
debug1: restore_uid
debug2: userauth_pubkey: authenticated 0 pkalg ssh-dss
Postponed publickey for tjacobs from 127.0.0.1 port 36005 ssh2
debug1: userauth-request for user tjacobs service ssh-connection method publickey
debug1: attempt 2 failures 1
debug2: input_userauth_request: try method publickey
debug1: temporarily_use_uid: 500/500 (e=500)
debug1: trying public key file /home/tjacobs/.ssh/authorized_keys
debug3: secure_filename: checking '/home/tjacobs/.ssh'
debug3: secure_filename: checking '/home/tjacobs'
debug3: secure_filename: terminating check at '/home/tjacobs'
debug1: matching key found: file /home/tjacobs/.ssh/authorized_keys, line 2
Found matching DSA key: 50:58:96:89:7a:ba:d0:c3:a0:07:20:0c:bf:70:e4:79
debug1: restore_uid
debug1: ssh_dss_verify: signature correct
debug2: userauth_pubkey: authenticated 1 pkalg ssh-dss
PAM rejected by account configuration[13]: User account has expired
Failed publickey for tjacobs from 127.0.0.1 port 36005 ssh2
debug1: userauth-request for user tjacobs service ssh-connection method keyboard-interactive
debug1: attempt 3 failures 2
debug2: input_userauth_request: try method keyboard-interactive
debug1: keyboard-interactive devs 
debug1: auth2_challenge: user=tjacobs devs=
debug1: kbdint_alloc: devices ''
debug2: auth2_challenge_start: devices 
Failed keyboard-interactive for tjacobs from 127.0.0.1 port 36005 ssh2
debug1: userauth-request for user tjacobs service ssh-connection method password
debug1: attempt 4 failures 3
debug2: input_userauth_request: try method password
Failed password for tjacobs from 127.0.0.1 port 36005 ssh2
debug1: userauth-request for user tjacobs service ssh-connection method password
debug1: attempt 5 failures 4
debug2: input_userauth_request: try method password
debug1: PAM Password authentication for "tjacobs" failed[7]: Authentication failure
Failed password for tjacobs from 127.0.0.1 port 36005 ssh2
debug1: userauth-request for user tjacobs service ssh-connection method password
debug1: attempt 6 failures 5
debug2: input_userauth_request: try method password
debug1: PAM Password authentication for "tjacobs" failed[7]: Authentication failure
Failed password for tjacobs from 127.0.0.1 port 36005 ssh2
Connection closed by 127.0.0.1
debug1: Calling cleanup 0x80526c0(0x0)
debug1: Calling cleanup 0x8067b80(0x0)
debug1: compress outgoing: raw data 737, compressed 546, factor 0.74
debug1: compress incoming: raw data 1312, compressed 646, factor 0.49

[client]
OpenSSH_3.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090602f
debug1: Reading configuration data /home/tjacobs/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: restore_uid
debug1: ssh_connect: getuid 500 geteuid 0 anon 1
debug1: Connecting to localhost [127.0.0.1] port 8080.
debug1: temporarily_use_uid: 500/500 (e=0)
debug1: restore_uid
debug1: temporarily_use_uid: 500/500 (e=0)
debug1: restore_uid
debug1: Connection established.
debug1: read PEM private key done: type DSA
debug1: read PEM private key done: type RSA
debug1: identity file /home/tjacobs/.ssh/identity type -1
debug1: identity file /home/tjacobs/.ssh/id_rsa type -1
debug1: identity file /home/tjacobs/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_3.1p1
debug1: match: OpenSSH_3.1p1 pat OpenSSH*
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.1p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 zlib
debug1: kex: client->server aes128-cbc hmac-md5 zlib
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1:expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 134/256
debug1: bits set: 494/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'localhost' is known and matches the DSA host key.
debug1: Found key in /home/tjacobs/.ssh/known_hosts:5
debug1: bits set: 508/1024
debug1: ssh_dss_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: Enabling compression at level 6.
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug1: next auth method to try is publickey
debug1: userauth_pubkey_agent: testing agent key test
debug1: input_userauth_pk_ok: pkalg ssh-dss blen 434 lastkey 0x808fb60 hint -1
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug1: try privkey: /home/tjacobs/.ssh/identity
debug1: try privkey: /home/tjacobs/.ssh/id_rsa
debug1: try privkey: /home/tjacobs/.ssh/id_dsa
debug1: next auth method to try is keyboard-interactive
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug1: next auth method to try is password
debug1: packet_send2: adding 32 (len 21 padlen 11 extra_pad 64)
debug1: authentications that can continue: publickey,password,keyboard-interactive
Permission denied, please try again.
debug1: packet_send2: adding 48 (len 12 padlen 4 extra_pad 64)
debug1: authentications that can continue: publickey,password,keyboard-interactive
Permission denied, please try again.
debug1: packet_send2: adding 32 (len 19 padlen 13 extra_pad 64)
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug1: no more auth methods to try
Permission denied (publickey,password,keyboard-interactive).
debug1: Calling cleanup 0x80634c0(0x0)
debug1: compress outgoing: raw data 1312, compressed 646, factor 0.49
debug1: compress incoming: raw data 737, compressed 546, factor 0.74


Expected Results:  The client should have been authenticated, and logged in.

Additional info:

When tested against a remote system, the following was encountered:

1. When logging into the sshd run by root, everything worked fine.
2. When logging into an unprivileged sshd, the login failed with "PAM rejected
by account configuration[13]: User account has expired".
Comment 1 Darren Tucker 2004-07-01 01:39:34 EDT
FYI: This will work with current OpenSSH versions (3.7x and up) if you
disable PAM (ie "UsePAM no" in sshd_config).

It didn't work for your public-key auth because even for non-password
auths, the PAM account checks (ie pam_acct_mgmt and friends) were
still done and those require root.  It would have worked if there was
a way to disable PAM, but older versions of OpenSSH could only do that
at compile time.
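As an added illustration of the failure pattern Darren describes (this script is not part of the bug report or of OpenSSH), a small Python triage routine that walks `sshd -ddd` output and separates "sshd verified the key but the PAM account stage rejected the session" from a genuine credential failure. The sample lines are a constructed excerpt of the server log above.

```python
import re

# Constructed excerpt of the server-side debug output quoted in this bug.
SAMPLE_LOG = """\
debug1: userauth-request for user tjacobs service ssh-connection method publickey
debug1: matching key found: file /home/tjacobs/.ssh/authorized_keys, line 2
debug1: ssh_dss_verify: signature correct
debug2: userauth_pubkey: authenticated 1 pkalg ssh-dss
PAM rejected by account configuration[13]: User account has expired
Failed publickey for tjacobs from 127.0.0.1 port 36005 ssh2
debug1: userauth-request for user tjacobs service ssh-connection method password
debug1: PAM Password authentication for "tjacobs" failed[7]: Authentication failure
Failed password for tjacobs from 127.0.0.1 port 36005 ssh2
"""

REQUEST_RE = re.compile(r"userauth-request for user (\S+) .* method (\S+)")
PAM_ACCT_RE = re.compile(r"PAM rejected by account configuration\[(\d+)\]: (.*)")
FAILED_RE = re.compile(r"^Failed (\S+) for (\S+) from")

def classify(attempt):
    """Name the failure mode of one finished authentication attempt."""
    if attempt["pam_acct_error"] is not None and attempt["signature_ok"]:
        # Key verified by sshd itself; rejection came from pam_acct_mgmt,
        # the account stage that runs even for publickey and needs root.
        return "key-ok-pam-account-rejected"
    if attempt["pam_acct_error"] is not None:
        return "pam-account-rejected"
    if attempt["method"] == "publickey":
        return "key-rejected"
    return "credential-rejected"

def triage(log_text):
    """Return one dict per userauth-request, with a verdict once it fails."""
    attempts, current = [], None
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m:  # a new attempt starts; earlier lines belong to the previous one
            current = {"user": m.group(1), "method": m.group(2),
                       "signature_ok": False, "pam_acct_error": None, "verdict": None}
            attempts.append(current)
            continue
        if current is None:
            continue
        if "signature correct" in line or "userauth_pubkey: authenticated 1" in line:
            current["signature_ok"] = True
        m = PAM_ACCT_RE.search(line)
        if m:
            current["pam_acct_error"] = (int(m.group(1)), m.group(2))
        if FAILED_RE.search(line):
            current["verdict"] = classify(current)
    return attempts
```

A "key-ok-pam-account-rejected" verdict on an otherwise healthy host points at the PAM account stage (privileges or the UsePAM setting) rather than at the key or authorized_keys file.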
Comment 2 Tomas Mraz 2005-02-07 07:31:12 EST
openssh-3.9p1 is in FC3
