Red Hat Bugzilla – Bug 69972
PAM authentication error when running sshd as user
Last modified: 2007-04-18 12:44:44 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 Galeon/1.2.0 (X11; Linux i686; U;) Gecko/20020509

Description of problem:
When running sshd as a mortal user, authentication will fail whether using password or public key to authenticate, and regardless of whether or not the public key has been loaded into ssh-agent. There are some documented problems with keyboard-interactive when shadow passwords are on, but public-key authentication fails as well--and it shouldn't.

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. Create a copy of sshd_config localized for the user's home directory.
2. Create DSA keys, and load the public key into user's authorized_keys file.
3. Add the public key to ssh-agent.
4. Run an unprivileged copy of sshd:
   /usr/sbin/sshd -dddp 8080 -h dsa_host_key -f sshd_config
5. Attempt to connect:
   ssh -v -p 8080 localhost

Actual Results:

[server]
debug1: sshd version OpenSSH_3.1p1
debug3: Not a RSA1 key file dsa_host_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #0 type 2 DSA
Could not load host key: /home/tjacobs/.ssh/dsa_host_key
Disabling protocol version 1. Could not load host key
setgroups() failed: Operation not permitted
socket: Address family not supported by protocol
debug1: Bind to port 8080 on 0.0.0.0.
Server listening on 0.0.0.0 port 8080.
debug1: Server will not fork when running in debugging mode.
Connection from 127.0.0.1 port 36005
debug1: Client protocol version 2.0; client software version OpenSSH_3.1p1
debug1: match: OpenSSH_3.1p1 pat OpenSSH*
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.1p1
debug1: list_hostkey_types: ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: zlib
debug2: kex_parse_kexinit: zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 zlib
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 zlib
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
WARNING: /etc/ssh/moduli does not exist, using old modulus
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: dh_gen_key: priv key bits set: 138/256
debug1: bits set: 508/1024
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: bits set: 494/1024
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: Enabling compression at level 6.
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user tjacobs service ssh-connection method none
debug1: attempt 0 failures 0
debug3: Trying to reverse map address 127.0.0.1.
debug2: input_userauth_request: setting up authctxt for tjacobs
debug1: Starting up PAM with username "tjacobs"
debug1: PAM setting rhost to "gateway.codegnome.org"
debug2: input_userauth_request: try method none
Failed none for tjacobs from 127.0.0.1 port 36005 ssh2
debug1: userauth-request for user tjacobs service ssh-connection method publickey
debug1: attempt 1 failures 1
debug2: input_userauth_request: try method publickey
debug1: test whether pkalg/pkblob are acceptable
debug1: temporarily_use_uid: 500/500 (e=500)
debug1: trying public key file /home/tjacobs/.ssh/authorized_keys
debug3: secure_filename: checking '/home/tjacobs/.ssh'
debug3: secure_filename: checking '/home/tjacobs'
debug3: secure_filename: terminating check at '/home/tjacobs'
debug1: matching key found: file /home/tjacobs/.ssh/authorized_keys, line 2
Found matching DSA key: 50:58:96:89:7a:ba:d0:c3:a0:07:20:0c:bf:70:e4:79
debug1: restore_uid
debug2: userauth_pubkey: authenticated 0 pkalg ssh-dss
Postponed publickey for tjacobs from 127.0.0.1 port 36005 ssh2
debug1: userauth-request for user tjacobs service ssh-connection method publickey
debug1: attempt 2 failures 1
debug2: input_userauth_request: try method publickey
debug1: temporarily_use_uid: 500/500 (e=500)
debug1: trying public key file /home/tjacobs/.ssh/authorized_keys
debug3: secure_filename: checking '/home/tjacobs/.ssh'
debug3: secure_filename: checking '/home/tjacobs'
debug3: secure_filename: terminating check at '/home/tjacobs'
debug1: matching key found: file /home/tjacobs/.ssh/authorized_keys, line 2
Found matching DSA key: 50:58:96:89:7a:ba:d0:c3:a0:07:20:0c:bf:70:e4:79
debug1: restore_uid
debug1: ssh_dss_verify: signature correct
debug2: userauth_pubkey: authenticated 1 pkalg ssh-dss
PAM rejected by account configuration[13]: User account has expired
Failed publickey for tjacobs from 127.0.0.1 port 36005 ssh2
debug1: userauth-request for user tjacobs service ssh-connection method keyboard-interactive
debug1: attempt 3 failures 2
debug2: input_userauth_request: try method keyboard-interactive
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=tjacobs devs=
debug1: kbdint_alloc: devices ''
debug2: auth2_challenge_start: devices
Failed keyboard-interactive for tjacobs from 127.0.0.1 port 36005 ssh2
debug1: userauth-request for user tjacobs service ssh-connection method password
debug1: attempt 4 failures 3
debug2: input_userauth_request: try method password
Failed password for tjacobs from 127.0.0.1 port 36005 ssh2
debug1: userauth-request for user tjacobs service ssh-connection method password
debug1: attempt 5 failures 4
debug2: input_userauth_request: try method password
debug1: PAM Password authentication for "tjacobs" failed[7]: Authentication failure
Failed password for tjacobs from 127.0.0.1 port 36005 ssh2
debug1: userauth-request for user tjacobs service ssh-connection method password
debug1: attempt 6 failures 5
debug2: input_userauth_request: try method password
debug1: PAM Password authentication for "tjacobs" failed[7]: Authentication failure
Failed password for tjacobs from 127.0.0.1 port 36005 ssh2
Connection closed by 127.0.0.1
debug1: Calling cleanup 0x80526c0(0x0)
debug1: Calling cleanup 0x8067b80(0x0)
debug1: compress outgoing: raw data 737, compressed 546, factor 0.74
debug1: compress incoming: raw data 1312, compressed 646, factor 0.49

[client]
OpenSSH_3.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090602f
debug1: Reading configuration data /home/tjacobs/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: restore_uid
debug1: ssh_connect: getuid 500 geteuid 0 anon 1
debug1: Connecting to localhost [127.0.0.1] port 8080.
debug1: temporarily_use_uid: 500/500 (e=0)
debug1: restore_uid
debug1: temporarily_use_uid: 500/500 (e=0)
debug1: restore_uid
debug1: Connection established.
debug1: read PEM private key done: type DSA
debug1: read PEM private key done: type RSA
debug1: identity file /home/tjacobs/.ssh/identity type -1
debug1: identity file /home/tjacobs/.ssh/id_rsa type -1
debug1: identity file /home/tjacobs/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_3.1p1
debug1: match: OpenSSH_3.1p1 pat OpenSSH*
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.1p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 zlib
debug1: kex: client->server aes128-cbc hmac-md5 zlib
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 134/256
debug1: bits set: 494/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'localhost' is known and matches the DSA host key.
debug1: Found key in /home/tjacobs/.ssh/known_hosts:5
debug1: bits set: 508/1024
debug1: ssh_dss_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: Enabling compression at level 6.
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug1: next auth method to try is publickey
debug1: userauth_pubkey_agent: testing agent key test
debug1: input_userauth_pk_ok: pkalg ssh-dss blen 434 lastkey 0x808fb60 hint -1
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug1: try privkey: /home/tjacobs/.ssh/identity
debug1: try privkey: /home/tjacobs/.ssh/id_rsa
debug1: try privkey: /home/tjacobs/.ssh/id_dsa
debug1: next auth method to try is keyboard-interactive
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug1: next auth method to try is password
debug1: packet_send2: adding 32 (len 21 padlen 11 extra_pad 64)
debug1: authentications that can continue: publickey,password,keyboard-interactive
Permission denied, please try again.
debug1: packet_send2: adding 48 (len 12 padlen 4 extra_pad 64)
debug1: authentications that can continue: publickey,password,keyboard-interactive
Permission denied, please try again.
debug1: packet_send2: adding 32 (len 19 padlen 13 extra_pad 64)
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug1: no more auth methods to try
Permission denied (publickey,password,keyboard-interactive).
debug1: Calling cleanup 0x80634c0(0x0)
debug1: compress outgoing: raw data 1312, compressed 646, factor 0.49
debug1: compress incoming: raw data 737, compressed 546, factor 0.74

Expected Results:
The client should have been authenticated, and logged in.

Additional info:
When tested against a remote system, the following was encountered:
1. When logging into the sshd run by root, everything worked fine.
2. When logging into an unprivileged sshd, the login failed with "PAM rejected by account configuration[13]: User account has expired".
FYI: This will work with current OpenSSH versions (3.7x and up) if you disable PAM (i.e. "UsePAM no" in sshd_config). It didn't work for your public-key auth because even for non-password auths, the PAM account checks (i.e. pam_acct_mgmt and friends) were still done and those require root. It would have worked if there was a way to disable PAM, but older versions of OpenSSH could only do that at compile time.
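An added example, not part of the bug report or of OpenSSH, that walks the server-side sshd -ddd output above and tells apart the stages the comment describes: the authorized key matched and its signature verified, and only then did the PAM account check (pam_acct_mgmt) reject the login. The sample lines are a constructed excerpt of the log quoted in the report, and the stage names are my own.

```python
import re

# Constructed sample: authentication-related server lines from the sshd -ddd output
# quoted in this bug report, trimmed to what the parser looks at.
SAMPLE_LOG = """\
debug1: userauth-request for user tjacobs service ssh-connection method none
Failed none for tjacobs from 127.0.0.1 port 36005 ssh2
debug1: userauth-request for user tjacobs service ssh-connection method publickey
debug1: matching key found: file /home/tjacobs/.ssh/authorized_keys, line 2
Postponed publickey for tjacobs from 127.0.0.1 port 36005 ssh2
debug1: userauth-request for user tjacobs service ssh-connection method publickey
debug1: matching key found: file /home/tjacobs/.ssh/authorized_keys, line 2
debug1: ssh_dss_verify: signature correct
PAM rejected by account configuration[13]: User account has expired
Failed publickey for tjacobs from 127.0.0.1 port 36005 ssh2
debug1: userauth-request for user tjacobs service ssh-connection method password
debug1: PAM Password authentication for "tjacobs" failed[7]: Authentication failure
Failed password for tjacobs from 127.0.0.1 port 36005 ssh2
"""

REQUEST = re.compile(r"userauth-request for user (\S+) service \S+ method (\S+)")

def triage_auth(log):
    """One dict per userauth request: user, method, whether an authorized key matched,
    whether its signature verified, and the deciding stage (postponed/pam-acct/pam-auth/failed)."""
    attempts, cur = [], None
    for line in log.splitlines():
        m = REQUEST.search(line)
        if m:
            cur = {"user": m.group(1), "method": m.group(2), "key_matched": False,
                   "sig_ok": False, "stage": "failed"}
            attempts.append(cur)
        elif cur is None:
            continue
        elif "matching key found" in line:
            cur["key_matched"] = True
        elif "signature correct" in line:
            cur["sig_ok"] = True
        elif line.startswith("Postponed "):
            cur["stage"] = "postponed"   # key accepted, client must now sign
        elif "PAM rejected by account configuration" in line:
            cur["stage"] = "pam-acct"    # pam_acct_mgmt, the step that needs root
        elif "PAM Password authentication" in line and "failed" in line:
            cur["stage"] = "pam-auth"
    return attempts

def pubkey_blocked_by_pam_account(attempts):
    """True when a key verified but PAM account management rejected it (this bug's symptom)."""
    return any(a["method"] == "publickey" and a["sig_ok"] and a["stage"] == "pam-acct"
               for a in attempts)
```

A "pam-acct" result on a publickey attempt means the credential was fine and the failure is in the account stage, which is where an sshd without root privileges (or a genuinely expired account) shows up.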
openssh-3.9p1 is in FC3