Hi all,

I added pam_warn to the PAM sshd file and have pasted the output below, which might also shed some light on my problem :(

May 6 16:00:45 sp32a PAM-warn[1025]: service: sshd [on terminal: NODEVssh]
May 6 16:00:45 sp32a PAM-warn[1025]: user: (uid=0) -> testuser [remote: ?nobody@192.168.300.2]
May 6 16:04:35 sp32a PAM-warn[1151]: service: sshd [on terminal: NODEVssh]
May 6 16:04:35 sp32a PAM-warn[1151]: user: (uid=0) -> testuser [remote: ?nobody@192.168.300.1]
May 6 16:04:35 sp32a PAM-warn[1151]: service: sshd [on terminal: NODEVssh]
May 6 16:04:35 sp32a PAM-warn[1151]: user: (uid=0) -> testuser [remote: ?nobody@192.168.300.2]

>From: "light storm" <lightstorm@antionline.org>
>To: pam-list@redhat.com
>Cc: vorlon@netexpress.net
>Subject: Re: openssh + pam authentication failing +md5 (?!) HELP HELP HELP !
>Reply-To: pam-list@redhat.com
>Date: Fri, 3 May 2002 11:10:01 -0700
>
>Hello Steve,
>
>First of all, thanks for any time you put into my problem; I really appreciate all the help, because I just don't see it :(
>
>I'll paste here the additional information which might help solve this:
>
>(note: openssh was compiled with pam support and md5 support)
>
>
>sshd pam file for openssh in /etc/pam.d/
>
>#%PAM-1.0
>auth required /lib/security/pam_unix.so # set_secrpc
>auth required /lib/security/pam_nologin.so
>auth required /lib/security/pam_env.so
>account required /lib/security/pam_unix.so
>password required /lib/security/pam_pwcheck.so md5
>password required /lib/security/pam_unix.so md5 use_first_pass use_authtok
>session required /lib/security/pam_unix.so none # trace or debug
>session required /lib/security/pam_limits.so
>
>sshd_config file:
>
>
># for more information.
>
># This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin:/opt/bin
>
># The strategy used for options in the default sshd_config shipped with
># OpenSSH is to specify options with their default value where
># possible, but leave them commented. Uncommented options change a
># default value.
>
>#Port 22
>#Protocol 2,1
>#ListenAddress 0.0.0.0
>#ListenAddress ::
>
># HostKey for protocol version 1
>#HostKey /etc/ssh/ssh_host_key
># HostKeys for protocol version 2
>#HostKey /etc/ssh/ssh_host_rsa_key
>#HostKey /etc/ssh/ssh_host_dsa_key
>
># Lifetime and size of ephemeral version 1 server key
>#KeyRegenerationInterval 3600
>ServerKeyBits 1024
>
># Logging
>#obsoletes QuietMode and FascistLogging
>#SyslogFacility AUTH
>#LogLevel INFO
>
># Authentication:
>
>#LoginGraceTime 600
>#PermitRootLogin yes
>#StrictModes yes
>
>#RSAAuthentication yes
>#PubkeyAuthentication yes
>#AuthorizedKeysFile .ssh/authorized_keys
>
># rhosts authentication should not be used
>#RhostsAuthentication no
># Don't read the user's ~/.rhosts and ~/.shosts files
>#IgnoreRhosts yes
># For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
>#RhostsRSAAuthentication no
># similar for protocol version 2
>#HostbasedAuthentication no
># Change to yes if you don't trust ~/.ssh/known_hosts for
># RhostsRSAAuthentication and HostbasedAuthentication
>#IgnoreUserKnownHosts no
>
># To disable tunneled clear text passwords, change to no here!
>#PasswordAuthentication yes
>#PermitEmptyPasswords no
>
># Change to no to disable s/key passwords
>#ChallengeResponseAuthentication yes
>
># Kerberos options
># KerberosAuthentication automatically enabled if keyfile exists
>#KerberosAuthentication yes
>#KerberosOrLocalPasswd yes
>#KerberosTicketCleanup yes
>
># AFSTokenPassing automatically enabled if k_hasafs() is true
>#AFSTokenPassing yes
>
># Kerberos TGT Passing only works with the AFS kaserver
>#KerberosTgtPassing no
>
># Set this to 'yes' to enable PAM keyboard-interactive authentication
># Warning: enabling this may bypass the setting of 'PasswordAuthentication'
>#PAMAuthenticationViaKbdInt yes
>
>#X11Forwarding no
>#X11DisplayOffset 10
>#X11UseLocalhost yes
>#PrintMotd yes
>#PrintLastLog yes
>#KeepAlive yes
>#UseLogin no
>
>#MaxStartups 10
># no default banner path
>#Banner /some/path
>#VerifyReverseMapping no
>
># override default of no subsystems
>Subsystem sftp /opt/libexec/sftp-server
>
>
>||||||||||||||
>
>on server with sshd -d -d -d :
>
>debug1: sshd version OpenSSH_3.1p1
>debug1: private host key: #0 type 0 RSA1
>debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key.
>debug1: read PEM private key done: type RSA
>debug1: private host key: #1 type 1 RSA
>debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key.
>debug1: read PEM private key done: type DSA
>debug1: private host key: #2 type 2 DSA
>debug1: Forcing server key to 1152 bits to make it differ from host key.
>socket: Address family not supported by protocol
>debug1: Bind to port 22 on 0.0.0.0.
>Server listening on 0.0.0.0 port 22.
>Generating 1152 bit RSA key.
>RSA key generation complete.
>debug1: Server will not fork when running in debugging mode.
>Connection from 192.168.100.100 port 34864
>debug1: Client protocol version 2.0; client software version OpenSSH_3.0.2p1 Debian 1:3.0.2p1-9
>debug1: match: OpenSSH_3.0.2p1 Debian 1:3.0.2p1-9 pat OpenSSH*
>Enabling compatibility mode for protocol 2.0
>debug1: Local version string SSH-1.99-OpenSSH_3.1p1
>debug1: list_hostkey_types: ssh-rsa,ssh-dss
>debug1: SSH2_MSG_KEXINIT sent
>debug1: SSH2_MSG_KEXINIT received
>debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
>debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
>debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
>debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
>debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
>debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
>debug2: kex_parse_kexinit: none,zlib
>debug2: kex_parse_kexinit: none,zlib
>debug2: kex_parse_kexinit:
>debug2: kex_parse_kexinit:
>debug2: kex_parse_kexinit: first_kex_follows 0
>debug2: kex_parse_kexinit: reserved 0
>debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
>debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
>debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc@lysator.liu.se
>debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc@lysator.liu.se
>debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
>debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
>debug2: kex_parse_kexinit: zlib
>debug2: kex_parse_kexinit: zlib
>debug2: kex_parse_kexinit:
>debug2: kex_parse_kexinit:
>debug2: kex_parse_kexinit: first_kex_follows 0
>debug2: kex_parse_kexinit: reserved 0
>debug2: mac_init: found hmac-md5
>debug1: kex: client->server aes128-cbc hmac-md5 zlib
>debug2: mac_init: found hmac-md5
>debug1: kex: server->client aes128-cbc hmac-md5 zlib
>debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
>debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
>debug1: dh_gen_key: priv key bits set: 130/256
>debug1: bits set: 1561/3191
>debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
>debug1: bits set: 1593/3191
>debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
>debug1: kex_derive_keys
>debug1: newkeys: mode 1
>debug1: Enabling compression at level 6.
>debug1: SSH2_MSG_NEWKEYS sent
>debug1: waiting for SSH2_MSG_NEWKEYS
>debug1: newkeys: mode 0
>debug1: SSH2_MSG_NEWKEYS received
>debug1: KEX done
>debug1: userauth-request for user testuser service ssh-connection method none
>debug1: attempt 0 failures 0
>debug2: input_userauth_request: setting up authctxt for testuser
>debug1: Starting up PAM with username "testuser"
>debug3: Trying to reverse map address 192.168.100.100.
>debug1: PAM setting rhost to "cper.tter.org"
>debug2: input_userauth_request: try method none
>Failed none for testuser from 192.168.100.100 port 34864 ssh2
>debug1: userauth-request for user testuser service ssh-connection method keyboard-interactive
>debug1: attempt 1 failures 1
>debug2: input_userauth_request: try method keyboard-interactive
>debug1: keyboard-interactive devs
>debug1: auth2_challenge: user=testuser devs=
>debug1: kbdint_alloc: devices ''
>debug2: auth2_challenge_start: devices
>Failed keyboard-interactive for testuser from 192.168.100.100 port 34864 ssh2
>debug1: userauth-request for user testuser service ssh-connection method password
>debug1: attempt 2 failures 2
>debug2: input_userauth_request: try method password
>debug1: PAM Password authentication for "testuser" failed[7]: Authentication failure
>Failed password for testuser from 192.168.100.100 port 34864 ssh2
>debug1: userauth-request for user testuser service ssh-connection method password
>debug1: attempt 3 failures 3
>debug2: input_userauth_request: try method password
>debug1: PAM Password authentication for "testuser" failed[7]: Authentication failure
>Failed password for testuser from 192.168.100.100 port 34864 ssh2
>debug1: userauth-request for user testuser service ssh-connection method password
>debug1: attempt 4 failures 4
>debug2: input_userauth_request: try method password
>debug1: PAM Password authentication for "testuser" failed[7]: Authentication failure
>Failed password for testuser from 192.168.100.100 port 34864 ssh2
>Connection closed by 192.168.100.100
>debug1: Calling cleanup 0x80524a0(0x0)
>debug1: Calling cleanup 0x8068e10(0x0)
>debug1: compress outgoing: raw data 242, compressed 85, factor 0.35
>debug1: compress incoming: raw data 293, compressed 146, factor 0.50
>
>|||||||||||||||
>
>
>from remote system with ssh -C -v -v -v :
>
>OpenSSH_3.0.2p1 Debian 1:3.0.2p1-9, SSH protocols 1.5/2.0, OpenSSL 0x0090603f
>debug1: Reading configuration data /etc/ssh/ssh_config
>debug1: Seeding random number generator
>debug1: Rhosts Authentication disabled, originating port will not be trusted.
>debug1: restore_uid
>debug1: ssh_connect: getuid 1027 geteuid 1027 anon 1
>debug1: Connecting to 192.168.200.200 [192.168.200.200] port 22.
>debug1: temporarily_use_uid: 1027/1027 (e=1027)
>debug1: restore_uid
>debug1: temporarily_use_uid: 1027/1027 (e=1027)
>debug1: restore_uid
>debug1: Connection established.
>debug1: identity file /home/testuser/.ssh/identity type -1
>debug1: identity file /home/testuser/.ssh/id_rsa type -1
>debug1: identity file /home/testuser/.ssh/id_dsa type -1
>debug1: Remote protocol version 1.99, remote software version OpenSSH_3.1p1
>debug1: match: OpenSSH_3.1p1 pat ^OpenSSH
>Enabling compatibility mode for protocol 2.0
>debug1: Local version string SSH-2.0-OpenSSH_3.0.2p1 Debian 1:3.0.2p1-9
>debug1: SSH2_MSG_KEXINIT sent
>debug1: SSH2_MSG_KEXINIT received
>debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
>debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
>debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc@lysator.liu.se
>debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc@lysator.liu.se
>debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
>debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
>debug2: kex_parse_kexinit: zlib
>debug2: kex_parse_kexinit: zlib
>debug2: kex_parse_kexinit:
>debug2: kex_parse_kexinit:
>debug2: kex_parse_kexinit: first_kex_follows 0
>debug2: kex_parse_kexinit: reserved 0
>debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
>debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
>debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
>debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
>debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
>debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
>debug2: kex_parse_kexinit: none,zlib
>debug2: kex_parse_kexinit: none,zlib
>debug2: kex_parse_kexinit:
>debug2: kex_parse_kexinit:
>debug2: kex_parse_kexinit: first_kex_follows 0
>debug2: kex_parse_kexinit: reserved 0
>debug2: mac_init: found hmac-md5
>debug1: kex: server->client aes128-cbc hmac-md5 zlib
>debug2: mac_init: found hmac-md5
>debug1: kex: client->server aes128-cbc hmac-md5 zlib
>debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
>debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
>debug1: dh_gen_key: priv key bits set: 135/256
>debug1: bits set: 1593/3191
>debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
>debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
>debug3: check_host_in_hostfile: filename /home/testuser/.ssh/known_hosts
>debug3: check_host_in_hostfile: filename /etc/ssh/ssh_known_hosts
>The authenticity of host '192.168.200.200 (192.168.200.200)' can't be established.
>RSA key fingerprint is 27:19:b8:ba:69:e7:91:9a:b3:00:09:c4:a8:f6:be:e0.
>Are you sure you want to continue connecting (yes/no)? yes
>Warning: Permanently added '192.168.200.200' (RSA) to the list of known hosts.
>debug1: bits set: 1561/3191
>debug1: ssh_rsa_verify: signature correct
>debug1: kex_derive_keys
>debug1: newkeys: mode 1
>debug1: Enabling compression at level 6.
>debug1: SSH2_MSG_NEWKEYS sent
>debug1: waiting for SSH2_MSG_NEWKEYS
>debug1: newkeys: mode 0
>debug1: SSH2_MSG_NEWKEYS received
>debug1: done: ssh_kex2.
>debug1: send SSH2_MSG_SERVICE_REQUEST
>debug1: service_accept: ssh-userauth
>debug1: got SSH2_MSG_SERVICE_ACCEPT
>debug1: authentications that can continue: publickey,password,keyboard-interactive
>debug3: start over, passed a different list publickey,password,keyboard-interactive
>debug3: preferred publickey,keyboard-interactive,password
>debug3: authmethod_lookup publickey
>debug3: remaining preferred: keyboard-interactive,password
>debug3: authmethod_is_enabled publickey
>debug1: next auth method to try is publickey
>debug1: try privkey: /home/testuser/.ssh/identity
>debug3: no such identity: /home/testuser/.ssh/identity
>debug1: try privkey: /home/testuser/.ssh/id_rsa
>debug3: no such identity: /home/testuser/.ssh/id_rsa
>debug1: try privkey: /home/testuser/.ssh/id_dsa
>debug3: no such identity: /home/testuser/.ssh/id_dsa
>debug2: we did not send a packet, disable method
>debug3: authmethod_lookup keyboard-interactive
>debug3: remaining preferred: password
>debug3: authmethod_is_enabled keyboard-interactive
>debug1: next auth method to try is keyboard-interactive
>debug2: userauth_kbdint
>debug2: we sent a keyboard-interactive packet, wait for reply
>debug1: authentications that can continue: publickey,password,keyboard-interactive
>debug3: userauth_kbdint: disable: no info_req_seen
>debug2: we did not send a packet, disable method
>debug3: authmethod_lookup password
>debug3: remaining preferred:
>debug3: authmethod_is_enabled password
>debug1: next auth method to try is password
>testuser@192.168.200.200's password:
>debug1: packet_send2: adding 16 (len 43 padlen 5 extra_pad 64)
>debug2: we sent a password packet, wait for reply
>debug1: authentications that can continue: publickey,password,keyboard-interactive
>Permission denied, please try again.
>testuser@192.168.200.200's password:
>debug1: packet_send2: adding 32 (len 17 padlen 15 extra_pad 64)
>debug2: we sent a password packet, wait for reply
>debug1: authentications that can continue: publickey,password,keyboard-interactive
>Permission denied, please try again.
>testuser@192.168.200.200's password:
>debug1: packet_send2: adding 32 (len 19 padlen 13 extra_pad 64)
>debug2: we sent a password packet, wait for reply
>debug1: authentications that can continue: publickey,password,keyboard-interactive
>debug2: we did not send a packet, disable method
>debug1: no more auth methods to try
>Permission denied (publickey,password,keyboard-interactive).
>debug1: Calling cleanup 0x80633cc(0x0)
>debug1: compress outgoing: raw data 293, compressed 146, factor 0.50
>debug1: compress incoming: raw data 242, compressed 85, factor 0.35
>
>
>
>extra information: passwd (pam file):
>
>#%PAM-1.0
>auth required /lib/security/pam_unix.so nullok
>account required /lib/security/pam_unix.so
>password required /lib/security/pam_pwcheck.so nullok md5
>password required /lib/security/pam_unix.so nullok md5 use_first_pass use_authtok
>session required /lib/security/pam_unix.so
>
>
>other extra information:
>
>ldd /opt/sbin/sshd
>	libpam.so.0 => /lib/libpam.so.0 (0x4002a000)
>	libdl.so.2 => /lib/libdl.so.2 (0x40032000)
>	libutil.so.1 => /lib/libutil.so.1 (0x40035000)
>	libz.so.1 => /lib/libz.so.1 (0x40038000)
>	libnsl.so.1 => /lib/libnsl.so.1 (0x40047000)
>	libcrypto.so.0.9.6 => /usr/lib/libcrypto.so.0.9.6 (0x4005d000)
>	libc.so.6 => /lib/libc.so.6 (0x4011e000)
>	/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
>
>ldd /usr/bin/passwd
>	libcrypt.so.1 => /lib/libcrypt.so.1 (0x4002a000)
>	libcrack.so.2 => /usr/lib/libcrack.so.2 (0x40058000)
>	libpam.so.0 => /lib/libpam.so.0 (0x40064000)
>	libpam_misc.so.0 => /lib/libpam_misc.so.0 (0x4006c000)
>	libdl.so.2 => /lib/libdl.so.2 (0x4006f000)
>	libc.so.6 => /lib/libc.so.6 (0x40072000)
>	/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
>
>
>
>
>
>>From: Steve Langasek <vorlon@netexpress.net>
>>To: pam-list@redhat.com
>>Subject: Re: openssh + pam authentication failing +md5 (?!) HELP HELP HELP !
>>Reply-To: pam-list@redhat.com
>>Date: Fri, 3 May 2002 11:28:33 -0500
>>
>>On Fri, May 03, 2002 at 02:12:51AM -0700, light storm wrote:
>>> This is the first time I really needed to seek the help of someone
>>> who has a lot more expertise on this subject, since I have almost no
>>> hair left on my head which I didn't pull out ;-)
>>
>>> I have installed openssh 3.1 and openssl 0.9.6a, and I use PAM. Most
>>> things work perfectly, until I wanted to use PAM for ssh: I enabled
>>> PAM support for openssh, also enabled MD5 password support for openssh,
>>> added the correct information to the PAM file (/etc/pam.d/sshd) like
>>> 'md5', but when I try to log in from various servers to that server,
>>> shortly said, I get "PAM authentication failed, permission denied
>>> ...". That is the problem hehe
>>
>>> Paste:
>>
>>> Failed password for testuser from 192.168.150.52 port 34440 ssh2
>>> debug1: userauth-request for user testuser service ssh-connection method password
>>> debug1: attempt 3 failures 3
>>> debug2: input_userauth_request: try method password
>>> debug1: PAM Password authentication for "testuser" failed[7]: Authentication failure
>>> ...
>>
>>> My sshd_config and ssh_config are all correctly configured; besides the
>>> above, passwd/login are also using PAM, no problem.
>>
>>> I did a test: I created a password for testuser with another tool, not
>>> MD5, and all of a sudden ssh worked (!??), but when I change the password
>>> with passwd (it then becomes MD5) ssh refuses :((( ..
>>
>>> IMHO something goes wrong when the MD5 password is read by PAM and
>>> that causes openssh to say permission denied ... but guys, what in
>>> God's name goes wrong, or what did I do wrong?
>>
>>
>>> PS: the generic PAM sshd file is what I use; I added the md5 to it.
>>
>>Please post the full contents of the exact PAM configuration you're
>>using for sshd. There are many different 'default' configurations in
>>existence, and it's impossible to diagnose this error without knowing
>>what your particular configuration looks like.
>>
>>Steve Langasek
>>postmodern programmer
>>-----BEGIN PGP SIGNATURE-----
>>Version: GnuPG v1.0.6 (GNU/Linux)
>>Comment: For info see http://www.gnupg.org
>>
>>iD8DBQE80rqtKN6ufymYLloRAo+ZAJ4508T5jj7vTWmLfkpd6Lw+CQQ/IACfZWea
>>522dURA5d4g8Gk6pKaCRJP4=
>>=cNlF
>>-----END PGP SIGNATURE-----
>
>
>------------------------------------------------------------
>Email account furnished courtesy of AntiOnline - http://www.AntiOnline.com
>AntiOnline - The Internet's Information Security Super Center!
>
>
>_______________________________________________
>
>Pam-list@redhat.com
>https://listman.redhat.com/mailman/listinfo/pam-list
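The script below is an added example, not code from this thread, from OpenSSH or from Linux-PAM. It parses the two artifacts the poster supplied, the /etc/pam.d/sshd file and the `ldd` output of sshd and passwd (both embedded as constructed samples copied from the text above, with the mail-wrapped PAM line rejoined), into structured records and reports what a reviewer would check first. One thing it makes visible is that sshd loads libcrypto.so.0.9.6 and no libcrypt.so at all, while passwd loads libcrypt.so.1. Whether that is the cause of the failure is not settled on this page; the thread's answer is not here. That an OpenSSL 0.9.6 libcrypto can export a crypt() of its own is an assumption about that build, not something the page confirms. What makes the load order worth checking is the dynamic-linker rule that a dlopen()ed module such as pam_unix.so resolves an undefined symbol like crypt() against the program's already-loaded libraries (the global scope) before its own dependencies.

```python
"""Added example (editor's, not from the thread, OpenSSH or Linux-PAM): parse
the /etc/pam.d/sshd file and the `ldd` listings the thread posted and report
what a reviewer would check first.  All inputs are constructed inline."""
import re

# /etc/pam.d/sshd as posted, mail-wrapped `password` line rejoined (sample).
SSHD_PAM = """\
#%PAM-1.0
auth     required /lib/security/pam_unix.so    # set_secrpc
auth     required /lib/security/pam_nologin.so
auth     required /lib/security/pam_env.so
account  required /lib/security/pam_unix.so
password required /lib/security/pam_pwcheck.so md5
password required /lib/security/pam_unix.so    md5 use_first_pass use_authtok
session  required /lib/security/pam_unix.so    none   # trace or debug
session  required /lib/security/pam_limits.so
"""
# The posted `ldd` output, trimmed to the relevant lines, addresses dropped.
SSHD_LDD = """\
libpam.so.0 => /lib/libpam.so.0
libcrypto.so.0.9.6 => /usr/lib/libcrypto.so.0.9.6
libc.so.6 => /lib/libc.so.6
"""
PASSWD_LDD = """\
libcrypt.so.1 => /lib/libcrypt.so.1
libpam.so.0 => /lib/libpam.so.0
libc.so.6 => /lib/libc.so.6
"""

PAM_TYPES = ("auth", "account", "password", "session")
# type, control (a word or a [bracketed action list]), module path, args
PAM_LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_pam_service(text):
    """Return [(type, control, module, [args])] for a Linux-PAM service file.
    `#` starts a comment, a trailing backslash continues a line, and a line
    that does not fit the grammar (like the bare `use_first_pass use_authtok`
    fragment mail wrapping produced in the thread) is kept as 'INVALID'."""
    entries, pending = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        line, pending = pending + line, ""
        m = PAM_LINE.match(line)
        if not m or m.group(1).lower() not in PAM_TYPES:
            entries.append(("INVALID", None, line, []))
        else:
            ptype, control, module, args = m.groups()
            entries.append((ptype.lower(), control, module, args.split()))
    return entries


def lint_pam(entries):
    """Findings relevant to the thread's symptom (sshd rejects the MD5
    password that passwd just set); an empty list means nothing odd."""
    findings = []
    for ptype, _ctl, module, args in entries:
        if ptype == "INVALID":
            findings.append("unparseable line: %r" % module)
        elif "md5" in args and ptype != "password":
            # pam_unix honours `md5` only when setting a password; when it
            # checks one, the hash type is taken from the stored hash.
            findings.append("%s: 'md5' only matters on password lines, found on %s"
                            % (module.rsplit("/", 1)[-1], ptype))
    return findings


def linked_libs(ldd_output):
    """Sonames in the order `ldd` lists them: the loader's map order, which is
    also the global symbol search order a later dlopen()ed module such as
    pam_unix.so sees before its own dependencies."""
    hits = (re.match(r"\s*(\S+)\s+=>", l) for l in ldd_output.splitlines())
    return [m.group(1) for m in hits if m]


def crypt_providers(libs):
    """Loaded libraries that may define crypt(): the system libcrypt and, on
    the assumption stated in the lead-in, an OpenSSL 0.9.6 libcrypto.  The
    first of these that really exports crypt() is what pam_unix.so binds to."""
    return [l for l in libs if l.startswith(("libcrypt.so", "libcrypto.so"))]


def report():
    """Summary as a dict rather than printed output, so it can be checked."""
    entries = parse_pam_service(SSHD_PAM)
    return {
        "stacks": {t: [m.rsplit("/", 1)[-1] for pt, _, m, _ in entries if pt == t]
                   for t in PAM_TYPES},
        "findings": lint_pam(entries),
        "sshd_crypt": crypt_providers(linked_libs(SSHD_LDD)),
        "passwd_crypt": crypt_providers(linked_libs(PASSWD_LDD)),
    }
```

With the posted files, `report()` returns an empty findings list (the md5 option sits on the two password lines, where it belongs), `["libcrypto.so.0.9.6"]` for sshd and `["libcrypt.so.1"]` for passwd. On the affected box the assumption behind the last two values can be checked directly with `nm -D /usr/lib/libcrypto.so.0.9.6 | grep -w crypt`: an exported crypt() there, combined with no libcrypt in sshd's link map, is the first thing to rule out before suspecting the PAM file.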