Hello Steve,all
I added the debug option the password rule and the auth rule in the sshd pam file, but as far as i can see nothing was sent to the logs, i mean messages and warn logs, unless i should check some other log which i cannot see at the moment ??
But i think i found the problem but if it is real then i still don't know what i can do:
I changed the password of the user 'testuser' with some other tool which doesn't create md5 passwords.
Then i tried again ssh and now i can login, but 2 things i conclude now: 1. ssh lets me , i only need the first 8 chars to enter
2. it seems that when it's md5 encrypted then authentication
fails.
these are logs of what i just did to get in:
[from the ssh remote side]
debug1: PAM establishing creds
Environment:
USER=testuser
LOGNAME=testuser
HOME=/home/testuser
PATH=/usr/bin:/bin:/usr/sbin:/sbin:/opt/bin
MAIL=/var/mail/testuser
SHELL=/bin/bash
SSH_CLIENT= 192.168.200.30 33029 22
SSH_TTY=/dev/pts/7
TERM=kvt
debug3: channel_close_fds: channel 0: r -1 w -1 e -1
testuser@sp32a:~ >
[this is what sshd -d -d -d shows]
debug1: PAM Password authentication accepted for user "testuser"
Accepted password for testuser from 192.168.200.30 port 33030 ssh2
debug1: Entering interactive session for SSH2.
debug1: fd 3 setting O_NONBLOCK
debug1: fd 7 setting O_NONBLOCK
debug1: server_init_dispatch_20
debug1: server_input_channel_open: ctype session rchan 0 win 65536 max 16384
debug1: input_session_request
debug1: channel 0: new [server-session]
debug1: session_new: init
debug1: session_new: session 0
debug1: session_open: channel 0
debug1: session_open: session 0: link with channel 0
debug1: server_input_channel_open: confirm session
debug1: server_input_channel_req: channel 0 request pty-req reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req pty-req
debug1: Allocating pty.
Well, i hope we made some progress to a solution, please let me know if you need more information.
Thanks !
> Steve Langasek <vorlon@netexpress.net> pam-list@redhat.com Re: openssh + pam authentication failing +md5 (?!) HELP HELP HELP !Reply-To: pam-list@redhat.com
>Date: Mon, 6 May 2002 09:29:48 -0500
>
>On Fri, May 03, 2002 at 11:10:01AM -0700, light storm wrote:
>
>> First of all thanks for anytime you put in my problem, really
>> appreciate all the help cause i just don't see it :(
>
>> I'll paste here the additional information which might help solve this:
>
>> (note: openssh was compiled with pam support and md5 support)
>
>> sshd pam file for openssh in /etc/pam.d/
>
>Have you checked your log files for anything that might tell you which
>PAM module is failing and why? pam_unix, at least, logs a fair amount
>of information to the syslog 'auth' facility, and more information is
>available if you add the 'debug' flag to the module arguments
>
> auth required /lib/security/pam_unix.so debug
>
>Your openssh debug output indicates that PAM is being invoked, and your
>PAM config file looks reasonable from what I can tell; so looking at
>logs would be the next step.
>
>> #%PAM-1.0
>> auth required /lib/security/pam_unix.so # set_secrpc
>> auth required /lib/security/pam_nologin.so
>> auth required /lib/security/pam_env.so
>> account required /lib/security/pam_unix.so
>
>> password required /lib/security/pam_pwcheck.so md5
>
>BTW, does pam_pwcheck.so really support this 'md5' argument? As a quick
>experiment, you might try removing it to see if that changes openssh's
>behavior -- though the effect on the authentication process of a
>misconfigured password module should really be minimal.
>
>Steve Langasek
>postmodern programmer
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1.0.6 (GNU/Linux)
>Comment: For info see http://www.gnupg.org
>
>iD8DBQE81pNcKN6ufymYLloRAsbRAJ9lz57C+OSK/Ce+6SKAA3cvM/1W4gCgqGwe
>x0lGxmAyDge9lu2Hk30PpGE=
>=N6WS
>-----END PGP SIGNATURE-----
------------------------------------------------------------
Email account furnished courtesy of AntiOnline - http://www.AntiOnline.com
AntiOnline - The Internet's Information Security Super Center!
---------------------------------------------------------------------
Express yourself with a super cool email address from BigMailBox.com.
Hundreds of choices. It's free!
http://www.bigmailbox.com
---------------------------------------------------------------------
