Hello Steve, Indeed, i forgot to see/remember that i use su and login with pam authentication, as i can see in the log when i su to root i see a rule saying pam authentication was successfull, i can check later exactly the msg but it was positive and it works, so do the md5 encrypted passwords in the shadow file with login (pam) etc... If pam seems to work with those ... then the question is why does ssh give trouble ? in the logs/debug info things seem to be fine imho ... except the permission denied and 'pam authentication failed' msg's.. I also tried to remove the 'shadow' from the two lines but still same problem. There is one thing i don't know exactly what it means, i saw it in one of the logs "socket address family protocol not supported" ... is that normal or does it have to do with the problem ? Hope we are now isolating the problem area... Thanks... > Steve Langasek <vorlon@netexpress.net> pam-list@redhat.com Re: openssh + pam authentication failing +md5 (?!) HELP HELP HELP !Reply-To: pam-list@redhat.com >Date: Mon, 6 May 2002 13:22:56 -0500 > >On Mon, May 06, 2002 at 09:33:32AM -0700, light storm wrote: >> About the first possibility .. is there a way to check if the pam >> module 'pam_unix.so' supports (freebsd) md5 encryption ? > >Sure... by giving a user a password that's been encrypted this way, and >testing to see if you can still use pam_unix to authenticate that user >to a simple PAM-enabled service. OpenSSH probably doesn't count as a >'simple PAM-enabled service', though login probably does. > >> Second possibility .. after changing the pass of testuser (md5) and of >> another user and tried just a plain login from the console it works, >> login uses pam authentication ... > >This is with pam_unix in your /etc/pam.d/login, and with a freebsd md5 >password for the user that you're logging in as? > >I think the key still lies in seeing what pam_unix is sending to syslog >when the logins are failing. > >Steve Langasek >postmodern programmer > > >> > Steve Langasek <vorlon@netexpress.net> pam-list@redhat.com Re: openssh + pam authentication failing +md5 (?!) HELP HELP HELP !Reply-To: pam-list@redhat.com >> >Date: Mon, 6 May 2002 11:26:05 -0500 >> > >> >On Mon, May 06, 2002 at 08:52:41AM -0700, light storm wrote: >> >> Hello Steve,all >> > >> >> I added the debug option the password rule and the auth rule in the >> >> sshd pam file, but as far as i can see nothing was sent to the logs, i >> >> mean messages and warn logs, unless i should check some other log >> >> which i cannot see at the moment ?? >> > >> >You would need to check your /etc/syslog.conf to see where -- if >> >anywhere -- auth.* messages are currently being sent. On my machine, >> >that's /var/log/auth and /var/log/debug. >> > >> >> But i think i found the problem but if it is real then i still don't >> >> know what i can do: >> > >> >> I changed the password of the user 'testuser' with some other tool >> >> which doesn't create md5 passwords. >> > >> >> Then i tried again ssh and now i can login, but 2 things i conclude >> >> now: 1. ssh lets me , i only need the first 8 chars to enter >> >> 2. it seems that when it's md5 encrypted then authentication >> >> fails. >> > >> >If using traditional crypt passwords, only the first 8 characters of the >> >password are encrypted. >> > >> >> debug1: PAM Password authentication accepted for user "testuser" >> >> Accepted password for testuser from 192.168.200.30 port 33030 ssh2 >> >> debug1: Entering interactive session for SSH2. >> > >> >A couple possibilities I can think of: >> > >> >The pam_unix module you're using doesn't support md5 passwords. >> > >> >The password you had for testuser was not a valid md5 hash, causing >> >authentication to fail. >> > >> >The testuser account was expired, and PAM was requiring a password >> >change, but the password change was failing. >> > >> >To rule out the third possibility, I suggest setting a new md5 password >> >for testuser and trying to ssh in again. >> > >> >Steve Langasek >> >postmodern programmer >> >-----BEGIN PGP SIGNATURE----- >> >Version: GnuPG v1.0.6 (GNU/Linux) >> >Comment: For info see http://www.gnupg.org >> > >> >iD8DBQE81q6cKN6ufymYLloRAm5tAJsEXWRQqvwkHLLgvVovArcZYdPfOgCfZlOp >> >4yPKUt6SYku4bG02nfJWwho= >> >=AZN/ >> >-----END PGP SIGNATURE----- >> >> >> ------------------------------------------------------------ >> Email account furnished courtesy of AntiOnline - http://www.AntiOnline.com >> AntiOnline - The Internet's Information Security Super Center! >> >> >> --------------------------------------------------------------------- >> Express yourself with a super cool email address from BigMailBox.com. >> Hundreds of choices. It's free! >> http://www.bigmailbox.com >> --------------------------------------------------------------------- >> >> >> >> _______________________________________________ >> >> Pam-list@redhat.com >> https://listman.redhat.com/mailman/listinfo/pam-list >-----BEGIN PGP SIGNATURE----- >Version: GnuPG v1.0.6 (GNU/Linux) >Comment: For info see http://www.gnupg.org > >iD8DBQE81sn/KN6ufymYLloRAg6DAJ44bntWMDJ59pcft9ZaWPVNQcjgjgCdEvBS >7EPQuWU9IdPfaQb5Xv+7YjU= >=YQo5 >-----END PGP SIGNATURE----- ------------------------------------------------------------ Email account furnished courtesy of AntiOnline - http://www.AntiOnline.com AntiOnline - The Internet's Information Security Super Center! --------------------------------------------------------------------- Express yourself with a super cool email address from BigMailBox.com. Hundreds of choices. It's free! http://www.bigmailbox.com ---------------------------------------------------------------------
