Hi Steve, all

Just informing if someone might have discovered what could be wrong ...

Thanks..

> "light storm" <lightstorm@antionline.org> pam-list@redhat.com Re: openssh + pam authentication failing +md5 (?!) HELP HELP HELP !
>Reply-To: pam-list@redhat.com
>Date: Mon, 6 May 2002 11:15:19 -0700
>
>Hello Steve,
>
>Indeed, I forgot to see/remember that I use su and login with pam authentication, as I can see in the log when I su to root I see a rule saying pam authentication was successful, I can check later exactly the msg but it was positive and it works, so do the md5 encrypted passwords in the shadow file with login (pam) etc...
>
>If pam seems to work with those ... then the question is why does ssh give trouble? In the logs/debug info things seem to be fine imho ...
>except the permission denied and 'pam authentication failed' msgs..
>
>I also tried to remove the 'shadow' from the two lines but still same problem. There is one thing I don't know exactly what it means, I saw it in one of the logs "socket address family protocol not supported" ... is that normal or does it have to do with the problem?
>
>Hope we are now isolating the problem area...
>
>Thanks...
>
>> Steve Langasek <vorlon@netexpress.net> pam-list@redhat.com Re: openssh + pam authentication failing +md5 (?!) HELP HELP HELP !
>>Reply-To: pam-list@redhat.com
>>Date: Mon, 6 May 2002 13:22:56 -0500
>>
>>On Mon, May 06, 2002 at 09:33:32AM -0700, light storm wrote:
>>> About the first possibility .. is there a way to check if the pam
>>> module 'pam_unix.so' supports (freebsd) md5 encryption ?
>>
>>Sure... by giving a user a password that's been encrypted this way, and
>>testing to see if you can still use pam_unix to authenticate that user
>>to a simple PAM-enabled service. OpenSSH probably doesn't count as a
>>'simple PAM-enabled service', though login probably does.
>>
>>> Second possibility .. after changing the pass of testuser (md5) and of
>>> another user and tried just a plain login from the console it works,
>>> login uses pam authentication ...
>>
>>This is with pam_unix in your /etc/pam.d/login, and with a freebsd md5
>>password for the user that you're logging in as?
>>
>>I think the key still lies in seeing what pam_unix is sending to syslog
>>when the logins are failing.
>>
>>Steve Langasek
>>postmodern programmer
>>
>>
>>> > Steve Langasek <vorlon@netexpress.net> pam-list@redhat.com Re: openssh + pam authentication failing +md5 (?!) HELP HELP HELP !
>>> >Reply-To: pam-list@redhat.com
>>> >Date: Mon, 6 May 2002 11:26:05 -0500
>>> >
>>> >On Mon, May 06, 2002 at 08:52:41AM -0700, light storm wrote:
>>> >> Hello Steve, all
>>> >
>>> >> I added the debug option to the password rule and the auth rule in the
>>> >> sshd pam file, but as far as I can see nothing was sent to the logs, I
>>> >> mean messages and warn logs, unless I should check some other log
>>> >> which I cannot see at the moment ??
>>> >
>>> >You would need to check your /etc/syslog.conf to see where -- if
>>> >anywhere -- auth.* messages are currently being sent. On my machine,
>>> >that's /var/log/auth and /var/log/debug.
>>> >
>>> >> But I think I found the problem but if it is real then I still don't
>>> >> know what I can do:
>>> >
>>> >> I changed the password of the user 'testuser' with some other tool
>>> >> which doesn't create md5 passwords.
>>> >
>>> >> Then I tried again ssh and now I can login, but 2 things I conclude
>>> >> now:
>>> >> 1. ssh lets me, I only need the first 8 chars to enter
>>> >> 2. it seems that when it's md5 encrypted then authentication
>>> >> fails.
>>> >
>>> >If using traditional crypt passwords, only the first 8 characters of the
>>> >password are encrypted.
>>> >
>>> >> debug1: PAM Password authentication accepted for user "testuser"
>>> >> Accepted password for testuser from 192.168.200.30 port 33030 ssh2
>>> >> debug1: Entering interactive session for SSH2.
>>> >
>>> >A couple possibilities I can think of:
>>> >
>>> >The pam_unix module you're using doesn't support md5 passwords.
>>> >
>>> >The password you had for testuser was not a valid md5 hash, causing
>>> >authentication to fail.
>>> >
>>> >The testuser account was expired, and PAM was requiring a password
>>> >change, but the password change was failing.
>>> >
>>> >To rule out the third possibility, I suggest setting a new md5 password
>>> >for testuser and trying to ssh in again.
>>> >
>>> >Steve Langasek
>>> >postmodern programmer
>>>
>>> _______________________________________________
>>>
>>> Pam-list@redhat.com
>>> https://listman.redhat.com/mailman/listinfo/pam-list
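
Added example, not part of the original thread: a format-only check of shadow(5) entries that covers the second and third possibilities raised in the discussion (a hash that is not a valid md5-crypt string, and an expired password or account). It assumes the standard nine-field shadow layout and the `$1$salt$hash` md5-crypt form; the sample lines and hash strings are constructed placeholders, and the aging comparisons are an approximation, not pam_unix's own code.

```python
import re
from datetime import date

B64 = r"[./0-9A-Za-z]"                      # crypt(3) alphabet
MD5_CRYPT = re.compile(rf"\$1\${B64}{{0,8}}\${B64}{{22}}")   # $1$salt$hash
DES_CRYPT = re.compile(rf"{B64}{{13}}")     # 2-char salt + 11-char hash

def classify_hash(field):
    """Name the scheme of a shadow password field, judged by format only."""
    if field == "":
        return "empty"
    if field[0] in "!*":
        return "locked"
    if MD5_CRYPT.fullmatch(field):
        return "md5-crypt"
    if field.startswith("$1$"):
        return "malformed-md5"
    return "des-crypt" if DES_CRYPT.fullmatch(field) else "unknown"

def diagnose(line, today):
    """Return (scheme, findings); `today` is days since 1970-01-01."""
    f = line.rstrip("\n").split(":")
    f += [""] * (9 - len(f))                # pad missing trailing fields
    num = lambda s: int(s) if s.lstrip("-").isdigit() else None
    lastchg, maxage, expire = num(f[2]), num(f[4]), num(f[7])
    scheme, findings = classify_hash(f[1]), []
    if scheme in ("malformed-md5", "unknown"):
        findings.append("hash is not a well-formed crypt string")
    if scheme == "des-crypt":
        findings.append("traditional crypt: only the first 8 characters count")
    if lastchg == 0:
        findings.append("password change forced at next login")
    elif lastchg is not None and maxage not in (None, -1) and today - lastchg > maxage:
        findings.append("password aged out, change required")
    if expire not in (None, -1) and today >= expire:
        findings.append("account expired")
    return scheme, findings

TODAY = (date(2002, 5, 6) - date(1970, 1, 1)).days
SAMPLES = [  # constructed shadow(5) lines; the hashes are placeholders, not real
    "testuser:$1$abcdefgh$ABCDEFGHIJKLMNOPQRSTUV:11800:0:99999:7:::",
    "olduser:abCDEFGHIJKLM:11000:0:90:7:::",
    "broken:$1$abcdefgh$ABCDEFGHIJ:11800:0:99999:7:::",
    "gone:$1$abcdefgh$ABCDEFGHIJKLMNOPQRSTUV:11800:0:99999:7::11700:",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s.split(":")[0], *diagnose(s, TODAY))
```

A well-formed hash only shows that the entry could be md5-crypt; whether the installed pam_unix accepts it is still settled by the login test and the auth.* syslog output suggested in the thread.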