Re: Odd behavior on authentication


 



More digging... getting really dark down this hole...  Found the source of the string:

https://github.com/openssh/openssh-portable/blob/master/auth-pam.c#L956-L978

And it's reachable here:

https://github.com/openssh/openssh-portable/blob/master/auth-pam.c#L1005-L1015

and:

https://github.com/openssh/openssh-portable/blob/master/auth-pam.c#L1005-L1015

Not sure which context it is.

By happenstance, I was testing both LDAP and Radius authentication, and forgot to clear out my /etc/nsswitch.conf which still had "ldap" on the "passwd" and "shadow" lines...  and it worked.

If I remove those, it doesn't.

I've not banged on Ssh for a number of years, and PAM never, so it might take me a while to find the time to grok this code.  Anyone else see anything that stands out?

Alan DeKok (of Freeradius fame) said he looked at writing an nss_radius module, but then decided not to because of the complexity.

Wondering if the nss_ldap code could be borrowed or enhanced to support both...  Alas, it looks like the repo hasn't gotten much love in the last 7 years.



> On Nov 9, 2023, at 11:37 AM, Philip Prindeville <philipp_subx@xxxxxxxxxxxxxxxxxxxxx> wrote:
> 
> Did some digging, and tried running the Radius server in debug/trace mode.  I saw this:
> 
> (0) Received Access-Request Id 227 from 172.21.12.17:54545 to 172.27.44.237:1812 length 96
> (0)   User-Name = "pprindeville2"
> (0)   User-Password = "\010\n\r\177INCORRE"
> (0)   NAS-IP-Address = 127.0.1.1
> (0)   NAS-Identifier = "sshd"
> (0)   NAS-Port = 334707
> (0)   NAS-Port-Type = Virtual
> (0)   Service-Type = Authenticate-Only
> (0)   Calling-Station-Id = "172.21.12.3"
> 
> Which isn't remotely what I typed.  Any ideas where this would get corrupted in the pipeline (well, I guess it's both a stack and a pipeline, depending on how you look at it)?
> 
> Now the behavior has changed.  The password is corrupted whether the home directory exists or not.
> 
> 
>> On Oct 24, 2023, at 12:39 AM, Philip Prindeville <philipp_subx@xxxxxxxxxxxxxxxxxxxxx> wrote:
>> 
>> I had a test client (Ubuntu 22.04) set up, and I was running tcpdump on the server (also Ubuntu, running Freeradius 3.0).
>> 
>> I had created a username & password on the Radius server, and if I tried to log into the client with those credentials, it failed.
>> 
>> But as soon as I created a "cut out" on the client (same username, but '*' password in the shadow file), I could log in because the server was no longer rejecting the authorization request.
>> 
>> I don't get it.  How would the server know if there was a local user or not?  Nothing in the messages seems to be different, other than the things you'd expect (the message id, and the random seed that the password gets hashed with).  All other parts of the message were identical.
>> 
>> How was the client conveying to the server that there wasn't a local account present?
>> 
>> Thanks
>> 

-- 
You received this message because you are subscribed to the Google Groups "pam-list@xxxxxxxxxx" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pam-list+unsubscribe@xxxxxxxxxx.
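The string in the FreeRADIUS trace above is not corruption on the wire: the bytes `\010\n\r\177INCORRE` are the start of OpenSSH's fixed placeholder password (`static char badpw[] = "\b\n\r\177INCORRECT"` in auth-pam.c, the lines linked at the top of this message). sshd hands that constant to PAM instead of the typed password whenever the login name cannot be resolved through the local passwd database, so that an unknown account and a wrong password take the same code path and cannot be told apart by timing. That is exactly why adding "ldap" to the passwd/shadow lines in /etc/nsswitch.conf, or a '*' shadow cut-out, makes RADIUS authentication start working: the account now resolves, so the real password reaches pam_radius_auth. The script below is an added example written for this thread, not code from OpenSSH, FreeRADIUS or the thread's author. It parses `radiusd -X` attribute lines, decodes FreeRADIUS's C-style escaping, and flags Access-Requests whose User-Password is the sshd placeholder, which tells an administrator "this NAS has no local account for that user" rather than "the RADIUS password is wrong". Packet (0) is copied from the trace in the thread; packet (1) is a constructed comparison packet; all function names are mine.

```python
import re

try:
    import pwd  # POSIX-only; used to mirror sshd's local account lookup
except ImportError:  # pragma: no cover
    pwd = None

# OpenSSH's placeholder password (auth-pam.c, badpw). sshd substitutes it for
# the typed password when getpwnam() fails for the login name, so PAM modules
# downstream, pam_radius_auth included, never see the real credential.
SSHD_BAD_PASSWORD = "\b\n\r\x7fINCORRECT"

# Attribute lines as printed by radiusd -X, e.g.
#   (0)   User-Password = "\010\n\r\177INCORRE"
ATTR_RE = re.compile(r'^\((?P<pkt>\d+)\)\s+(?P<name>[\w-]+)\s*=\s*(?P<val>.*)$')
# FreeRADIUS escapes: octal \NNN and the usual \n \r \t \\ \"
ESC_RE = re.compile(r'\\([0-7]{1,3}|[nrt\\"])')

# Sample trace. Packet (0) is the Access-Request quoted in the thread;
# packet (1) is CONSTRUCTED for comparison and carries an ordinary password.
SAMPLE_TRACE = "\n".join([
    r'(0) Received Access-Request Id 227 from 172.21.12.17:54545 to 172.27.44.237:1812 length 96',
    r'(0)   User-Name = "pprindeville2"',
    r'(0)   User-Password = "\010\n\r\177INCORRE"',
    r'(0)   NAS-IP-Address = 127.0.1.1',
    r'(0)   NAS-Identifier = "sshd"',
    r'(1) Received Access-Request Id 228 from 172.21.12.17:54546 to 172.27.44.237:1812 length 96',
    r'(1)   User-Name = "pprindeville2"',
    r'(1)   User-Password = "s3cret-example"',
    r'(1)   NAS-Identifier = "sshd"',
])


def unescape_radius_string(text):
    """Decode a quoted, C-style-escaped string value as printed by radiusd -X."""
    if len(text) >= 2 and text[0] == '"' and text[-1] == '"':
        text = text[1:-1]
    simple = {'n': '\n', 'r': '\r', 't': '\t', '\\': '\\', '"': '"'}

    def repl(m):
        esc = m.group(1)
        return simple[esc] if esc in simple else chr(int(esc, 8))

    return ESC_RE.sub(repl, text)


def parse_requests(debug_output):
    """Group attribute lines by packet number: {pkt: {attribute: decoded value}}."""
    packets = {}
    for line in debug_output.splitlines():
        m = ATTR_RE.match(line)
        if not m:
            continue  # header lines such as "(0) Received Access-Request ..." have no '='
        val = m.group('val').strip()
        if val.startswith('"'):
            val = unescape_radius_string(val)
        packets.setdefault(int(m.group('pkt')), {})[m.group('name')] = val
    return packets


def is_sshd_placeholder(password):
    """True if the password is sshd's badpw, or a truncated prefix of it.

    The thread's trace shows only the first 11 bytes ("...INCORRE"), so a
    prefix match is used; at least the 4 control bytes must be present."""
    return len(password) >= 4 and SSHD_BAD_PASSWORD.startswith(password)


def diagnose(debug_output):
    """Classify each Access-Request carrying a User-Password.

    Returns [(pkt, user, verdict)], where verdict is 'no-local-account' when the
    NAS sent sshd's placeholder (the user is unknown to the NAS's passwd
    database) and 'real-password' otherwise."""
    findings = []
    for pkt, attrs in sorted(parse_requests(debug_output).items()):
        pw = attrs.get('User-Password')
        if pw is None:
            continue
        verdict = 'no-local-account' if is_sshd_placeholder(pw) else 'real-password'
        findings.append((pkt, attrs.get('User-Name', '?'), verdict))
    return findings


def local_account_known(user):
    """Mirror sshd's check: does the login name resolve via NSS (getpwnam)?

    This is what the "ldap" entry on the passwd line of /etc/nsswitch.conf
    changes. Returns None where the pwd module is unavailable."""
    if pwd is None:
        return None
    try:
        pwd.getpwnam(user)
        return True
    except KeyError:
        return False


if __name__ == "__main__":
    for pkt, user, verdict in diagnose(SAMPLE_TRACE):
        print(f"packet {pkt}: user={user!r} -> {verdict}")
```

Run against a saved `radiusd -X` log, a `no-local-account` verdict for a user who is supposed to authenticate via RADIUS points at the NAS's NSS configuration, not at the RADIUS server or the shared secret. On the sshd side, `getent passwd <user>` on the NAS is the quickest equivalent of `local_account_known()`.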




