ixion (l33t)
Joined: 16 Dec 2002 Posts: 708
Posted: Tue Feb 01, 2005 1:08 pm    Post subject: ssh ppk auth and pam
I encountered something that kind of scared me a week or so ago. When I would try to log in to my server with priv/pubkey authentication and mistyped the passphrase for my private key, it prompted for a password. IIRC, I was able to log in with my password from that prompt, even with 'PasswordAuthentication no' in sshd_config! After a little bit of reading it looked like PAM was overriding the sshd_config settings, so I put 'UsePAM no', but then I couldn't even log in with my priv/pubkey setup. So what I've done is set 'ChallengeResponseAuthentication no' and 'UsePAM yes'. This has resolved the prompting for a password after incorrectly entering the passphrase 3 times, but is this the correct solution? Is there a security risk in doing it this way?
_________________
only the paranoid survive
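The fallback the post describes (pubkey fails, PAM keyboard-interactive then asks for the Unix password even though PasswordAuthentication is off) can be checked mechanically. The script below is an added example, not code from the thread or from OpenSSH: it reads an sshd_config the way sshd does (first uncommented keyword wins, case-insensitive) and reports whether a password prompt is still reachable. It assumes the defaults stated in the sshd_config(5) text quoted later in the thread (UsePAM no, ChallengeResponseAuthentication yes, PasswordAuthentication yes); the two sample configs are constructed, not the posters' files.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the
# password-fallback path described in the opening post. sshd honours the
# FIRST uncommented occurrence of a keyword; keywords and yes/no values are
# case-insensitive. Defaults follow the sshd_config(5) text quoted in the
# thread: UsePAM no, ChallengeResponseAuthentication yes, PasswordAuthentication yes.

# effective_opt FILE KEYWORD DEFAULT: the value sshd would use for KEYWORD
effective_opt() {
    val=$(awk -v k="$2" 'tolower($1) == tolower(k) { print tolower($2); exit }' "$1")
    if [ -n "$val" ]; then echo "$val"; else echo "$3"; fi
}

# password_reachable FILE: exit 0 when a Unix-password prompt can still be
# reached, either directly (PasswordAuthentication yes) or through PAM's
# keyboard-interactive path (UsePAM yes AND ChallengeResponseAuthentication
# yes); exit 1 when only public keys can succeed.
password_reachable() {
    pw=$(effective_opt "$1" PasswordAuthentication yes)
    cr=$(effective_opt "$1" ChallengeResponseAuthentication yes)
    pam=$(effective_opt "$1" UsePAM no)
    [ "$pw" = yes ] && return 0
    [ "$cr" = yes ] && [ "$pam" = yes ] && return 0
    return 1
}

# audit_sshd_config FILE: print a verdict, same exit status as password_reachable
audit_sshd_config() {
    if password_reachable "$1"; then
        echo "$1: a password prompt is still reachable (PAM keyboard-interactive or PasswordAuthentication)"
        return 0
    fi
    echo "$1: key-only"
    return 1
}

# Constructed sample configs (not the posters' files) in a scratch directory.
SAMPLES=$(mktemp -d)
# What the first post describes: passwords "off", but ChallengeResponse left at
# its default of yes and PAM on, so PAM could still ask for the Unix password.
printf 'PubkeyAuthentication yes\nPasswordAuthentication no\nUsePAM yes\n' \
    > "$SAMPLES/before"
# The poster's fix: keep PAM for account/session handling, close the PAM auth path.
printf 'PubkeyAuthentication yes\nPasswordAuthentication no\n#ChallengeResponseAuthentication yes\nChallengeResponseAuthentication no\nUsePAM yes\n' \
    > "$SAMPLES/after"

audit_sshd_config "$SAMPLES/before" || :
audit_sshd_config "$SAMPLES/after" || :
```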
ixion (l33t)
Posted: Thu Feb 03, 2005 1:00 pm
Opinions, anyone?
ixion (l33t)
Posted: Wed Feb 16, 2005 3:49 pm
No comments?
j-m (Retired Dev)
Joined: 31 Oct 2004 Posts: 975
Posted: Wed Feb 16, 2005 3:54 pm
Read The Fine Manual and don't bump every two hours...
ixion (l33t)
Posted: Wed Feb 16, 2005 4:01 pm
j-m wrote:
Read The Fine Manual and don't bump every two hours...

Posted: Tue Feb 01, 2005 8:08 am
Posted: Thu Feb 03, 2005 8:00 am
Posted: Wed Feb 16, 2005 10:54 am

Hardly every two hours.

Code:
UsePAM  Enables the Pluggable Authentication Module interface. If set to
        ``yes'' this will enable PAM authentication using
        ChallengeResponseAuthentication and PAM account and session
        module processing for all authentication types.
        Because PAM challenge-response authentication usually serves an
        equivalent role to password authentication, you should disable
        either PasswordAuthentication or ChallengeResponseAuthentication.
        If UsePAM is enabled, you will not be able to run sshd(8) as a
        non-root user. The default is ``no''.

Code:
ChallengeResponseAuthentication
        Specifies whether challenge response authentication is allowed.
        All authentication styles from login.conf(5) are supported. The
        default is ``yes''.

The above from the man page hardly answers my question, as well. I'm asking for opinions, mostly. And I'm wondering why other people can successfully log in with UsePAM=no, and I cannot.
j-m (Retired Dev)
Posted: Wed Feb 16, 2005 4:22 pm
This is my working config. Do a diff and check.
Code:
Port 222
Protocol 2
#ListenAddress 0.0.0.0
#ListenAddress ::
#HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
#HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#KeyRegenerationInterval 1h
#ServerKeyBits 768
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 1m
PermitRootLogin no
#StrictModes yes
#RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys2
RhostsRSAAuthentication no
HostbasedAuthentication no
#IgnoreUserKnownHosts no
IgnoreRhosts yes
PasswordAuthentication no
PermitEmptyPasswords no
AllowGroups sshusers
#AllowUsers
#ChallengeResponseAuthentication yes
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
UsePAM no
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression yes
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
Subsystem sftp /usr/lib/misc/sftp-server
ixion (l33t)
Posted: Wed Feb 16, 2005 4:40 pm
Code:
diff sshd_config sshd_config.forums|grep -v '#'
1c1
< Port 22
---
> Port 222
3d2
< ListenAddress 192.168.0.5
9,12c8
< PermitRootLogin yes
---
> PermitRootLogin no
14c10
< AuthorizedKeysFile .ssh/authorized_keys
---
> AuthorizedKeysFile .ssh/authorized_keys2
17d12
21c16
---
> AllowGroups sshusers
23,57c18
<
---
> Subsystem sftp /usr/lib/misc/sftp-server

I have restarted sshd, but still get the same error:
Code:
Permission denied (publickey,keyboard-interactive).
or
Permission denied (publickey).

I also see a lot of this in the syslog during the logins:
Code:
Feb 16 11:36:21 web1 PAM-env[10960]: Unknown PAM_ITEM: <DISPLAY>
Feb 16 11:36:21 web1 sshd[10960]: PAM pam_putenv: delete non-existent entry; DISPLAY
Feb 16 11:36:21 web1 PAM-env[10960]: Unknown PAM_ITEM: <XAUTHORITY>
Feb 16 11:36:21 web1 sshd[10960]: PAM pam_putenv: delete non-existent entry; XAUTHORITY
Feb 16 11:36:21 web1 sshd(pam_unix)[10960]: session closed for user

Thank you for your reply! :)
j-m (Retired Dev)
Posted: Wed Feb 16, 2005 5:04 pm
OK, check whether you have compiled openssh with the needed flags; maybe the best solution would be to remerge with USE="-pam".
As for those errors posted at the end, search bugzilla to find lots of unsolved reports and a workaround, but they are irrelevant to this problem and only cause harm with X11 forwarding over SSH.
One more idea:
Code:
cp authorized_keys authorized_keys2

:idea:
ixion (l33t)
Posted: Wed Feb 16, 2005 5:09 pm
Understood.
In troubleshooting this problem I have done an emerge of openssh with USE="-pam", but that resulted in the same error as UsePAM=no, except the config option didn't solve the error. Had to re-emerge again with USE="pam".
edit: I copied the authorized_keys file of the user to authorized_keys2 and chowned it to that user's ownership (user only, root group ownership), but I have the same error. :'(
edit2: I do have 'chmod -R 0700 ~/.ssh' for that user, per something I read on the BSD forums. Could that be the problem?
j-m (Retired Dev)
Posted: Wed Feb 16, 2005 5:27 pm
ixion wrote:
edit: I copied the authorized_keys file of the user to authorized_keys2 and chowned it to that user's ownership (user only, root group ownership), but I have the same error. :'(

Did you change the path in sshd_config as well?

ixion wrote:
edit2: I do have 'chmod -R 0700 ~/.ssh' for that user, per something I read on the BSD forums. Could that be the problem?

I have 0700 for the directory and 0600 for authorized_keys2.
Out of ideas, otherwise.
ixion (l33t)
Posted: Wed Feb 16, 2005 5:31 pm
I changed the sshd_config to recognize authorized_keys2, but still no go. *sigh*, I guess this is just one of those issues I should ignore? ;) :o
j-m (Retired Dev)
Posted: Wed Feb 16, 2005 5:37 pm
ixion wrote:
I changed the sshd_config to recognize authorized_keys2, but still no go. *sigh*, I guess this is just one of those issues I should ignore? ;) :o

Please post your complete config - there must be some error somewhere... :cry:
ixion (l33t)
Posted: Wed Feb 16, 2005 5:50 pm
j-m wrote:
ixion wrote:
I changed the sshd_config to recognize authorized_keys2, but still no go. *sigh*, I guess this is just one of those issues I should ignore? ;) :o
Please post your complete config - there must be some error somewhere... :cry:

I'm sorry for the frustration..
Code:
Port 22
Protocol 2
ListenAddress 10.0.0.5
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 1m
PermitRootLogin yes
StrictModes yes
MaxAuthTries 6
RSAAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
RhostsRSAAuthentication no
HostbasedAuthentication no
IgnoreUserKnownHosts yes
IgnoreRhosts yes
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
UsePAM yes
AllowTcpForwarding yes
GatewayPorts no
X11Forwarding no
PrintMotd yes
PrintLastLog yes
TCPKeepAlive yes
UseLogin no
UsePrivilegeSeparation yes
PermitUserEnvironment no
Compression yes
ClientAliveInterval 3
ClientAliveCountMax 3
UseDNS yes
PidFile /var/run/sshd.pid
MaxStartups 10
Banner /etc/ssh/banner1
Subsystem sftp /usr/lib/misc/sftp-server

The above is what I normally use, but I've used the config below as well, to no avail:
Code:
Port 22
Protocol 2
ListenAddress 10.0.0.5
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 1m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#RSAAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
RhostsRSAAuthentication no
HostbasedAuthentication no
#IgnoreUserKnownHosts yes
IgnoreRhosts yes
PasswordAuthentication no
PermitEmptyPasswords no
#ChallengeResponseAuthentication no
UsePAM no

My USE:
Code:
USE="tcpd ssl pam hardened security mysql imap maildir flexresp perl apache exiscan-acl gd gd-external -X -apache2 -gtk -gtk2 -qt -fluxbox -cups -mbox -kde -gnome -sound -arts -alsa -nvidia -gpm -mouse -ipv6"

CFLAGS (likely nothing to do with this, but oh well):
Code:
CFLAGS="-O3 -march=pentium3 -pipe -fomit-frame-pointer"
j-m (Retired Dev)
Posted: Wed Feb 16, 2005 6:52 pm
Did you try this?
Code:
UsePAM no
ChallengeResponseAuthentication no
PasswordAuthentication no
ixion (l33t)
Posted: Wed Feb 16, 2005 7:00 pm
Thank you again for all your help, I very much appreciate it.
Setting the following resulted in the same error:
Code:
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
UsePAM no

Do you think it's something to do with the way I've compiled openssh? This problem, I think, existed both before a reinstall and after. Weird.. :(
j-m (Retired Dev)
Posted: Wed Feb 16, 2005 7:08 pm
ixion wrote:
Do you think it's something to do with the way I've compiled openssh? This problem, I think, existed both before a reinstall and after. Weird.. :(

I don't know. There must be something wrong, because PAM is always called regardless of settings.
Could you try to
Code:
mv /etc/pam.d/sshd /etc/pam.d/sshd.orig
/etc/init.d/sshd restart

and look at the logs?
:?
ixion (l33t)
Posted: Wed Feb 16, 2005 7:21 pm
Done. Here is what I get:
Code:
sshd_config:
UsePAM=yes
Enter passphrase for key '/home/user1/.ssh/id_dsa':
Permission denied (publickey).
log:
(nothing shows up)
sshd_config:
UsePAM=no
Permission denied (publickey)
log:
Feb 16 14:18:00 myhost1 sshd[19348]: User user1 not allowed because account is locked

That /etc/pam.d/sshd file is interesting. Can I take out the password entry to disable passwords? Or is there anything I can do to it to help this situation?
Cheers! :)
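The "not allowed because account is locked" line in the log above comes from sshd itself: when UsePAM is no, sshd inspects the user's shadow entry before any authentication method runs, public key included, and refuses a user whose password field carries the Linux locked marker (a leading "!", which passwd -l prepends); when UsePAM is yes, sshd skips that check and leaves account policy to the PAM account modules. The snippet below is an added example, not code from the thread or from OpenSSH, and the shadow lines it parses are constructed with placeholder hash fields.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the locked-account test that
# sshd applies on its own when UsePAM is no. A shadow(5) password field that
# starts with "!" (what passwd -l writes on Linux) marks the account locked,
# and sshd then denies the login before public-key authentication is tried.

# shadow_locked LINE: exit 0 if this shadow(5)-format line is a locked account
shadow_locked() {
    field=${1#*:}          # drop the user name
    field=${field%%:*}     # keep only the password field
    case "$field" in
        '!'*) return 0 ;;
        *)    return 1 ;;
    esac
}

# shadow_status LINE: "locked" or "usable", for reporting
shadow_status() {
    if shadow_locked "$1"; then echo locked; else echo usable; fi
}

# Constructed shadow lines; the hash fields are placeholders, not real hashes.
LOCKED_LINE='user1:!$1$PLACEHOLDERSALT$PLACEHOLDERHASH:12800:0:99999:7:::'
USABLE_LINE='user2:$1$PLACEHOLDERSALT$PLACEHOLDERHASH:12800:0:99999:7:::'

echo "user1: $(shadow_status "$LOCKED_LINE")"   # prints "user1: locked"
echo "user2: $(shadow_status "$USABLE_LINE")"   # prints "user2: usable"
```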
j-m (Retired Dev)
Posted: Wed Feb 16, 2005 7:25 pm
ixion wrote:
Code:
log:
Feb 16 14:18:00 myhost1 sshd[19348]: User user1 not allowed because account is locked

That /etc/pam.d/sshd file is interesting. Can I take out the password entry to disable passwords? Or is there anything I can do to it to help this situation?
Cheers! :)

Argh! Account is locked? Where? Duh! What is calling the damned PAM?
OK, seriously, try to mess with the pam configuration, but I really don't know. Maybe you should file a bug for this. :?
ixion (l33t)
Posted: Wed Feb 16, 2005 7:26 pm
I was thinking it was a bug.. going to try to file one now. So far I'm not very good at filing them, but let's see what happens.. Thanks so much for your help, bro.
Filed: https://bugs.gentoo.org/show_bug.cgi?id=82274 :)