OpenSSH 3.7.1p2 With NIS+ Password Authentication Problem

From: Sun Manager (sunmngrs@mzserver.com)
Date: Wed Oct 08 2003 - 12:51:22 EDT


Hi Everyone,

   Below is the problem (and an explanation from someone from the
openssh-dev mailing list). Has anyone else run into this problem? Does
anyone have a better solution?

-Michael

> Hello,
>
> I am having a very aggravating problem, and I will try and provide all
> of the necessary information. I have openssh-3.7.1p2 with openssl-0.9.6k
> installed on Solaris 8. Here is what I've been able to determine so far:
>
> 1. Local account authentication works fine (non-NIS+).
> 1a. NIS+ is running at security level 2
> 2. Telnet authentication works fine.
> 2a. When I use the SSH client, from another UNIX machine, it works fine --
> only windows SSH clients (I've tried SecureCRT and SSH.com's SSH client)
> have problems connecting.
> 3. nscd is not running (I stopped it for now, but I don't think it matters)
> 3a. PAM is enabled in my sshd_config (see below)
> 4. When I log in via telnet (for example), it works; and then I try that
> same ID that wouldn't work originally via SSH, it then works!
> 5. When I log in to master server via SSH it works fine (it only doesn't
> work when I try to log into client servers).
> 6. When I try keyboard interactive authentication (instead of Password),
> it works, but it asks me TWICE for the login info (the first time fails,
> the second time succeeds).
>
> TO SUMMARIZE: I have problems WHEN: I log in via SSH to the non-master NIS+
> server with a non-local account (NIS+ account) with a Windows client via
> 'Password' authentication. I'd love to see someone figure THIS ONE out...
>

Your Windows clients are using password authentication. That doesn't work
with ssh 3.7.1p2 on Solaris because the sshd has to be able to read the
encrypted password out of NIS+. But if you run NIS+ at security level 2 the
user needs to authenticate to NIS+ first via an explicit or implicit keylogin
in order to be able to read his/her own encrypted password. Other users are
not able to read it and that includes the root user on NIS+ clients. One
exception is the root user (or machine principal) of the NIS+ master, that's
why it works there. If you succeed in logging in via telnet then the telnetd
does a keylogin and then stores your key with the keyserver, that's why
subsequent ssh logins work until you reboot the machine (or restart the
keyserver).

You should use PAM authentication via keyboard-interactive with your Windows
clients. I don't know anything about the 2 clients you tried but I know that
Putty works with protocol version 2 and keyboard-interactive (tried it
myself).

> Here's my ./configure for openssh:
>
> ----------------------------------------------------------------------
> configured by ./configure, generated by GNU Autoconf 2.52,
> with options \"--prefix=/usr/openssh --with-pam --without-rsh
> --with-pid-dir=/var/run --with-md5-passwords --with-ssl-dir=/usr/local/ssl
> --with-mantype=man\"
> ----------------------------------------------------------------------
>
> Here is my sshd.conf file:
>
> ----------------------------------------------------------------------
> Port 22
> Protocol 2
> #ListenAddress 0.0.0.0
> #ListenAddress ::
>
> # HostKey for protocol version 1
> HostKey /usr/openssh/etc/ssh_host_key
> # HostKeys for protocol version 2
> HostKey /usr/openssh/etc/ssh_host_rsa_key
> HostKey /usr/openssh/etc/ssh_host_dsa_key
>
> # Lifetime and size of ephemeral version 1 server key
> #KeyRegenerationInterval 1h
> ServerKeyBits 768
>
> # Logging
> #obsoletes QuietMode and FascistLogging
> SyslogFacility AUTH
> LogLevel INFO
>
> # Authentication:
>
> LoginGraceTime 2m
> PermitRootLogin no
> #StrictModes yes
>
> #RSAAuthentication yes
> #PubkeyAuthentication yes
> #AuthorizedKeysFile .ssh/authorized_keys
>
> # For this to work you will also need host keys in /usr/openssh/etc/ssh_known_hosts
> #RhostsRSAAuthentication no
> # similar for protocol version 2
> #HostbasedAuthentication no
> # Change to yes if you don't trust ~/.ssh/known_hosts for
> # RhostsRSAAuthentication and HostbasedAuthentication
> #IgnoreUserKnownHosts no
> # Don't read the user's ~/.rhosts and ~/.shosts files
> IgnoreRhosts yes
>
> # To disable tunneled clear text passwords, change to no here!
> PasswordAuthentication yes
> #PermitEmptyPasswords no
>
> # Change to no to disable s/key passwords
> ChallengeResponseAuthentication yes
>
> # Kerberos options
> #KerberosAuthentication no
> #KerberosOrLocalPasswd yes
> #KerberosTicketCleanup yes
>
> # GSSAPI options
> #GSSAPIAuthentication no
> #GSSAPICleanupCreds yes
>
> # Set this to 'yes' to enable PAM authentication (via challenge-response)
> # and session processing. Depending on your PAM configuration, this may
> # bypass the setting of 'PasswordAuthentication'
> UsePAM yes
>
> #AllowTcpForwarding yes
> #GatewayPorts no
> X11Forwarding yes
> #X11DisplayOffset 10
> #X11UseLocalhost yes
> PrintMotd yes
> #PrintLastLog yes
> KeepAlive yes
> #UseLogin no
> UsePrivilegeSeparation yes
> #PermitUserEnvironment no
> #Compression yes
> #ClientAliveInterval 0
> #ClientAliveCountMax 3
> #UseDNS yes
> PidFile /var/run/sshd.pid
> #MaxStartups 10
> # no default banner path
> #Banner /some/path
> # override default of no subsystems
> Subsystem sftp /usr/openssh/libexec/sftp-server
> ----------------------------------------------------------------------
>
> Here is what it looks like when I use a Windows SSH client (with IP
> addresses changed to protect the innocent):
>
> bash-2.03# /usr/openssh/sbin/sshd -d -d -d
> debug3: Seeding PRNG from /usr/openssh/libexec/ssh-rand-helper
> debug2: read_server_config: filename /usr/openssh/etc/sshd_config
> debug1: sshd version OpenSSH_3.7.1p2
> debug1: private host key: #0 type 0 RSA1
> debug3: Not a RSA1 key file /usr/openssh/etc/ssh_host_rsa_key.
> debug1: read PEM private key done: type RSA
> debug1: private host key: #1 type 1 RSA
> debug3: Not a RSA1 key file /usr/openssh/etc/ssh_host_dsa_key.
> debug1: read PEM private key done: type DSA
> debug1: private host key: #2 type 2 DSA
> debug1: Bind to port 22 on ::.
> Server listening on :: port 22.
> debug1: Bind to port 22 on 0.0.0.0.
> Server listening on 0.0.0.0 port 22.
> debug1: Server will not fork when running in debugging mode.
> Connection from 10.0.0.1 port 1583
> debug1: Client protocol version 2.0; client software version 3.4.5 SecureCRT
> debug1: no match: 3.4.5 SecureCRT
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_3.7.1p2
> debug3: privsep user:group 1002:1002
> debug1: permanently_set_uid: 1002/1002
> debug1: list_hostkey_types: ssh-rsa,ssh-dss
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
> debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: none,zlib
> debug2: kex_parse_kexinit: none,zlib
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ssh-dss,ssh-rsa
> debug2: kex_parse_kexinit: aes128-cbc,aes192-cbc,aes256-cbc,twofish-cbc,blowfish-cbc,3des-cbc,arcfour
> debug2: kex_parse_kexinit: aes128-cbc,aes192-cbc,aes256-cbc,twofish-cbc,blowfish-cbc,3des-cbc,arcfour
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: none
> debug2: kex_parse_kexinit: none
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: mac_init: found hmac-md5
> debug1: kex: client->server aes128-cbc hmac-md5 none
> debug2: mac_init: found hmac-md5
> debug1: kex: server->client aes128-cbc hmac-md5 none
> debug2: Network child is on pid 801
> debug3: preauth child monitor started
> debug3: mm_request_receive entering
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
> debug3: mm_request_send entering: type 0
> debug3: mm_choose_dh: waiting for MONITOR_ANS_MODULI
> debug3: mm_request_receive_expect entering: type 1
> debug3: mm_request_receive entering
> debug3: monitor_read: checking request 0
> debug3: mm_answer_moduli: got parameters: 1024 2046 2046
> debug3: mm_request_send entering: type 1
> debug3: mm_choose_dh: remaining 0
> debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
> debug2: monitor_read: 0 used once, disabling now
> debug3: mm_request_receive entering
> debug2: dh_gen_key: priv key bits set: 133/256
> debug2: bits set: 786/1535
> debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
> debug2: bits set: 780/1535
> debug3: mm_key_sign entering
> debug3: mm_request_send entering: type 4
> debug3: monitor_read: checking request 4
> debug3: mm_answer_sign
> debug3: mm_answer_sign: signature 12b3c0(55)
> debug3: mm_request_send entering: type 5
> debug2: monitor_read: 4 used once, disabling now
> debug3: mm_request_receive entering
> debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN
> debug3: mm_request_receive_expect entering: type 5
> debug3: mm_request_receive entering
> debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
> debug2: kex_derive_keys
> debug2: set_newkeys: mode 1
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug2: set_newkeys: mode 0
> debug1: SSH2_MSG_NEWKEYS received
> debug1: KEX done
> debug1: userauth-request for user student service ssh-connection method none
> debug1: attempt 0 failures 0
> debug3: mm_getpwnamallow entering
> debug3: mm_request_send entering: type 6
> debug3: monitor_read: checking request 6
> debug3: mm_answer_pwnamallow
> debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM
> debug3: mm_request_receive_expect entering: type 7
> debug3: mm_request_receive entering
> debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
> debug3: mm_request_send entering: type 7
> debug2: monitor_read: 6 used once, disabling now
> debug3: mm_request_receive entering
> debug2: input_userauth_request: setting up authctxt for student
> debug3: mm_start_pam entering
> debug3: mm_request_send entering: type 43
> debug3: monitor_read: checking request 43
> debug1: PAM: initializing for "student"
> debug3: mm_inform_authserv entering
> debug3: Trying to reverse map address 10.0.0.1.
> debug3: mm_request_send entering: type 3
> debug2: input_userauth_request: try method none
> debug3: mm_auth_password entering
> debug3: mm_request_send entering: type 10
> debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
> debug3: mm_request_receive_expect entering: type 11
> debug3: mm_request_receive entering
> debug1: PAM: setting PAM_RHOST to "10.0.0.1-my.host.com"
> debug1: PAM: setting PAM_TTY to "ssh"
> debug2: monitor_read: 43 used once, disabling now
> debug3: mm_request_receive entering
> debug3: monitor_read: checking request 3
> debug3: mm_answer_authserv: service=ssh-connection, style=
> debug2: monitor_read: 3 used once, disabling now
> debug3: mm_request_receive entering
> debug3: monitor_read: checking request 10
> debug3: mm_answer_authpassword: sending result 0
> debug3: mm_request_send entering: type 11
> Failed none for student from 10.0.0.1 port 1583 ssh2
> debug3: mm_request_receive entering
> debug3: mm_auth_password: user not authenticated
> Failed none for student from 10.0.0.1 port 1583 ssh2
> debug1: userauth-request for user student service ssh-connection method password
> debug1: attempt 1 failures 1
> debug2: input_userauth_request: try method password
> debug3: mm_auth_password entering
> debug3: mm_request_send entering: type 10
> debug3: monitor_read: checking request 10
> debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
> debug3: mm_answer_authpassword: sending result 0
> debug3: mm_request_send entering: type 11
> Failed password for student from 10.0.0.1 port 1583 ssh2
> debug3: mm_request_receive entering
> debug3: mm_request_receive_expect entering: type 11
> debug3: mm_request_receive entering
> debug3: mm_auth_password: user not authenticated
> Failed password for student from 10.0.0.1 port 1583 ssh2
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
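As an added example (not part of the original post and not OpenSSH code), the following Python script parses sshd "Accepted ..." / "Failed ..." lines like the ones in the debug output above and summarises each client session, separating failures of the "none" method (which every client sends first to learn which methods the server offers, so those are not credential failures) from failures of a real method such as password or keyboard-interactive/pam. The sample log is constructed: it repeats the post's Failed lines as they appear in the -d output (each printed twice there) and adds a hypothetical later session, port 1590, in which the same client retries with keyboard-interactive as the reply recommends and gets in on the second prompt, matching item 6 of the original report.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log (not captured from a real system). The first four
# lines are the Failed lines from the post's sshd -d -d -d session; the last
# two lines are a hypothetical retry with keyboard-interactive on a new port.
SAMPLE_LOG = """\
Failed none for student from 10.0.0.1 port 1583 ssh2
Failed none for student from 10.0.0.1 port 1583 ssh2
Failed password for student from 10.0.0.1 port 1583 ssh2
Failed password for student from 10.0.0.1 port 1583 ssh2
debug1: PAM: initializing for "student"
Failed keyboard-interactive/pam for student from 10.0.0.1 port 1590 ssh2
Accepted keyboard-interactive/pam for student from 10.0.0.1 port 1590 ssh2
"""

# sshd's authentication result line: "<Accepted|Failed> <method> for
# [invalid user ]<user> from <host> port <port> <ssh1|ssh2>".
AUTH_RE = re.compile(
    r"^(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<host>\S+) port (?P<port>\d+) (?P<proto>ssh\d?)$"
)

# Methods the client uses only to discover what the server offers; a
# "Failed none" is expected at the start of every SSH-2 session.
PROBE_METHODS = {"none"}


def parse_auth_line(line):
    """Return a dict of fields for an Accepted/Failed line, or None for any other line."""
    m = AUTH_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(lines):
    """Group auth events by (user, host, port) and count probe vs credential failures."""
    sessions = defaultdict(
        lambda: {"probe_failures": 0, "failures": Counter(), "accepted": None}
    )
    for line in lines:
        rec = parse_auth_line(line)
        if rec is None:
            continue  # debug chatter, PAM messages, etc.
        key = (rec["user"], rec["host"], rec["port"])
        session = sessions[key]
        if rec["result"] == "Accepted":
            session["accepted"] = rec["method"]
        elif rec["method"] in PROBE_METHODS:
            session["probe_failures"] += 1
        else:
            session["failures"][rec["method"]] += 1
    return dict(sessions)


def classify(session):
    """Label one session: success, credential-failure, or probe-only (no credentials sent)."""
    if session["accepted"] is not None:
        return "success"
    if session["failures"]:
        return "credential-failure"
    return "probe-only"


def report(lines):
    """Return one human-readable summary line per session."""
    out = []
    for (user, host, port), session in sorted(summarize(lines).items()):
        failed = ", ".join(
            "%s x%d" % (m, n) for m, n in sorted(session["failures"].items())
        ) or "none"
        out.append(
            "%s@%s:%s %s (accepted via %s; failed methods: %s; probe failures: %d)"
            % (user, host, port, classify(session), session["accepted"] or "-",
               failed, session["probe_failures"])
        )
    return out


if __name__ == "__main__":
    for line in report(SAMPLE_LOG.splitlines()):
        print(line)
```

Run against a real syslog AUTH facility file (the sshd_config above logs to SyslogFacility AUTH at LogLevel INFO, where only the Accepted/Failed lines appear, not the debug lines), the report makes the post's symptom visible at a glance: password sessions from the Windows client end as credential-failure with no Accepted line, while keyboard-interactive sessions end as success after one failed prompt.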



This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 23:27:15 EDT