Different behaviour between accounts for ssh connections

From: David Landgren (landgren@gmail.com)
Date: Thu Mar 24 2005 - 05:30:33 EST


List,

I want to connect to a Solaris 5.9 box via SSH using RSA public keys.

solaris version:
SunOS jersey 5.9 Generic_112233-08 sun4u sparc SUNW,Ultra-4

ssh version:
SSH Version Sun_SSH_1.0, protocol versions 1.5/2.0.

The account names are stored in an openldap directory. The first
account can log in correctly, and the auth log trace is

Mar 24 10:41:22 jersey sshd[10399]: [ID 800047 auth.debug] debug1:
userauth-request for user dlandgre service ssh-connection method none
Mar 24 10:41:22 jersey sshd[10399]: [ID 800047 auth.debug] debug1:
attempt 0 failures 0
Mar 24 10:41:22 jersey sshd[10399]: [ID 800047 auth.debug] debug1:
Starting up PAM with username "dlandgre"
Mar 24 10:41:22 jersey sshd[10399]: [ID 800047 auth.debug] debug1: PAM
Password authentication for "dlandgre" failed[9]: Authentication
failed
Mar 24 10:41:22 jersey sshd[10399]: [ID 800047 auth.info] Failed none
for dlandgre from 172.17.1.1 port 1159 ssh2
Mar 24 10:41:22 jersey sshd[10399]: [ID 800047 auth.debug] debug1:
options.max_auth_tries = 6
Mar 24 10:41:22 jersey sshd[10399]: [ID 800047 auth.debug] debug1:
userauth-request for user dlandgre service ssh-connection method
publickey
Mar 24 10:41:22 jersey sshd[10399]: [ID 800047 auth.debug] debug1:
attempt 1 failures 1
Mar 24 10:41:22 jersey sshd[10399]: [ID 800047 auth.debug] debug1:
test whether pkalg/pkblob are acceptable
Mar 24 10:41:22 jersey sshd[10399]: [ID 800047 auth.debug] debug1:
key_type_from_name: unknown key type '...'
Mar 24 10:41:22 jersey sshd[10399]: [ID 800047 auth.debug] debug1:
matching key found: file /d1/home/d/dlandgre/.ssh/authorized_keys,
line 3
Mar 24 10:41:22 jersey sshd[10399]: [ID 800047 auth.debug] debug1: PAM
setting rhost to "david.bpinet.com"
Mar 24 10:41:22 jersey sshd[10399]: [ID 800047 auth.debug] debug1: PAM
setting user to "dlandgre"
Mar 24 10:41:22 jersey sshd[10399]: [ID 800047 auth.info] Postponed
publickey for dlandgre from 172.17.1.1 port 1159 ssh2
Mar 24 10:41:23 jersey sshd[10399]: [ID 800047 auth.debug] debug1:
options.max_auth_tries = 6
Mar 24 10:41:23 jersey sshd[10399]: [ID 800047 auth.debug] debug1:
userauth-request for user dlandgre service ssh-connection method
publickey
Mar 24 10:41:23 jersey sshd[10399]: [ID 800047 auth.debug] debug1:
attempt 2 failures 1
Mar 24 10:41:23 jersey sshd[10399]: [ID 800047 auth.debug] debug1:
key_type_from_name: unknown key type '...'
Mar 24 10:41:23 jersey sshd[10399]: [ID 800047 auth.debug] debug1:
matching key found: file /d1/home/d/dlandgre/.ssh/authorized_keys,
line 3
Mar 24 10:41:23 jersey sshd[10399]: [ID 800047 auth.debug] debug1:
ssh_rsa_verify: signature correct
Mar 24 10:41:23 jersey sshd[10399]: [ID 800047 auth.debug] debug1: PAM
setting rhost to "david.bpinet.com"
Mar 24 10:41:23 jersey sshd[10399]: [ID 800047 auth.debug] debug1: PAM
setting user to "dlandgre"
Mar 24 10:41:23 jersey sshd[10399]: [ID 509786 auth.debug] roles
pam_sm_authenticate, service = sshd user = dlandgre ruser = not set
rhost = david.bpinet.com
Mar 24 10:41:23 jersey sshd[10399]: [ID 800047 auth.info] Accepted
publickey for dlandgre from 172.17.1.1 port 1159 ssh2

The second account does not work correctly; the auth log trace is not the same:

Mar 24 10:30:30 jersey sshd[10305]: [ID 800047 auth.debug] debug1:
userauth-request for user nforgeau service ssh-connection method none
Mar 24 10:30:30 jersey sshd[10305]: [ID 800047 auth.debug] debug1:
attempt 0 failures 0
Mar 24 10:30:30 jersey sshd[10305]: [ID 800047 auth.debug] debug1:
Starting up PAM with username "nforgeau"
Mar 24 10:30:30 jersey sshd[10305]: [ID 219349 auth.debug]
pam_unix_auth: user nforgeau not found
Mar 24 10:30:30 jersey sshd[10305]: [ID 800047 auth.debug] debug1: PAM
Password authentication for "nforgeau" failed[13]: No account present
for user
Mar 24 10:30:30 jersey sshd[10305]: [ID 800047 auth.info] Failed none
for nforgeau from 172.17.1.1 port 1143 ssh2
Mar 24 10:30:30 jersey sshd[10305]: [ID 800047 auth.debug] debug1:
options.max_auth_tries = 6
Mar 24 10:30:30 jersey sshd[10305]: [ID 800047 auth.debug] debug1:
userauth-request for user nforgeau service ssh-connection method
publickey
Mar 24 10:30:30 jersey sshd[10305]: [ID 800047 auth.debug] debug1:
attempt 1 failures 1
Mar 24 10:30:30 jersey sshd[10305]: [ID 800047 auth.debug] debug1:
test whether pkalg/pkblob are acceptable
Mar 24 10:30:30 jersey sshd[10305]: [ID 800047 auth.info] Failed
publickey for nforgeau from 172.17.1.1 port 1143 ssh2
Mar 24 10:30:30 jersey sshd[10305]: [ID 800047 auth.debug] debug1:
options.max_auth_tries = 6
Mar 24 10:30:30 jersey sshd[10305]: [ID 800047 auth.debug] debug1:
userauth-request for user nforgeau service ssh-connection method
publickey
Mar 24 10:30:30 jersey sshd[10305]: [ID 800047 auth.debug] debug1:
attempt 2 failures 2
Mar 24 10:30:30 jersey sshd[10305]: [ID 800047 auth.debug] debug1:
test whether pkalg/pkblob are acceptable
Mar 24 10:30:30 jersey sshd[10305]: [ID 800047 auth.debug] debug1:
matching key found: file /d1/home/n/nforgeau/.ssh/authorized_keys,
line 1
Mar 24 10:30:30 jersey sshd[10305]: [ID 800047 auth.debug] debug1: PAM
setting rhost to "david.bpinet.com"
Mar 24 10:30:30 jersey sshd[10305]: [ID 800047 auth.debug] debug1: PAM
setting user to "nforgeau"
Mar 24 10:30:30 jersey sshd[10305]: [ID 800047 auth.info] PAM rejected
by account configuration[13]:No account present for user
Mar 24 10:30:30 jersey sshd[10305]: [ID 800047 auth.info] Failed
publickey for nforgeau from 172.17.1.1 port 1143 ssh2
Mar 24 10:30:36 jersey sshd[10305]: [ID 800047 auth.debug] debug1:
options.max_auth_tries = 6
Mar 24 10:30:36 jersey sshd[10305]: [ID 800047 auth.debug] debug1:
userauth-request for user nforgeau service ssh-connection method
publickey
Mar 24 10:30:36 jersey sshd[10305]: [ID 800047 auth.debug] debug1:
attempt 3 failures 3
Mar 24 10:30:36 jersey sshd[10305]: [ID 800047 auth.debug] debug1:
matching key found: file /d1/home/n/nforgeau/.ssh/authorized_keys,
line 1
Mar 24 10:30:36 jersey sshd[10305]: [ID 800047 auth.debug] debug1:
ssh_rsa_verify: signature correct
Mar 24 10:30:36 jersey sshd[10305]: [ID 800047 auth.debug] debug1: PAM
setting rhost to "david.bpinet.com"
Mar 24 10:30:36 jersey sshd[10305]: [ID 800047 auth.debug] debug1: PAM
setting user to "nforgeau"
Mar 24 10:30:36 jersey sshd[10305]: [ID 509786 auth.debug] roles
pam_sm_authenticate, service = sshd user = nforgeau ruser = not set
rhost = david.bpinet.com
Mar 24 10:30:36 jersey sshd[10305]: [ID 800047 auth.info] PAM rejected
by account configuration[13]:No account present for user
Mar 24 10:30:36 jersey sshd[10305]: [ID 800047 auth.info] Failed
publickey for nforgeau from 172.17.1.1 port 1143 ssh2
Mar 24 10:30:36 jersey sshd[10305]: [ID 800047 auth.info] Received
disconnect: 11: No supported authentication methods available
Mar 24 10:30:36 jersey sshd[10305]: [ID 800047 auth.debug] debug1:
Calling cleanup 0x29948(0x0)
Mar 24 10:30:36 jersey sshd[10305]: [ID 800047 auth.debug] debug1:
Calling cleanup 0x3e130(0x0)
Mar 24 10:30:53 jersey sshd[10230]: [ID 800047 auth.debug] debug1:
session_by_channel: session 0 channel 0
Mar 24 10:30:53 jersey sshd[10230]: [ID 800047 auth.debug] debug1:
session_input_channel_req: session 0 channel 0 request window-change
reply 0

While it may not be apparent, the above trace is emitted while the
client is still at the password prompt and the passphrase has not yet
been entered.

My main question is why the two lines are different:

(this one works)
Mar 24 10:41:22 jersey sshd[10399]: [ID 800047 auth.debug] debug1: PAM
Password authentication for "dlandgre" failed[9]: Authentication
failed

and

(this one fails)
Mar 24 10:30:30 jersey sshd[10305]: [ID 800047 auth.debug] debug1: PAM
Password authentication for "nforgeau" failed[13]: No account present
for user

I don't see any significant differences between the LDAP entries for
these accounts. If I connect to the box with the first account, I can
su(1) to the nforgeau account, and similarly, id(1) displays the
correct information.

The same ssh client was used in both cases: PuTTY 0.54. 0.56 shows the
same behaviour.

I have tried various recipes for sshd in /etc/pam.conf that I have
found in web searches, but the fact remains that without any
sshd-specific lines in /etc/pam.conf, the first account works in all
circumstances.

I don't know what other avenues to pursue. Thanks for any pointers you
may be able to provide.

David Landgren
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
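
Added example (not part of the original post): one way to compare two Sun_SSH auth traces like those above is to rejoin the e-mail-wrapped syslog records, group them by sshd PID, and list the PAM results that occur only in sessions that were never accepted. The function names are this example's own, and SAMPLE is an excerpt of the lines posted above.

```python
import re

REC = re.compile(r'^\w{3} [ \d]\d [\d:]{8} \S+ sshd\[(\d+)\]: \[ID \d+ [\w.]+\](.*?)'
                 r'(?=^\w{3} [ \d]\d [\d:]{8} |\Z)', re.M | re.S)
PAM = [("auth", re.compile(r'PAM Password authentication for "[^"]+" failed\[(\d+)\]: (.+)')),
       ("account", re.compile(r'PAM rejected by account configuration\[(\d+)\]: ?(.+)'))]
RESULT = re.compile(r'(Accepted|Failed) (\S+) for (\S+) from')

# Excerpt of the two traces in the post, wrapped exactly as they were mailed.
SAMPLE = """\
Mar 24 10:41:22 jersey sshd[10399]: [ID 800047 auth.debug] debug1: PAM
Password authentication for "dlandgre" failed[9]: Authentication
failed
Mar 24 10:41:23 jersey sshd[10399]: [ID 800047 auth.info] Accepted
publickey for dlandgre from 172.17.1.1 port 1159 ssh2
Mar 24 10:30:30 jersey sshd[10305]: [ID 800047 auth.debug] debug1: PAM
Password authentication for "nforgeau" failed[13]: No account present
for user
Mar 24 10:30:30 jersey sshd[10305]: [ID 800047 auth.info] PAM rejected
by account configuration[13]:No account present for user
Mar 24 10:30:30 jersey sshd[10305]: [ID 800047 auth.info] Failed
publickey for nforgeau from 172.17.1.1 port 1143 ssh2
"""

def unwrap(text):
    """Yield (pid, message) per syslog record, with wrapped lines rejoined."""
    for m in REC.finditer(text):
        yield m.group(1), " ".join(m.group(2).split())

def summarize(text):
    """Per sshd PID: user, set of (stage, code, message) PAM results, outcome."""
    sessions = {}
    for pid, msg in unwrap(text):
        s = sessions.setdefault(pid, {"user": None, "pam": set(), "accepted": False})
        for stage, rx in PAM:
            if m := rx.search(msg):
                s["pam"].add((stage, int(m[1]), m[2]))
        r = RESULT.match(msg)
        if r:
            s["user"] = r.group(3)
            s["accepted"] = s["accepted"] or r.group(1) == "Accepted"
    return sessions

def only_in_failing(text):
    """PAM results seen in rejected sessions but in no accepted session."""
    sess = list(summarize(text).values())
    ok = set().union(*(s["pam"] for s in sess if s["accepted"]))
    return sorted((s["user"],) + e for s in sess if not s["accepted"] for e in s["pam"] - ok)

print(only_in_failing(SAMPLE))
```
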


