Bug 28915

Summary: PAM Authentication not always used when UsePAM = yes in sshd_config
Product: Gentoo Linux
Reporter: Danny <Dirus>
Component: [OLD] Unspecified
Assignee: Daniel Ahlberg (RETIRED) <aliz>
Status: RESOLVED INVALID
Severity: critical
CC: pam-bugs+disabled, vapier
Priority: Highest
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---

Description Danny 2003-09-16 14:58:51 UTC
When ssh'ing into a gentoo box running openssh you will get PAM authentication only for the first 3 login attempts! If you are running sshd with pam you can try this yourself. Just try to ssh in to yourself 3 times; it will prompt you for a password 3 times (just hit enter). These are the PAM protected prompts and say "Password:", and then after the 3rd time it goes back to the regular unprotected sshd login prompt and ignores all PAM settings; during this time it says "blah@localhost's password:". To see that PAM isn't being checked for authentication after the 3rd prompt simply add a line to your /etc/pam.d/sshd file that blocks all users such as: auth required pam_listfile.so item=user sense=allow file=/dev/null onerr=fail

This seems to affect all gentoo boxes using openssh's sshd with pam. This seems to be a serious security issue.

Reproducible: Always
Steps to Reproduce:
1.  edit your sshd_config and uncomment UsePAM = yes
2.  type "ssh blah@localhost"
3.  hit enter 3 times

Actual Results:  
ssh blah@localhost
Password: 
Password: 
Password: 
blah@localhost's password: 
Permission denied, please try again.
blah@localhost's password: 
Permission denied, please try again.
blah@localhost's password: 
Permission denied (publickey,password,keyboard-interactive).

Expected Results:  
It should always use PAM when "UsePAM = yes" is in the config.

This happens on all gentoo boxes I have tested (4 at the moment), try it on your own.

Portage 2.0.49-r3 (default-x86-1.4, gcc-3.3.1, glibc-2.3.2-r1, 2.4.22)
=================================================================
System uname: 2.4.22 i686 AMD Athlon(tm) processor
distcc 2.9 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled]
ccache version 2.2 [enabled]
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CFLAGS="-march=athlon-tbird -O3 -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
COMPILER="gcc3"
CONFIG_PROTECT="/etc /var/qmail/control /usr/kde/2/share/config /usr/kde/3/share/config /var/bind /usr/X11R6/lib/X11/xkb /usr/kde/3.1/share/config /usr/share/config"
CONFIG_PROTECT_MASK="/etc/gconf /etc/env.d"
CXXFLAGS="-march=athlon-tbird -O3 -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs sandbox ccache"
GENTOO_MIRRORS="http://gentoo.oregonstate.edu/ http://sunsite.ualberta.ca/pub/unix/Linux/gentoo http://www.ibiblio.org/pub/Linux/distributions/gentoo http://csociety-ftp.ecn.purdue.edu/pub/gentoo/ ftp://ftp.gtlib.cc.gatech.edu/pub/gentoo http://cs.ubishops.ca/pub/gentoo"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY=""
SYNC="rsync://rsync.namerica.gentoo.org/gentoo-portage"
USE="x86 oss encode foomaticdb gif libg++ mad mikmod spell slang guile gpm pam motif 3dfx 3dnow aalib alsa apache2 apm arts avi berkdb crypt cups dga directfb dvd -esd gdbm -gnome gtk gtk2 imap imlib java jikes jpeg kde leim libwww maildir mmx mpeg nas ncurses nls objc oggvorbis opengl pdflib perl png python qt quicktime readline samba sdl smooth sse ssl tcltk tcpd tiff truetype usb voodoo3 svga wmf X xml xml2 xmms xv zlib"

Comment 1 Danny 2003-09-16 15:05:49 UTC
I should mention I am using openssh-3.7_p1 and pam-0.75-r11 as are the other systems tested.
Comment 2 Danny 2003-09-16 16:17:15 UTC
When testing with the following you will get a warning about /dev/null:
auth required pam_listfile.so item=user sense=allow file=/dev/null onerr=fail

So it's better to test with this line:
login account required pam_deny.so
Comment 3 SpanKY gentoo-dev 2003-09-16 22:51:06 UTC
remove 'PasswordAuthentication yes' from the sshd_config ...

basically it does PAM 3 times then falls back to PasswordAuthentication
Comment 4 Danny 2003-09-17 02:31:01 UTC
I didn't have the line "PasswordAuthentication yes" in my sshd_config.  However, adding "PasswordAuthentication no" to my sshd_config seems to fix the problem.  The config file says:
# Set this to 'yes' to enable PAM authentication (via challenge-response)
# and session processing. Depending on your PAM configuration, this may
# bypass the setting of 'PasswordAuthentication'

If this comment is correct then I believe it to be a problem with the program, this should be bypassing any default value of PasswordAuthentication.  If not then this comment needs to be changed in the default sshd_config.
Comment 5 SpanKY gentoo-dev 2003-09-17 03:20:57 UTC
the comment is correct and the openssh devs know about it

i basically meant 'disable PasswordAuthentication' and you have done so :)
Comment 6 SpanKY gentoo-dev 2003-09-17 03:24:38 UTC
hmm, unless the pam guys want to take a look at this bug i'd say that the current status is correct ...
Comment 7 Danny 2003-09-17 03:42:20 UTC
According to the sshd_config docs when enabling UsePAM you SHOULD turn off PasswordAuthentication, I believe the default gentoo config comments for UsePAM should be corrected.
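A check for the configuration combination this bug is about, added here as an example (it is not part of the bug report or of OpenSSH): it reads an sshd_config the way sshd does (first occurrence of a keyword wins, keywords are case-insensitive, "Key value" and "Key = value" both accepted, global section only up to any Match line) and flags UsePAM yes while PasswordAuthentication is not explicitly no, which is the state in which sshd falls back from the PAM prompts to plain password authentication. Assumed defaults for absent keywords are UsePAM no and PasswordAuthentication yes, as documented in sshd_config(5).

```shell
#!/bin/sh
# Added example, not from the bug report: audit an sshd_config for the
# UsePAM yes + PasswordAuthentication (default yes) fallback discussed above.

# Print the effective (lower-cased) value of keyword $2 in file $1, honouring
# sshd's rule that the first occurrence wins; print default $3 if unset.
# Parsing stops at the first "Match" line, since that ends the global section.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        {
            line = $0
            sub(/^[ \t]+/, "", line)                      # leading whitespace
            if (line == "" || substr(line, 1, 1) == "#") next   # blank/comment
            gsub(/[ \t]*=[ \t]*/, " ", line)              # "Key = v" -> "Key v"
            n = split(line, f, /[ \t]+/)
            if (tolower(f[1]) == "match") exit            # end of global section
            if (n >= 2 && tolower(f[1]) == key) {
                gsub(/"/, "", f[2])                       # strip optional quotes
                print tolower(f[2]); found = 1; exit
            }
        }
        END { if (!found) print def }
    ' "$1"
}

# Return 0 if the file is safe, 1 if PAM can be bypassed by the password
# fallback. Defaults (UsePAM no, PasswordAuthentication yes) per sshd_config(5).
check_sshd_pam_fallback() {
    pam=$(sshd_effective "$1" UsePAM no)
    pw=$(sshd_effective "$1" PasswordAuthentication yes)
    if [ "$pam" = "yes" ] && [ "$pw" != "no" ]; then
        echo "RISK: $1: UsePAM yes but PasswordAuthentication is '$pw';" \
             "after the PAM attempts fail sshd falls back to plain password" \
             "auth and the PAM auth stack is skipped. Set PasswordAuthentication no." >&2
        return 1
    fi
    echo "OK: $1: UsePAM=$pam PasswordAuthentication=$pw"
    return 0
}

# Usage: sh check_sshd_pam.sh /etc/ssh/sshd_config
if [ "$#" -gt 0 ]; then
    check_sshd_pam_fallback "$1"
fi
```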