When ssh'ing into a gentoo box running openssh you will get PAM authentication only for the first 3 login attempts! If you are running sshd with pam you can try this yourself. Just try to ssh in to yourself 3 times; it will prompt you for a password 3 times (just hit enter). These are the PAM protected prompts and say "Password:", and then after the 3rd time it goes back to the regular unprotected sshd login prompt and ignores all PAM settings; during this time it says "blah@localhost's password:".

To see that PAM isn't being checked for authentication after the 3rd prompt simply add a line to your /etc/pam.d/sshd file that blocks all users such as:

auth required pam_listfile.so item=user sense=allow file=/dev/null onerr=fail

This seems to affect all gentoo boxes using openssh's sshd with pam. This seems to be a serious security issue.

Reproducible: Always

Steps to Reproduce:
1. edit your sshd_config and uncomment UsePAM = yes
2. type "ssh blah@localhost"
3. hit enter 3 times

Actual Results:
ssh blah@localhost
Password:
Password:
Password:
blah@localhost's password:
Permission denied, please try again.
blah@localhost's password:
Permission denied, please try again.
blah@localhost's password:
Permission denied (publickey,password,keyboard-interactive).

Expected Results:
It should always use PAM when "UsePAM = yes" is in the config.

This happens on all gentoo boxes I have tested (4 at the moment), try it on your own.

Portage 2.0.49-r3 (default-x86-1.4, gcc-3.3.1, glibc-2.3.2-r1, 2.4.22)
=================================================================
System uname: 2.4.22 i686 AMD Athlon(tm) processor
distcc 2.9 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled]
ccache version 2.2 [enabled]
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CFLAGS="-march=athlon-tbird -O3 -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
COMPILER="gcc3"
CONFIG_PROTECT="/etc /var/qmail/control /usr/kde/2/share/config /usr/kde/3/share/config /var/bind /usr/X11R6/lib/X11/xkb /usr/kde/3.1/share/config /usr/share/config"
CONFIG_PROTECT_MASK="/etc/gconf /etc/env.d"
CXXFLAGS="-march=athlon-tbird -O3 -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs sandbox ccache"
GENTOO_MIRRORS="http://gentoo.oregonstate.edu/ http://sunsite.ualberta.ca/pub/unix/Linux/gentoo http://www.ibiblio.org/pub/Linux/distributions/gentoo http://csociety-ftp.ecn.purdue.edu/pub/gentoo/ ftp://ftp.gtlib.cc.gatech.edu/pub/gentoo http://cs.ubishops.ca/pub/gentoo"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY=""
SYNC="rsync://rsync.namerica.gentoo.org/gentoo-portage"
USE="x86 oss encode foomaticdb gif libg++ mad mikmod spell slang guile gpm pam motif 3dfx 3dnow aalib alsa apache2 apm arts avi berkdb crypt cups dga directfb dvd -esd gdbm -gnome gtk gtk2 imap imlib java jikes jpeg kde leim libwww maildir mmx mpeg nas ncurses nls objc oggvorbis opengl pdflib perl png python qt quicktime readline samba sdl smooth sse ssl tcltk tcpd tiff truetype usb voodoo3 svga wmf X xml xml2 xmms xv zlib"
I should mention I am using openssh-3.7_p1 and pam-0.75-r11 as are the other systems tested.
When testing with the following you will get a warning about /dev/null:

auth required pam_listfile.so item=user sense=allow file=/dev/null onerr=fail

So it's better to test with this line:

login account required pam_deny.so
Remove 'PasswordAuthentication yes' from the sshd_config ... basically it does PAM 3 times, then falls back to PasswordAuthentication.
I didn't have the line "PasswordAuthentication yes" in my sshd_config. However, adding "PasswordAuthentication no" to my sshd_config seems to fix the problem. The config file says:

# Set this to 'yes' to enable PAM authentication (via challenge-response)
# and session processing. Depending on your PAM configuration, this may
# bypass the setting of 'PasswordAuthentication'

If this comment is correct then I believe it to be a problem with the program; this should be bypassing any default value of PasswordAuthentication. If not, then this comment needs to be changed in the default sshd_config.
The comment is correct and the openssh devs know about it. I basically meant 'disable PasswordAuthentication', and you have done so :)
Hmm, unless the pam guys want to take a look at this bug I'd say that the current status is correct ...
According to the sshd_config docs when enabling UsePAM you SHOULD turn off PasswordAuthentication, I believe the default gentoo config comments for UsePAM should be corrected.
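A small audit script for the misconfiguration this thread settles on, added here as an example and not part of the bug report or of OpenSSH: it reads an sshd_config the way sshd does (first occurrence wins, keywords case-insensitive, "Keyword = value" accepted) and flags "UsePAM yes" paired with PasswordAuthentication left enabled, treating an absent PasswordAuthentication line as the built-in default "yes", which is what the reporter had. The sample configs are constructed; the default "no" passed for UsePAM is the documented default in current OpenSSH and should be adjusted for the version in use.

```shell
#!/bin/sh
# Added example (not from the bug report): check whether an sshd_config
# leaves the fallback described in this thread open, i.e. "UsePAM yes"
# together with PasswordAuthentication still enabled. sshd's built-in
# default for PasswordAuthentication is "yes", so an absent line counts as
# enabled, which is the configuration the reporter started from.

# Effective value of a keyword: first occurrence wins (as in sshd), matching
# is case-insensitive, "Keyword = value" is accepted, blank lines and lines
# starting with '#' are skipped. Match blocks are not handled.
sshd_effective() {
    # $1 = config file, $2 = keyword, $3 = value to assume when absent
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    val=$(awk -v key="$key" '
        NF == 0 || $1 ~ /^#/ { next }
        { gsub(/=/, " ") }
        tolower($1) == key { print $2; exit }
    ' "$1")
    printf '%s\n' "${val:-$3}"
}

# Exit status 0 when every password login must pass PAM, 1 when sshd can
# fall back to its own password check once the PAM prompts are used up.
pam_fallback_check() {
    usepam=$(sshd_effective "$1" UsePAM no)
    passwd=$(sshd_effective "$1" PasswordAuthentication yes)
    if [ "$usepam" = yes ] && [ "$passwd" = yes ]; then
        echo "$1: UsePAM yes with PasswordAuthentication yes (or unset): PAM can be bypassed"
        return 1
    fi
    echo "$1: ok (UsePAM=$usepam, PasswordAuthentication=$passwd)"
}

# Constructed sample configs, not taken from any real system.
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
WEAK_CFG="$tmp/sshd_config.weak"
FIXED_CFG="$tmp/sshd_config.fixed"
cat > "$WEAK_CFG" <<'EOF'
# PasswordAuthentication is not set, so sshd's default "yes" applies
UsePAM yes
EOF
cat > "$FIXED_CFG" <<'EOF'
UsePAM = yes
PasswordAuthentication no
EOF

pam_fallback_check "$WEAK_CFG" || echo "  -> add 'PasswordAuthentication no'"
pam_fallback_check "$FIXED_CFG"
```

Point it at /etc/ssh/sshd_config on a real host to get the same verdict; a non-zero exit status means the fallback is open.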