From: Rakhesh Sasidharan
To: freebsd-questions@freebsd.org
Date: Tue, 25 Sep 2007 15:56:22 +0400 (GST)
Subject: Confusion on SSH and PAM
Message-ID: <20070925150058.J79029@dogmatix.home.rakhesh.com>
List-Id: User questions (freebsd-questions@freebsd.org)
X-Blog: http://rakhesh.com/
X-Notes: http://rakhesh.net/

Hi,

I've spent a fair bit of yesterday and today playing around with this. Have reached some confusing conclusions.
Here's a snippet from my ''sshd_config'' file:

----8<-----------
PubkeyAuthentication yes
ChallengeResponseAuthentication yes
PermitRootLogin without-password
PasswordAuthentication no
UsePAM yes
----8<-----------

The idea being that I use Public Key authentication. No password authentication. Yes to PAM authentication etc. (my understanding is that *if* Public Key auth fails then this is invoked). And root is allowed login using Key authentication.

Here's the SSHD section for PAM:

----8<-----------
auth       required   pam_nologin.so        no_warn
auth       required   pam_unix.so           try_first_pass
account    required   pam_login_access.so
account    required   pam_unix.so
session    required   pam_permit.so
password   required   pam_unix.so           no_warn try_first_pass
----8<-----------

Pretty standard config. As long as I log in as root with a key, things work as expected. However, when I log in as root without a key I am prompted for the password, and even though I enter the password correctly I am prompted again, for a total of 3 times, and then it fails.

After a bit of trial and error, I finally figured out that setting ''PermitRootLogin yes'' lets root log in without a key. So it seems to me that when I don't use Key authentication, PAM is invoked, and even though I supply the correct root password I am prompted again and again for a password because root login is disallowed by SSHD. Strange, because I was under the impression that as far as PAM is concerned I have successfully authenticated, so shouldn't it have OK'd me and left SSH to refuse login with some message? Why ask for the password thrice and then refuse?

I also tried without the ''no_warn'' option in the pam_unix module. That time I get an error like this after each password input:

----8<-----------
pam_unix: pam_sm_authenticate: UNIX authentication refused
----8<-----------

Any ideas or nudges in the right direction as to why this is happening? Looks like I've understood the interaction between SSH and PAM wrong here, so would appreciate some enlightenment.
Regards,

- Rakhesh
http://rakhesh.net/
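The following is an added example, not part of the original post: a small sh audit of the sshd_config interaction the post describes. Two points it makes concrete: with ''ChallengeResponseAuthentication yes'' and ''UsePAM yes'', a client can still send a password through keyboard-interactive (and PAM's pam_unix will check it) even though ''PasswordAuthentication no'' is set; and ''PermitRootLogin without-password'' is enforced by sshd itself, independently of PAM, so a correct root password through that path is refused by sshd after PAM has accepted it. The script parses only the simple ''Keyword value'' form (no Match blocks), takes the first occurrence of a keyword as sshd does, and assumes the upstream OpenSSH defaults of that era when a directive is absent (PasswordAuthentication yes, ChallengeResponseAuthentication yes, UsePAM no, PermitRootLogin yes); the two sample configs are constructed here.

```shell
#!/bin/sh
# Added example (not from the original post). Audits which password-style
# authentication paths an sshd_config leaves open and what that means for root.

# sshd_opt CONFIG KEYWORD DEFAULT: print the effective value of KEYWORD.
# sshd uses the first occurrence of a keyword; keywords are case-insensitive.
# Assumption: plain "Keyword value" lines only, no Match blocks or "Keyword=value".
sshd_opt() {
    awk -v key="$2" -v def="$3" '
        BEGIN { found = 0; key = tolower(key) }
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == key && !found { print tolower($2); found = 1 }
        END { if (!found) print tolower(def) }
    ' "$1"
}

# password_paths CONFIG: print, one per line, the ways a client can still
# authenticate with a password. Empty output means passwords are truly off.
# Defaults assumed when absent: PasswordAuthentication yes,
# ChallengeResponseAuthentication yes, UsePAM no (upstream OpenSSH defaults).
password_paths() {
    cfg=$1
    [ "$(sshd_opt "$cfg" PasswordAuthentication yes)" = yes ] && echo password
    # keyboard-interactive is routed to PAM only when both are enabled;
    # pam_unix then verifies the password even with PasswordAuthentication no.
    if [ "$(sshd_opt "$cfg" ChallengeResponseAuthentication yes)" = yes ] &&
       [ "$(sshd_opt "$cfg" UsePAM no)" = yes ]; then
        echo keyboard-interactive/pam
    fi
    return 0
}

# root_password_login CONFIG: can root log in with a password at all?
#   allowed          PermitRootLogin yes and at least one password path exists
#   refused-by-sshd  a password path exists (PAM may accept the password), but
#                    PermitRootLogin is without-password / prohibit-password /
#                    forced-commands-only, so sshd rejects the login itself
#   disabled         no password path at all, or PermitRootLogin no
# Default assumed when absent: PermitRootLogin yes (OpenSSH default before 7.0).
root_password_login() {
    cfg=$1
    paths=$(password_paths "$cfg")
    prl=$(sshd_opt "$cfg" PermitRootLogin yes)
    if [ -z "$paths" ] || [ "$prl" = no ]; then
        echo disabled
    elif [ "$prl" = yes ]; then
        echo allowed
    else
        echo refused-by-sshd
    fi
}

# Constructed sample 1: the snippet from the post.
write_post_config() {
    cat > "$1" <<'EOF'
PubkeyAuthentication yes
ChallengeResponseAuthentication yes
PermitRootLogin without-password
PasswordAuthentication no
UsePAM yes
EOF
}

# Constructed sample 2: keys only. PAM still handles account/session, but
# no password path reaches it because keyboard-interactive is off.
write_keys_only_config() {
    cat > "$1" <<'EOF'
PubkeyAuthentication yes
ChallengeResponseAuthentication no
PasswordAuthentication no
PermitRootLogin without-password
UsePAM yes
EOF
}

# demo: run the audit over both constructed samples.
demo() {
    tmp=$(mktemp -d)
    write_post_config "$tmp/post"
    write_keys_only_config "$tmp/keys"
    for f in post keys; do
        echo "== $f"
        echo "password paths     : $(password_paths "$tmp/$f" | tr '\n' ' ')"
        echo "root password login: $(root_password_login "$tmp/$f")"
    done
    rm -rf "$tmp"
}

demo
```

On the post's config the audit reports ''keyboard-interactive/pam'' as an open password path and ''refused-by-sshd'' for root: PAM's auth stack succeeds, then sshd's own PermitRootLogin check rejects the login, and the client simply re-prompts, because the ssh client retries password and keyboard-interactive prompts up to its NumberOfPasswordPrompts setting (default 3) before giving up. If the intent is "keys only", ''ChallengeResponseAuthentication no'' is the setting that actually closes the password path while leaving ''UsePAM yes'' in place for account and session handling.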