From: Christian Baer
Newsgroups: gmane.os.freebsd.questions
Date: Tue, 25 Sep 2007 14:28:34 +0200 (CEST)
Subject: Re: Confusion on SSH and PAM

On Tue, 25 Sep 2007 15:56:22 +0400 (GST) Rakhesh Sasidharan wrote:

> Any ideas or nudges in the right direction as to why this is happening?
> Looks like I've understood the interaction between SSH and PAM wrong here,
> so would appreciate some enlightenment.
I'm not sure if I can offer any enlightenment here, but you can have my 2 cents. :-)

When you authenticate yourself with your private key, everything works as you expect. If I understand you correctly, you are confused as to why you still get prompted for a password when you don't supply a key and then even the right password doesn't get you in.

This is one of these things with computer logic. :-) You have told the sshd that a root login via PAM is not ok, only via private key. PAM is activated just the same (and probably works for other users). The login follows a certain order...

1 Ask for username
2 Did we get a key? If not, goto 5
3 Is the key ok? If not, goto 5
4 Let user login, exit authentication
5 Is PAM globally on? If not exit
6 Ask for password
7 Is the password ok? If not goto 6 max 2 times, after that exit
8 Let user login, exit

I know, crappy algorithm that reminds of BASIC a bit. In this case it should do the job, though. Please forget that the word "goto" exists in other languages too (even Java). :-)

Your problem seems to be from steps 5 to 7. After the authentication by key fails, the sshd just goes to the next step, which is the password. For security reasons, the communication "inside" is a bit brief. PAM only gets the answer "not authenticated" and because the reason isn't an issue, the user is asked for the password again. The point is that the sshd just refuses your login each time, because a password just isn't enough.

I have already made up a little something to put this situation into another context (access to an underground club for parties) to maybe make it a little clearer but I think the world has had quite enough of my little stories already. :-)

Regards
Chris
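As an added illustration (not part of the thread), the ordering Chris describes can be modelled in a few lines: key first, then PAM password prompts, with root admitted on a key only. The sshd_config keywords PermitRootLogin, PasswordAuthentication, UsePAM and MaxAuthTries are real; the config fragment, the user names and the attempt lists are constructed for this example, and the model is a simplification of what sshd actually does.

```python
# Added example, not code from the post or from OpenSSH: a toy model of the
# key-then-PAM ordering described above, plus a check for the config pattern
# that yields a root password prompt which can never succeed.

SSHD_CONFIG = """
# constructed sshd_config fragment (assumption for this example)
PermitRootLogin without-password
PasswordAuthentication yes
UsePAM yes
MaxAuthTries 3
"""

def parse_sshd_config(text):
    """Parse 'Keyword value' lines; blanks and comments are skipped and,
    as in sshd, the first occurrence of a keyword wins."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        cfg.setdefault(key.lower(), value.strip())
    return cfg

def authenticate(cfg, user, key_ok, password_attempts):
    """Model of the steps in the post. password_attempts lists whether each
    typed password would be correct. Returns (admitted, password_prompts)."""
    root = user == "root"
    if root and cfg.get("permitrootlogin") == "no":
        return False, 0                      # refused before any method runs
    if key_ok:
        return True, 0                       # steps 2-4: key accepted, no prompt
    if cfg.get("usepam") != "yes" or cfg.get("passwordauthentication") != "yes":
        return False, 0                      # step 5: no password method available
    # Root with 'without-password' still reaches the prompt, but sshd never
    # accepts a password for that account (the behaviour seen in the thread).
    password_allowed = not (root and cfg.get("permitrootlogin") == "without-password")
    tries = int(cfg.get("maxauthtries", "6"))
    prompts = 0
    for ok in password_attempts[:tries]:     # steps 6-7: prompt, check, repeat
        prompts += 1
        if ok and password_allowed:
            return True, prompts             # step 8
    return False, prompts

def root_prompt_can_never_succeed(cfg):
    """True for the puzzling combination: PAM password auth is enabled, so root
    is prompted, yet PermitRootLogin only admits root with a key."""
    return (cfg.get("permitrootlogin") == "without-password"
            and cfg.get("usepam") == "yes"
            and cfg.get("passwordauthentication") == "yes")
```

On a live host, `sshd -T -C user=root,host=<name>,addr=<ip>` prints the effective values of these keywords for that connection, which is the quickest way to confirm what the daemon will actually do.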