From: "Shila Ofek"
To: roam@orbitel.bg
Cc: security@freebsd.org
Subject: Re: OpenSSH UseLogin parameter
Date: Mon, 16 Jul 2001 13:18:27 +0300

I'm working with OpenSSH-2.2.0 on FreeBSD 4.2, and from a look at the code
it doesn't work with PAM. The only reminder of PAM in the code is in file
auth1.c:

    #ifdef HAVE_LIBPAM
            int pam_retval;
    #endif /* HAVE_LIBPAM */

and that's it...
Should I recompile the SSH daemon with some flag or something, or do I have
the wrong version?

The lines I have in pam.conf are:

    sshd    auth        required    pam_radius.so
    sshd    account     optional    pam_unix.so
    sshd    password    required    pam_permit.so
    sshd    session     required    pam_permit.so

Is this OK? Although I'm quite sure it doesn't get to this part at all.

The output I get when I run the daemon with -d is:

    [Prompt]sshd -d
    debug: sshd version OpenSSH_2.2.0
    error: Could not load DSA host key: /etc/ssh/ssh_host_dsa_key
    Disabling protocol version 2
    debug: Bind to port 22 on 0.0.0.0.
    Server listening on 0.0.0.0 port 22.
    Generating 768 bit RSA key.
    RSA key generation complete.
    debug: Server will not fork when running in debugging mode.
    Connection from XXX port XXX
    Connection from XXX port XXX
    debug: Client protocol version 1.5; client software version OpenSSH_2.2.0
    debug: Local version string SSH-1.5-OpenSSH_2.2.0
    debug: Sent 768 bit public key and 1024 bit host key.
    debug: Encryption type: 3des
    debug: Received session key; encryption turned on.
    debug: Installing crc compensation attack detector.
    Faking authloop for illegal user radtest from XXX port XXX

Thanks,
Shila.

>From: Peter Pentchev
>To: Shila Ofek
>CC: green@freebsd.org, security@freebsd.org
>Subject: Re: OpenSSH UseLogin parameter
>Date: Mon, 16 Jul 2001 12:08:03 +0300
>
>On Mon, Jul 16, 2001 at 11:22:14AM +0300, Shila Ofek wrote:
> > When the ssh user authentication is a password authentication, I want to
> > use PAM. It seems that the OpenSSH daemon does not work with PAM, so I
> > thought that using the regular login, I will get PAM integration for free.
> > So, is it possible to work with the UseLogin to use the regular login
> > program? What do I have to do to use it properly?
> > Or, is there a possibility that the OpenSSH daemon will work with PAM
> > when it's doing password authentication?
>
>The OpenSSH daemon does work with PAM. Do you have the proper configuration
>lines in your /etc/pam.conf file, though? Post the output of:
>
>    grep '^sshd' /etc/pam.conf
>
>G'luck,
>Peter
>
>--
>If there were no counterfactuals, this sentence would not have been
>paradoxical.
>
> > >From: "Brian F. Feldman"
> > >To: "Shila Ofek"
> > >CC: security@freebsd.org
> > >Subject: Re: OpenSSH UseLogin parameter
> > >Date: Thu, 12 Jul 2001 15:59:45 -0400
> > >
> > >"Shila Ofek" wrote:
> > > > Hello,
> > > > I'm trying to get an openssh daemon to work with the regular login,
> > > > using the UseLogin parameter in the daemon's configuration file.
> > > > But, it doesn't work...
> > > > Does anyone have any experience with this?
> > > >
> > > > Thanks,
> > > > Shila Ofek.
> > >
> > >Why exactly would you want to do this? If there are bugs that you know
> > >about in OpenSSH's login code, they should be reported. OpenSSH is meant
> > >to work without using login, supporting all the functionality login has.
> > >Let me know exactly what problems you're having.
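
The check Peter asks for (grep '^sshd' /etc/pam.conf), extended into an added example that is not part of the thread: it resolves which rule each PAM facility actually gets for a service and flags an auth stack that ends up on pam_permit.so. The function names, the "ftpd" service and the "other" line are constructed for illustration, and the per-facility fallback to the reserved service "other" is assumed to follow Linux-PAM behaviour.

```shell
#!/bin/sh
# Added example: resolve the rules a service gets from a single-file
# /etc/pam.conf, whose lines read "service facility control module [args]".
# Assumption: a facility with no rule for the service falls back to the
# reserved service "other" (Linux-PAM behaviour).

# pam_rules SERVICE FACILITY [FILE] -> "control module" for each rule
pam_rules() {
    awk -v svc="$1" -v fac="$2" '
        /^[ \t]*#/ || NF < 4 { next }    # skip comments and short lines
        $1 == svc && $2 == fac { print $3, $4 }
    ' "${3:-/etc/pam.conf}"
}

# pam_effective SERVICE [FILE] -> "facility source control module"
pam_effective() {
    for fac in auth account password session; do
        src=$1
        rules=$(pam_rules "$1" "$fac" "$2")
        if [ -z "$rules" ]; then
            src=other
            rules=$(pam_rules other "$fac" "$2")
        fi
        if [ -z "$rules" ]; then
            echo "$fac none - -"
        else
            printf '%s\n' "$rules" | awk -v p="$fac $src" '{ print p, $0 }'
        fi
    done
}

# pam_warn SERVICE [FILE] -> effective auth rules using pam_permit.so,
# a module that always returns success
pam_warn() {
    pam_effective "$@" | awk '$1 == "auth" && $4 ~ /pam_permit\.so$/'
}

# sshd lines as posted in the thread; the "other" line is constructed.
sample_conf() {
    cat <<'EOF'
sshd  auth      required  pam_radius.so
sshd  account   optional  pam_unix.so
sshd  password  required  pam_permit.so
sshd  session   required  pam_permit.so
other auth      required  pam_permit.so
EOF
}

conf=$(mktemp) && sample_conf > "$conf"
pam_effective sshd "$conf"    # every facility resolved from sshd's own lines
pam_warn ftpd "$conf"         # ftpd (constructed) has no lines: falls to other
```

Run without a file argument, the functions read the live /etc/pam.conf.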