Date:      Mon, 16 Jul 2001 13:18:27 +0300
From:      "Shila Ofek" <shila_ofek@hotmail.com>
To:        roam@orbitel.bg
Cc:        security@freebsd.org
Subject:   Re: OpenSSH UseLogin parameter
Message-ID:  <F40NYAE4TEdkuCLU8AM00014558@hotmail.com>


I'm working with OpenSSH-2.2.0 on FreeBSD 4.2, and from a look at the code 
it doesn't work with PAM. The only reminder of PAM in the code is in file  
auth1.c:
#ifdef HAVE_LIBPAM
        int pam_retval;
#endif /* HAVE_LIBPAM */
and that's it...

Should I recompile the SSH daemon with some flag or something, or do I have 
the wrong version?

The lines I have in pam.conf are:
sshd  auth required  pam_radius.so
sshd account optional  pam_unix.so
sshd password required pam_permit.so
sshd session required  pam_permit.so
Is this OK?  Although I'm quite sure it doesn't get to this part at all.
The output I get when I run the daemon with -d is:

[Prompt]sshd -d
debug: sshd version OpenSSH_2.2.0
error: Could not load DSA host key: /etc/ssh/ssh_host_dsa_key
Disabling protocol version 2
debug: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
Generating 768 bit RSA key.
RSA key generation complete.
debug: Server will not fork when running in debugging mode.
Connection from XXX port XXX
Connection from XXX port XXX
debug: Client protocol version 1.5; client software version OpenSSH_2.2.0
debug: Local version string SSH-1.5-OpenSSH_2.2.0
debug: Sent 768 bit public key and 1024 bit host key.
debug: Encryption type: 3des
debug: Received session key; encryption turned on.
debug: Installing crc compensation attack detector.
Faking authloop for illegal user radtest from XXX port XXX

Thanks,
      Shila.


>From: Peter Pentchev <roam@orbitel.bg>
>To: Shila Ofek <shila_ofek@hotmail.com>
>CC: green@freebsd.org, security@freebsd.org
>Subject: Re: OpenSSH UseLogin parameter
>Date: Mon, 16 Jul 2001 12:08:03 +0300
>
>On Mon, Jul 16, 2001 at 11:22:14AM +0300, Shila Ofek wrote:
> > When the ssh user authentication is a password authentication, I want to use
> > PAM.  It seems that the OpenSSH daemon does not work with PAM, so I thought
> > that using the regular login, I will get PAM integration for free.
> > So, is it possible to work with the UseLogin to use the regular login
> > program?  What do I have to do to use it properly?
> > Or, is there a possibility, that the OpenSSH daemon will work with PAM when
> > it's doing password authentication?
>
>The OpenSSH daemon does work with PAM.  Do you have the proper configuration
>lines in your /etc/pam.conf file, though?  Post the output of:
>
>   grep '^sshd' /etc/pam.conf
>
>G'luck,
>Peter
>
>--
>If there were no counterfactuals, this sentence would not have been paradoxical.
>
> > >From: "Brian F. Feldman" <green@freebsd.org>
> > >To: "Shila Ofek" <shila_ofek@hotmail.com>
> > >CC: security@freebsd.org
> > >Subject: Re: OpenSSH UseLogin parameter
> > >Date: Thu, 12 Jul 2001 15:59:45 -0400
> > >
> > >"Shila Ofek" <shila_ofek@hotmail.com> wrote:
> > > > Hello,
> > > > I'm trying to get an openssh daemon to work with the regular login, using
> > > > the UseLogin parameter in the daemon's configuration file.
> > > > But, it doesn't work...
> > > > Does anyone have any experience with this?
> > > >
> > > > Thanks,
> > > >       Shila Ofek.
> > >
> > >Why exactly would you want to do this?  If there are bugs that you know
> > >about in OpenSSH's login code, they should be reported.  OpenSSH is meant to
> > >work without using login, supporting all the functionality login has.  Let
> > >me know exactly what problems you're having.
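
The grep '^sshd' /etc/pam.conf check requested in the thread, extended into a per-facility summary. This is an added example, not part of the original messages or of OpenSSH; the function name pam_service_summary and the sample file are constructed for illustration, and the assumed line layout is service, facility, control flag, module path.

```shell
#!/bin/sh
# Added example: summarise the pam.conf entries for one service, by facility.
# Assumed line format: service  facility  control-flag  module-path  [args]

pam_service_summary() {
    # $1 = service name (e.g. sshd), $2 = path to a pam.conf-format file
    awk -v svc="$1" '
        BEGIN { n = split("auth account session password", fac, " ") }
        { sub(/#.*/, "") }          # strip comments (also re-splits fields)
        NF < 4 { next }             # blank, comment-only or malformed line
        $1 == svc {
            # keep modules in file order: that is the order PAM runs them
            stack[$2] = stack[$2] (stack[$2] ? "," : "") $3 ":" $4
        }
        END {
            for (i = 1; i <= n; i++) {
                f = fac[i]
                # a facility with no line for this service is reported,
                # which a plain grep of the file does not make obvious
                print f "=" (stack[f] ? stack[f] : "MISSING")
            }
        }
    ' "$2"
}

# Constructed sample input: the four sshd lines quoted in the message,
# plus a comment and an unrelated service to exercise the parser.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample, not a real system file
login auth     required pam_unix.so
sshd  auth required  pam_radius.so
sshd account optional  pam_unix.so
sshd password required pam_permit.so
sshd session required  pam_permit.so
EOF

pam_service_summary sshd "$sample"
rm -f "$sample"
```
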
