Date: Tue, 25 Sep 2007 14:28:34 +0200 (CEST)
From: Christian Baer <christian.baer@uni-dortmund.de>
To: freebsd-questions@freebsd.org
Subject: Re: Confusion on SSH and PAM
Message-ID: <fdauti$2tcs$4@nermal.rz1.convenimus.net>
References: <20070925150058.J79029@dogmatix.home.rakhesh.com>
On Tue, 25 Sep 2007 15:56:22 +0400 (GST) Rakhesh Sasidharan wrote:

> Any ideas or nudges in the right direction as to why this is happening?
> Looks like I've understood the interaction between SSH and PAM wrong here,
> so would appreciate some enlightenment.

I'm not sure if I can offer any enlightenment here, but you can have my 2 cents. :-)

When you authenticate yourself with your private key, everything works as you expect. If I understand you correctly, you are confused as to why you still get prompted for a password when you don't supply a key, and then even the right password doesn't get you in.

This is one of these things with computer logic. :-) You have told the sshd that a root login via PAM is not ok, only via private key. PAM is activated just the same (and probably works for other users). The login follows a certain order...

1 Ask for username
2 Did we get a key? If not, goto 5
3 Is the key ok? If not, goto 5
4 Let user login, exit authentication
5 Is PAM globally on? If not, exit
6 Ask for password
7 Is the password ok? If not, goto 6 (max 2 times, after that exit)
8 Let user login, exit

I know, crappy algorithm that reminds one of BASIC a bit. In this case it should do the job, though. Please forget that the word "goto" exists in other languages too (even Java). :-)

Your problem seems to be from steps 5 to 7. After the authentication by key fails, the sshd just goes to the next step, which is the password. For security reasons, the communication "inside" is a bit brief. PAM only gets the answer "not authenticated" and, because the reason isn't an issue, the user is asked for the password again. The point is that the sshd just refuses your login each time, because a password just isn't enough.

I have already made up a little something to put this situation into another context (access to an underground club for parties) to maybe make it a little clearer, but I think the world has had quite enough of my little stories already. :-)

Regards
Chris
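The eight-step decision order from the mail above, written out as a small model so the behaviour Rakhesh saw (root prompted for a password that can never succeed) can be reproduced. This is an added illustration, not OpenSSH code or anything from the thread; the configuration flag names, the credential store, the retry limit of three prompts and the users/passwords are all constructed for the example.

```python
# Added model of the sshd/PAM decision order described in the mail.
# Not OpenSSH code: flag names, credentials and the retry limit are assumptions.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed credential store for the example.
AUTHORIZED_KEYS = {"root": "key-root-1", "alice": "key-alice-1"}
PASSWORDS = {"root": "r00t-secret", "alice": "alice-pw"}
MAX_PASSWORD_PROMPTS = 3  # assumption: one prompt plus at most two retries

@dataclass
class Config:
    use_pam: bool = True               # step 5: "Is PAM globally on?"
    root_login_key_only: bool = True   # "root via PAM is not ok, only via key"

@dataclass
class Attempt:
    user: str
    key: Optional[str] = None
    passwords: List[str] = field(default_factory=list)  # typed at each prompt, in order

def pam_authenticate(user: str, password: str) -> str:
    # PAM checks the password; the reply back to sshd is deliberately terse.
    return "authenticated" if PASSWORDS.get(user) == password else "not authenticated"

def sshd_login(cfg: Config, attempt: Attempt) -> Tuple[str, int]:
    """Walk steps 2-8 of the mail; return (result, number of password prompts)."""
    prompts = 0
    # Steps 2-4: a valid public key ends authentication immediately.
    if attempt.key is not None and AUTHORIZED_KEYS.get(attempt.user) == attempt.key:
        return "login ok (publickey)", prompts
    # Step 5: no key or a bad key falls through to PAM, if PAM is on at all.
    if not cfg.use_pam:
        return "denied (no PAM)", prompts
    # Steps 6-7: prompt for a password, retrying a bounded number of times.
    typed = iter(attempt.passwords)
    while prompts < MAX_PASSWORD_PROMPTS:
        prompts += 1
        pw = next(typed, None)
        if pw is None:          # the user gave up at this prompt
            break
        verdict = pam_authenticate(attempt.user, pw)
        # sshd applies its own policy on top of PAM's verdict: root may not log
        # in by password at all, so even a correct password is "not enough".
        root_blocked = attempt.user == "root" and cfg.root_login_key_only
        if verdict == "authenticated" and not root_blocked:
            return "login ok (password)", prompts   # step 8
    return "denied (password auth refused)", prompts
```

Running `sshd_login(Config(), Attempt("root", passwords=["r00t-secret"] * 3))` gives three prompts and a refusal, while the same password for a non-root user, or the key for root, logs in.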