[olug] PAM

William E. Kempf wekempf at cox.net
Wed Feb 5 21:39:27 UTC 2003


> At Wed, 05 Feb 03, Unidentified Flying Banana William E. Kempf, said:
>> I've got a RedHat 7.1 box on which I think the PAM config files have
>> been messed up.  I suspect this because when I ssh to this box when I
>> have the clients public key in the servers .ssh/authorized_keys file,
>> it still asks me for a password.  I know the PAM config files have
>> been modified, but don't know what modifications were done.  Is there
>> any way to return to the originally installed PAM files, or any other
>> way to go about fixing my problem?
>
> I won't claim that this can't be PAM related, but it seems to be that
> it's more likely a Secure Shell issue.
>
> I would suggest doing the following:
>
>   o Ensure that the ~/.ssh/authorized_keys file on the server is
>     "valid".  Check it against the ssh public key, and make sure there
>     are no line breaks or anything like that in it.

I've tried to verify this, and here's a capsule of what I've done.

[wekempf ~]$ rm -rf .ssh/*
[wekempf ~]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/wekempf/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/wekempf/.ssh/id_rsa.
Your public key has been saved in /home/wekempf/.ssh/id_rsa.pub.
The key fingerprint is:
2f:97:d7:87:a3:72:35:cf:9c:36:f4:60:79:ec:6d:47 wekempf at client
[wekempf ~]$ scp .ssh/id_rsa.pub server:mykey
The authenticity of host 'server (???.???.???.???)' can't be established.
RSA key fingerprint is 84:6d:4f:12:8c:0c:9b:97:4f:f0:89:0d:36:b7:6d:e8.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'server,???.???.???.???' (RSA) to the list of known hosts.
wekempf at server's password:
id_rsa.pub           100% |*****************************|   227       00:00
[wekempf ~]$ ssh csdsvr10
wekempf at server's password:
Last login: Wed Feb  5 14:48:39 2003 from client
[wekempf wekempf]$ rm -rf .ssh/*
[wekempf wekempf]$ cp mykey .ssh/authorized_keys
[wekempf wekempf]$ exit
Connection to server closed.
[wekempf ~]$ ssh csdsvr10
wekempf at server's password:

>   o Ensure that you are using a matching SSH1 or SSH2 key pair for the
>     right ssh protocol version.  An SSH1 key won't work with the SSH2
>     protocol.

OK, I'll claim ignorance here.  How do you determine which protocol is
being used?  What I've got above is all I've ever needed to do to use SSH
on many computers connecting to many servers.  This is the first time the
procedure has ever failed me.

>   o Ensure that the ~/.ssh/identity, ~/.ssh/id_dsa, or ~/.ssh/id_rsa
>     file is valid, and matches the authorized_keys entry on the server.

The above should have done this, no?

>   o Ensure that the ~/.ssh/identity, ~/.ssh/id_dsa, or ~/.ssh/id_rsa
>     file is not readable, writable, or executable by anyone other than
>     the user that owns it.  ssh will ignore it, if it is.

[wekempf ~]$ ls -al .ssh
total 3
drwx------+   2 wekempf  mkgroup         0 Feb  5 15:23 ./
drwxrwx---+  38 wekempf  Administ        0 Feb  5 15:18 ../
-rw-------    1 wekempf  mkgroup       883 Feb  5 15:22 id_rsa
-rw-r--r--    1 wekempf  mkgroup       227 Feb  5 15:22 id_rsa.pub
-rw-r--r--    1 wekempf  mkgroup       234 Feb  5 15:23 known_hosts

>   o If you're using SSH2, ensure that PubkeyAuthentication is set to yes
>     in /etc/ssh/sshd_config and in /etc/ssh/ssh_config (default is yes,
>     unless changed).

On the client or the server?

>   o If you're using SSH1, ensure that RSAAuthentication is set to yes in
>     /etc/ssh/sshd_config and in /etc/ssh/ssh_config (default is yes,
>     unless changed).

On the client or the server?

>   o If you need to force ssh to try a specific version of the protocol,
>     you can do it by adding '-1' or '-2' as an option to the ssh command
>     line.  Otherwise, ssh will default to the order listed in
>     /etc/ssh_config (from the Protocol option).

Either flag requests a password, though -1 asked me if I wanted to add the
server to the known list, so I assume I've been using SSH2 this whole
time.

>   o Check /etc/ssh/ssh_config to ensure that, if set,
>     PreferredAuthentications lists 'publickey' before 'password' (this
>     is the default, unless changed).

Unlikely to have been changed.  But by this I'm assuming all the others
were for the server.  Let me check them.

OK, PubkeyAuthentication didn't exist in ssh_config at all, and was
commented out in sshd_config.  Setting it to yes in both and restarting
the sshd daemon didn't help, however.

Here are the original config files:

#       $OpenBSD: ssh_config,v 1.12 2002/01/16 17:55:33 stevesk Exp $

# This is the ssh client system-wide configuration file.  See ssh(1)
# for more information.  This file provides defaults for users, and
# the values can be changed in per-user configuration files or on the
# command line.

# Configuration data is parsed as follows:
#  1. command line options
#  2. user-specific file
#  3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for various options

# Host *
#   ForwardAgent no
#   ForwardX11 no
#   RhostsAuthentication yes
#   RhostsRSAAuthentication yes
#   RSAAuthentication yes
#   PasswordAuthentication yes
#   FallBackToRsh no
#   UseRsh no
#   BatchMode no
#   CheckHostIP yes
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/identity
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
#   Port 22
#   Protocol 2,1
#   Cipher 3des
#   Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
#   EscapeChar ~
Host *
        ForwardX11 yes

#       $OpenBSD: sshd_config,v 1.48 2002/02/19 02:50:59 deraadt Exp $

# This is the sshd server system-wide configuration file.  See sshd(8)
# for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

#Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 3600
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 600
#PermitRootLogin yes
#StrictModes yes

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile     .ssh/authorized_keys

# rhosts authentication should not be used
#RhostsAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
# KerberosAuthentication automatically enabled if keyfile exists
#KerberosAuthentication yes
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# AFSTokenPassing automatically enabled if k_hasafs() is true
#AFSTokenPassing yes

# Kerberos TGT Passing only works with the AFS kaserver
#KerberosTgtPassing no

# Set this to 'yes' to enable PAM keyboard-interactive authentication
# Warning: enabling this may bypass the setting of 'PasswordAuthentication'
#PAMAuthenticationViaKbdInt yes

#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#KeepAlive yes
#UseLogin no

#MaxStartups 10
# no default banner path
#Banner /some/path
#VerifyReverseMapping no

# override default of no subsystems
Subsystem       sftp    /usr/libexec/openssh/sftp-server

To the best of my knowledge, these files have never been modified from the
originals installed.

> See if any of that helps.  If not, we can try to dig deeper, or find
> something PAM related that might be affecting this.

Thanks,

-- 
William E. Kempf
wekempf at cox.net
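The permission check suggested above is applied to the client's private key; sshd applies a stricter check of its own on the server, and the sshd_config posted above leaves it at its default ("#StrictModes yes"). With StrictModes on, sshd will not use ~/.ssh/authorized_keys if that file, ~/.ssh, or the home directory itself is writable by group or others, or is owned by someone other than the user or root; it simply skips public key authentication and the client falls through to a password prompt, with nothing said on the client side. The script below is an added example, not part of the original post and not OpenSSH code: it repeats that ownership and mode walk for a given home directory, and separately checks that every line of authorized_keys is a single well-formed protocol 1 or protocol 2 entry, which is the "no line breaks" problem the first suggestion warns about. The directory names, the user, and the key material in the demo are constructed for illustration.

```shell
#!/bin/sh
# Server-side checks that sshd's StrictModes (default yes) performs before
# honouring ~/.ssh/authorized_keys. Added example; not the poster's setup.

# path_problems PATH USER
# Prints a short reason for each way PATH would fail sshd's check:
# writable by group or others, or owned by neither USER nor root.
path_problems() {
    p=$1; u=$2; bad=""
    # -prune keeps find from descending into directories; the octal -perm
    # tests match if the group (020) or other (002) write bit is set.
    if [ -n "$(find "$p" -prune \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]; then
        bad="$bad writable-by-group-or-other"
    fi
    if [ -n "$(find "$p" -prune ! -user "$u" ! -user root 2>/dev/null)" ]; then
        bad="$bad not-owned-by-$u-or-root"
    fi
    printf '%s' "$bad"
}

# check_authorized_keys HOME_DIR USER [KEYFILE]
# Walks from the key file up through every parent directory to HOME_DIR,
# the same set of paths sshd inspects. Returns 0 if sshd would accept the
# file, 1 otherwise, naming each offending path on stderr.
check_authorized_keys() {
    home=$1; user=$2; keys=${3:-"$home/.ssh/authorized_keys"}
    status=0
    [ -f "$keys" ] || { echo "missing: $keys" >&2; return 1; }
    p=$keys
    while :; do
        problems=$(path_problems "$p" "$user")
        if [ -n "$problems" ]; then
            echo "sshd StrictModes would reject: $p ($problems)" >&2
            status=1
        fi
        [ "$p" = "$home" ] && break
        p=$(dirname "$p")
        case $p in "$home"*) ;; *) break ;; esac   # key file not under HOME_DIR
    done
    return $status
}

# authorized_keys_lines_ok FILE
# Each non-blank, non-comment line must be a protocol 2 entry
# ("ssh-rsa|ssh-dss <base64> [comment]") or a protocol 1 entry
# ("<bits> <exponent> <modulus> [comment]"). A key that was hard-wrapped
# while being pasted leaves a fragment line that matches neither, and
# sshd ignores both halves. Returns 1 and prints the bad lines if any.
authorized_keys_lines_ok() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        $1 ~ /^ssh-(rsa|dss)$/ && $2 ~ /^AAAA[A-Za-z0-9+\/=]+$/ { next }
        $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ { next }
        { printf "bad authorized_keys line %d: %s\n", NR, $0; bad = 1 }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# Demonstration on two constructed home directories (a fake key string,
# not a real one): "good" is laid out correctly; "bad" has a group-writable
# home directory, which is enough for sshd to ignore the key.
demo() {
    me=$(id -un); tmp=$(mktemp -d)
    for c in good bad; do
        h="$tmp/$c"; mkdir -p "$h/.ssh"
        printf 'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAdemo wekempf@client\n' \
            > "$h/.ssh/authorized_keys"
        chmod 700 "$h" "$h/.ssh"; chmod 600 "$h/.ssh/authorized_keys"
    done
    chmod 770 "$tmp/bad"
    for c in good bad; do
        if check_authorized_keys "$tmp/$c" "$me"; then echo "$c: sshd would use the key"
        else echo "$c: sshd would fall back to password"; fi
    done
    rm -rf "$tmp"
}
demo
```

On the real server, run it as the user whose login fails: check_authorized_keys "$HOME" "$(id -un)". If it reports nothing, the next place to look is the client side with ssh -v, which prints the authentication methods the server offered and whether the client actually tried the key, and sshd's own log at the AUTHPRIV facility that the posted sshd_config selects.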
