[olug] PAM
Matthew G. Marsh
mgm at midwestlinux.com
Thu Feb 6 15:48:07 UTC 2003
On Wed, 5 Feb 2003, William E. Kempf wrote:
>
> > At Wed, 05 Feb 03, Unidentified Flying Banana William E. Kempf, said:
> >> I've got a RedHat 7.1 box on which I think the PAM config files have
> >> been messed up. I suspect this because when I ssh to this box when I
> >> have the clients public key in the servers .ssh/authorized_keys file,
> >> it still asks me for a password. I know the PAM config files have
> >> been modified, but don't know what modifications were done. Is there
> >> any way to return to the originally installed PAM files, or any other
> >> way to go about fixing my problem?
> >
> > I won't claim that this can't be PAM related, but it seems to be that
> > it's more likely a Secure Shell issue.
> >
> > I would suggest doing the following:
> >
> > o Ensure that the ~/.ssh/authorized_keys file on the server is
> > "valid". Check it against the ssh public key, and make sure there
> > are no line breaks or anything like that in it.
>
> I've tried to verify this, and here's a capsule of what I've done.
>
> [wekempf ~]$ rm -rf .ssh/*
> [wekempf ~]$ ssh-keygen -t rsa
> Generating public/private rsa key pair.
> Enter file in which to save the key (/home/wekempf/.ssh/id_rsa):
> Enter passphrase (empty for no passphrase):
> Enter same passphrase again:
> Your identification has been saved in /home/wekempf/.ssh/id_rsa.
> Your public key has been saved in /home/wekempf/.ssh/id_rsa.pub.
> The key fingerprint is:
> 2f:97:d7:87:a3:72:35:cf:9c:36:f4:60:79:ec:6d:47 wekempf at client
> [wekempf ~]$ scp .ssh/id_rsa.pub server:mykey
Try: scp .ssh/id_rsa.pub server:~/.ssh/authorized_keys
Any authorized keys must be in a "known" location. The default location
is:
~/.ssh/authorized_keys
man ssh for details.
> The authenticity of host 'server (???.???.???.???)' can't be established.
> RSA key fingerprint is 84:6d:4f:12:8c:0c:9b:97:4f:f0:89:0d:36:b7:6d:e8.
> Are you sure you want to continue connecting (yes/no)? yes
> Warning: Permanently added 'server,???.???.???.???' (RSA) to the list of known hosts.
> wekempf at server's password:
> id_rsa.pub 100% |*****************************| 227 00:00
> [wekempf ~]$ ssh csdsvr10
> wekempf at server's password:
> Last login: Wed Feb 5 14:48:39 2003 from client
> [wekempf wekempf]$ rm -rf .ssh/*
> [wekempf wekempf]$ cp mykey .ssh/authorized_keys
> [wekempf wekempf]$ exit
> Connection to server closed.
> [wekempf ~]$ ssh csdsvr10
> wekempf at server's password:
>
> > o Ensure that you are using a matching SSH1 or SSH2 key pair for the
> > right ssh protocol version. An SSH1 key won't work with the SSH2
> > protocol.
>
> OK, I'll claim ignorance here. How do you determine which protocol is
> being used? What I've got above is all I've ever needed to do to use SSH
> on many computers connecting to many servers. This is the first time the
> procedure has ever failed me.
>
> > o Ensure that the ~/.ssh/identity, ~/.ssh/id_dsa, or ~/.ssh/id_rsa
> > file is valid, and matches the authorized_keys entry on the server.
>
> The above should have done this, no?
>
> > o Ensure that the ~/.ssh/identity, ~/.ssh/id_dsa, or ~/.ssh/id_rsa
> > file is not readable, writable, or executable by anyone other than
> > the user that owns it. ssh will ignore it, if it is.
>
> [wekempf ~]$ ls -al .ssh
> total 3
> drwx------+ 2 wekempf mkgroup 0 Feb 5 15:23 ./
> drwxrwx---+ 38 wekempf Administ 0 Feb 5 15:18 ../
> -rw------- 1 wekempf mkgroup 883 Feb 5 15:22 id_rsa
> -rw-r--r-- 1 wekempf mkgroup 227 Feb 5 15:22 id_rsa.pub
> -rw-r--r-- 1 wekempf mkgroup 234 Feb 5 15:23 known_hosts
>
> > o If you're using SSH2, ensure that PubkeyAuthentication is set to yes
> > in /etc/ssh/sshd_config and in /etc/ssh/ssh_config (default is yes,
> > unless changed).
>
> On the client or the server?
>
> > o If you're using SSH1, ensure that RSAAuthentication is set to yes in
> > /etc/ssh/sshd_config and in /etc/ssh/ssh_config (default is yes,
> > unless changed).
>
> On the client or the server?
>
> > o If you need to force ssh to try a specific version of the protocol,
> > you can do it by adding '-1' or '-2' as an option to the ssh command
> > line. Otherwise, ssh will default to the order listed in
> > /etc/ssh_config (from the Protocol option).
>
> Either flag requests a password, though -1 asked me if I wanted to add the
> server to the known list, so I assume I've been using SSH2 this whole
> time.
>
> > o Check /etc/ssh/ssh_config to ensure that, if set,
> > PreferredAuthentications lists 'publickey' before 'password' (this
> > is the default, unless changed).
>
> Unlikely to have been changed. But by this I'm assuming all the others
> were for the server. Let me check them.
>
> OK, PubkeyAuthentication didn't exist in ssh_config at all, and was
> commented out in sshd_config. Setting it to yes in both and restarting
> the sshd daemon didn't help, however.
>
> Here's the original config files:
>
> # $OpenBSD: ssh_config,v 1.12 2002/01/16 17:55:33 stevesk Exp $
>
> # This is the ssh client system-wide configuration file. See ssh(1)
> # for more information. This file provides defaults for users, and
> # the values can be changed in per-user configuration files or on the
> # command line.
>
> # Configuration data is parsed as follows:
> # 1. command line options
> # 2. user-specific file
> # 3. system-wide file
> # Any configuration value is only changed the first time it is set.
> # Thus, host-specific definitions should be at the beginning of the
> # configuration file, and defaults at the end.
>
> # Site-wide defaults for various options
>
> # Host *
> # ForwardAgent no
> # ForwardX11 no
> # RhostsAuthentication yes
> # RhostsRSAAuthentication yes
> # RSAAuthentication yes
> # PasswordAuthentication yes
> # FallBackToRsh no
> # UseRsh no
> # BatchMode no
> # CheckHostIP yes
> # StrictHostKeyChecking ask
> # IdentityFile ~/.ssh/identity
> # IdentityFile ~/.ssh/id_rsa
> # IdentityFile ~/.ssh/id_dsa
> # Port 22
> # Protocol 2,1
> # Cipher 3des
> # Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
> # EscapeChar ~
> Host *
> ForwardX11 yes
>
> # $OpenBSD: sshd_config,v 1.48 2002/02/19 02:50:59 deraadt Exp $
>
> # This is the sshd server system-wide configuration file. See sshd(8)
> # for more information.
>
> # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
>
> # The strategy used for options in the default sshd_config shipped with
> # OpenSSH is to specify options with their default value where
> # possible, but leave them commented. Uncommented options change a
> # default value.
>
> #Port 22
> #Protocol 2,1
> #ListenAddress 0.0.0.0
> #ListenAddress ::
>
> # HostKey for protocol version 1
> #HostKey /etc/ssh/ssh_host_key
> # HostKeys for protocol version 2
> #HostKey /etc/ssh/ssh_host_rsa_key
> #HostKey /etc/ssh/ssh_host_dsa_key
>
> # Lifetime and size of ephemeral version 1 server key
> #KeyRegenerationInterval 3600
> #ServerKeyBits 768
>
> # Logging
> #obsoletes QuietMode and FascistLogging
> #SyslogFacility AUTH
> SyslogFacility AUTHPRIV
> #LogLevel INFO
>
> # Authentication:
>
> #LoginGraceTime 600
> #PermitRootLogin yes
> #StrictModes yes
>
> #RSAAuthentication yes
> #PubkeyAuthentication yes
> #AuthorizedKeysFile .ssh/authorized_keys
>
> # rhosts authentication should not be used
> #RhostsAuthentication no
> # Don't read the user's ~/.rhosts and ~/.shosts files
> #IgnoreRhosts yes
> # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
> #RhostsRSAAuthentication no
> # similar for protocol version 2
> #HostbasedAuthentication no
> # Change to yes if you don't trust ~/.ssh/known_hosts for
> # RhostsRSAAuthentication and HostbasedAuthentication
> #IgnoreUserKnownHosts no
>
> # To disable tunneled clear text passwords, change to no here!
> #PasswordAuthentication yes
> #PermitEmptyPasswords no
>
> # Change to no to disable s/key passwords
> #ChallengeResponseAuthentication yes
>
> # Kerberos options
> # KerberosAuthentication automatically enabled if keyfile exists
> #KerberosAuthentication yes
> #KerberosOrLocalPasswd yes
> #KerberosTicketCleanup yes
>
> # AFSTokenPassing automatically enabled if k_hasafs() is true
> #AFSTokenPassing yes
>
> # Kerberos TGT Passing only works with the AFS kaserver
> #KerberosTgtPassing no
>
> # Set this to 'yes' to enable PAM keyboard-interactive authentication
> # Warning: enabling this may bypass the setting of 'PasswordAuthentication'
> #PAMAuthenticationViaKbdInt yes
>
> #X11Forwarding no
> X11Forwarding yes
> #X11DisplayOffset 10
> #X11UseLocalhost yes
> #PrintMotd yes
> #PrintLastLog yes
> #KeepAlive yes
> #UseLogin no
>
> #MaxStartups 10
> # no default banner path
> #Banner /some/path
> #VerifyReverseMapping no
>
> # override default of no subsystems
> Subsystem sftp /usr/libexec/openssh/sftp-server
>
> To the best of my knowledge, these files have never been modified from the
> originals installed.
>
> > See if any of that helps. If not, we can try to dig deeper, or find
> > something PAM related that might be affecting this.
>
> Thanks,
>
> --
> William E. Kempf
> wekempf at cox.net
>
>
--------------------------------------------------
Matthew G. Marsh, President
Paktronix Systems LLC
1506 North 59th Street
Omaha NE 68104
Phone: (402) 932-7250
Email: mgm at midwestlinux.com
WWW: http://www.midwestlinux.com
--------------------------------------------------
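A server-side checklist for the public-key failure discussed in the thread, written as an added example (not code from either poster). It assumes a POSIX shell with GNU or BSD `ls -ld` output and runs against a constructed home directory; the items it checks are the ones the replies raise: key file in the default location, entries intact on one line, and permissions that sshd's StrictModes accepts.

```shell
#!/bin/sh
# Added example, not code from the thread: a server-side checklist for the
# public-key login failure discussed above. It checks the points the reply
# raises: the key file is at the default AuthorizedKeysFile location, every
# entry is intact on one line, and home, ~/.ssh and authorized_keys are not
# group/world-writable (sshd's StrictModes, default yes, ignores the key file
# otherwise). All paths are constructed so it runs offline.

# group_or_other_writable PATH -> true if group or other has the write bit
group_or_other_writable() {
    case "$(ls -ld "$1" | cut -c1-10)" in
        ?????w*|????????w?) return 0 ;;
    esac
    return 1
}

# check_ssh_home HOMEDIR -> prints findings, returns the number of problems
check_ssh_home() {
    home=$1; keys=$home/.ssh/authorized_keys; problems=0
    for p in "$home" "$home/.ssh" "$keys"; do
        if [ -e "$p" ] && group_or_other_writable "$p"; then
            echo "PERMS: $p is group/world-writable; StrictModes rejects it"
            problems=$((problems + 1))
        fi
    done
    if [ ! -f "$keys" ]; then
        echo "MISSING: $keys (a key copied to e.g. ~/mykey is never consulted)"
        return $((problems + 1))
    fi
    lineno=0
    # A key wrapped onto two lines leaves a line that is neither blank, a
    # comment, nor "[options] keytype base64 [comment]"; flag it.
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case "$line" in
            ''|'#'*) ;;
            *"ssh-rsa "*|*"ssh-dss "*|*"ssh-ed25519 "*|*ecdsa-sha2-*" "*) ;;
            *) echo "BAD ENTRY line $lineno: $line"; problems=$((problems + 1)) ;;
        esac
    done < "$keys"
    return $problems
}

# Demo: a constructed home reproducing the thread's mistake (key in ~/mykey).
demo=$(mktemp -d)
mkdir -m 700 "$demo/.ssh"
echo 'ssh-rsa AAAAB3NzaC1yc2EAAAACONSTRUCTED= wekempf@client' > "$demo/mykey"
check_ssh_home "$demo"; echo "problems found: $?"
rm -rf "$demo"
```

Run it as the account that cannot log in; a non-zero count names the item to fix, and `ssh -v` from the client then confirms whether the server offers publickey before falling back to password.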