topic sshd_config "UsePAM yes" problem in Operating System - HP-UX

sshd_config "UsePAM yes" problem

support_5 — Wed, 13 Oct 2004 01:33:44 GMT

Hi all,

I have an 11i box with HP-UX secure shell 3.81 installed and am having trouble getting some authentication working.

when I am logged in on box A (as my own userid), and run "ssh root@boxb", I get prompted for the password, I enter it but get this output and cannot log in:
Password:
Last successful login for root: Wed Oct 13 11:33:52 EST-10EDT 2004 on pts/0
Last unsuccessful login for root: Wed Oct 13 11:40:36 EST-10EDT 2004

Last login: Wed Oct 13 16:25:40 2004 from boxa.workcover
Connection to boxb closed.

Furthermore, if I am logged in as root and run "ssh root@boxb", I get in fine, however I have set up keys so I don't need to type in a password to log in when ssh'ing from root.

One other thing, the syslog file on the ssh server shows this:
Oct 13 16:26:01 dunk sshd[2720]: Accepted keyboard-interactive/pam for root from 172.xx.x.x port 54
477 ssh2

so it's accepting the password, but why does it kick me out?

Now, one other thing to note is that if I change the "UsePAM yes" option in the sshd_config file to "UsePAM no" (and restart sshd), this whole problem goes away. But why would making this "yes" make logins fail? On all my other boxes, I have UsePAM yes set and I have no problems logging in on them! (although they use secsh 3.71, not 3.81 as this new box does).

Can anyone shed some light on this issue and let me know what's going wrong?

Much appreciated.

-Andy

Re: sshd_config "UsePAM yes" problem

Michael Selvesteen_2 — Wed, 13 Oct 2004 02:31:52 GMT

Hi,

From your problem statement it seems, when you login with your id and run "ssh root@boxb" you are prompted for Pam Password prompt. When you provide correct password the Pam authentication succeeds but the problem starts when SSH tries to allocate tty.

To analyse this issue deep, run the server and client in debug mode.

www.snailbook.com/faq/general-debugging.auto.html

Post the both the logs.

Re: sshd_config "UsePAM yes" problem

support_5 — Wed, 13 Oct 2004 19:40:21 GMT

Hi,

Yes, it's strange that immediately after PAM authenticates, that it fails. But it's interesting that if we bypass PAM by using ssh keys for authentication, then it works fine.

Anyway, I've attached the logs. (both logs for the client and server are in the one file.)

- Andrew

Re: sshd_config "UsePAM yes" problem

Tyler Easterling_1 — Wed, 13 Oct 2004 19:55:37 GMT

Hi Andy,

Are your PAM configs different on hosta? I'd also look at /etc/default/security to ensure root login is allowed. Is your sshd set-up to use login?

Tyler

Re: sshd_config "UsePAM yes" problem

support_5 — Wed, 13 Oct 2004 20:33:27 GMT

Hi,

Thanks for the suggestions so far. I compared the /etc/pam.conf files and they are identical. I compared the /opt/ssh/etc/sshd_config files to see if there were any differences, and they were identical except for one line which the other server which has ssh working properly has which is: "GSSAPIAuthentication no" in its sshd_config file. I don't think that's enough to cause our problems though.

I don't know what you are specifically meaning when you say "is ssh setup to use login"? Can you elaborate please?

Any other suggestions?

Thanks heaps!

- Andy Gray

Re: sshd_config "UsePAM yes" problem

support_5 — Wed, 13 Oct 2004 20:37:37 GMT

Oh yeah, I checked the /etc/default/security file but it didn't exist on either of these servers.

Thanks again.

- Andy

Re: sshd_config "UsePAM yes" problem

Andrew Cowan — Thu, 14 Oct 2004 01:46:04 GMT

Andy,

Has your password expired, account-locked, or you have remote logins denied? SSH will refuse to log you in if any of this conditions are true.

Re: sshd_config "UsePAM yes" problem

Andrew Cowan — Thu, 14 Oct 2004 01:48:30 GMT

Another thought, do you have anything strange in your ".profile" or "/etc/profile". I had a problem recently with "who" in my "profile" and it was failing because there was no tty defined when running "su -c"

Re: sshd_config "UsePAM yes" problem

support_5 — Thu, 14 Oct 2004 01:54:55 GMT

I don't think that is the problem. As I mentioned above, if I change the "usePAM yes" option to "usePAM no", then logins work fine. Also, logins work fine when I have ssh keys shared (so that I don't have to enter a password). That is why I wondered why changing usePAM to no would suddenly enable me to login, whereas otherwise it wouldn't allow me to login (with the usePAM yes option).

So it's very strange. It would appear that PAM is failing somewhere, but as I mentioned above, in the syslog, it says that PAM has authenticated the user, and this can be further seen by the fact that I get information about last successful and unsuccessful logins for root when I try logging in. Obviously, it only gives me that if I have already somehow successfully logged in. Someone pointed out that it was perhaps dying whilst trying to allocate a tty or something. This seems likely, but I don't know why turning PAM authentication off would suddenly make logging in work!

Know what I mean?

Anyone have other ideas? Thanks heaps!

- Andy

Re: sshd_config "UsePAM yes" problem

support_5 — Thu, 14 Oct 2004 01:59:38 GMT

Oh, also, the account isn't locked (because I can log in when root from other servers because I have shared ssh keys, so it's passwordless logins). There is nothing bogus in the .profile, and I removed it and tested it just in case, same problem. Also, an "su -" from a normal user on the box works fine.

Thanks again

- Andy

Re: sshd_config "UsePAM yes" problem

Andrew Cowan — Thu, 14 Oct 2004 02:12:00 GMT

I have had a problem on AIX with logging-in via SSH when PAM is in use. That was caused by a syntax error in the "pam.conf"? file. From memory one of the "required" modules was missing.

Have you checked that both versions of SSH were compiled with "usePAM=yes", and that there are no patches kicking around?

Re: sshd_config "UsePAM yes" problem

support_5 — Thu, 14 Oct 2004 17:45:16 GMT

Well, I don't really know what specific patch fixed it, but after applying the June 2004 HP-UX 11.i patch bundle, logins seem to be working fine now.

Hate to admit that it was a patching issue. grrrr.

Anyway, thank you for your input.

- Andy Gray