Bugzilla – Full Text Bug Listing
| Summary: | PAM pushing garbage onto stack with ssh AuthenticationMethods keyboard-interactive:pam | | |
|---|---|---|---|
| Product: | [openSUSE] openSUSE Tumbleweed | Reporter: | David Mulder <david.mulder> |
| Component: | Other | Assignee: | E-mail List <screening-team-bugs> |
| Status: | RESOLVED INVALID | QA Contact: | E-mail List <qa-bugs> |
| Severity: | Normal | | |
| Priority: | P5 - None | | |
| Version: | Current | | |
| Target Milestone: | --- | | |
| Hardware: | Other | | |
| OS: | Other | | |
| Whiteboard: | | | |
| Found By: | --- | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
I've configured ssh with:

"""
AuthenticationMethods keyboard-interactive:pam
KbdInteractiveAuthentication yes
UsePAM yes
"""

to permit ssh authentication for my module pam_himmelblau.so, which requires multiple interactions (for MFA). Depending on the length of the password I supply to the ssh password prompt, my pam module gets a repeating pattern of garbage in the authtok supplied by the pam stack. The garbage authtok looks like this:

"\u{8}\n\r\u{7f}INCORRECT\u{8}\n\r\u{7f}INCORRECT\u{8}\n\r\u{7f}INCORRECT" (repeating)

I tried isolating the problem by creating an sshd-specific pam configuration, which only contained my pam module. The problem was the same. I see the same behavior in both Tumbleweed and 15.5. I'm not sure if the problem is in pam, ssh, or my own pam module. I found one reference to a similar problem here: https://freeradius-users.freeradius.narkive.com/Tl0u6lab/authentication-request-failed-for-ssh-using-freeradius-server#post7, which suggests it might be an issue in pam_unix.

I should also point out, there are instances where my pam module only expects a single response (a PIN code after a series of enrollment steps). When my module only requests a single prompt, ssh works fine with this configuration. It only puts garbage onto the pam stack when I'm requesting multiple prompts and displaying messages, etc.

It looks like it's coming from openssh ./auth-pam.c:964 (fake_password). I believe fake_password is being called by sshpam_auth_passwd, suggesting it thinks that the user is invalid.

May 10 14:27:15 localhost.localdomain sshd[11526]: Invalid user tux@10fp7z.onmicrosoft.com from 192.168.122.1 port 57048
May 10 14:27:15 localhost.localdomain sshd[11526]: Postponed keyboard-interactive for invalid user tux@10fp7z.onmicrosoft.com from 192.168.122.1 port 57048 ssh2 [preauth]
May 10 14:27:18 localhost.localdomain sshd[11528]: pam_unix(sshd:auth): check pass; user unknown
May 10 14:27:22 localhost.localdomain sshd[11526]: error: PAM: Authentication failure for illegal user tux@10fp7z.onmicrosoft.com from 192.168.122.1
May 10 14:27:22 localhost.localdomain sshd[11526]: Failed keyboard-interactive/pam for invalid user tux@10fp7z.onmicrosoft.com from 192.168.122.1 port 57048 ssh2
May 10 14:27:22 localhost.localdomain sshd[11526]: Postponed keyboard-interactive for invalid user tux@10fp7z.onmicrosoft.com from 192.168.122.1 port 57048 ssh2 [preauth]

How does ssh decide if a user is valid?

Oh, I see it now. In openssh ./auth.c getpwnamallow(), if nss doesn't respond with a proper getpwnam for the user, it's considered an invalid user and bails out. This is a chicken-and-egg problem for the Himmelblau project. I can't fetch valid information about a user until after the user has authenticated, but ssh won't allow the authentication unless the nss information is valid.

Closing.
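As an added example, not code from this report, from Himmelblau or from OpenSSH itself, the C below reconstructs the behaviour the reporter traced to fake_password() in auth-pam.c: when getpwnamallow() cannot resolve the login name through NSS, sshd does not hand PAM the typed password but a same-length string built by repeating a fixed junk pattern, which is exactly the "\b\n\r\x7fINCORRECT" repetition seen in the authtok. The junk string and its cycling are taken from my reading of the OpenSSH source and are an assumption to verify against the version you run. The practical use for a PAM module author is the two checks shown: recognise the pattern so the module logs "sshd treated this user as invalid; NSS lookup failed" instead of trying to verify a bogus credential, and confirm NSS resolution (the same getpwnam call sshd relies on) before suspecting the PAM stack.

```c
/* Added example: reconstruction of sshd's fake-password substitution and
 * two diagnostic checks a PAM module can run. Not OpenSSH's or Himmelblau's
 * code; the junk pattern below is an assumption based on auth-pam.c. */
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Pattern sshd is understood to cycle through for an unresolvable user. */
static const char sshd_junk[] = "\b\n\r\177INCORRECT";

/* Build what sshd would pass to PAM: same length as the password typed on
 * the wire, filled with the junk pattern repeated. Caller frees. */
char *build_fake_password(size_t wire_len)
{
    size_t n = sizeof(sshd_junk) - 1;
    char *ret = malloc(wire_len + 1);
    if (ret == NULL)
        return NULL;
    for (size_t i = 0; i < wire_len; i++)
        ret[i] = sshd_junk[i % n];
    ret[wire_len] = '\0';
    return ret;
}

/* Return 1 if authtok is a (possibly truncated) repetition of the junk
 * pattern from offset 0, i.e. the token an invalid user produces.
 * An empty token is not treated as a match. */
int is_sshd_fake_password(const char *authtok)
{
    size_t n = sizeof(sshd_junk) - 1;
    if (authtok == NULL || authtok[0] == '\0')
        return 0;
    for (size_t i = 0; authtok[i] != '\0'; i++)
        if (authtok[i] != sshd_junk[i % n])
            return 0;
    return 1;
}

/* The check sshd's getpwnamallow() effectively makes before PAM runs:
 * returns 1 if NSS can resolve the name, 0 otherwise. */
int nss_resolves(const char *user)
{
    return getpwnam(user) != NULL;
}

/* Round-trip helper: a generated fake token of length len must have that
 * length and must be recognised by the detector. Returns 1 on success. */
int fake_password_roundtrip(size_t len)
{
    char *fake = build_fake_password(len);
    int ok = fake != NULL && strlen(fake) == len && is_sshd_fake_password(fake);
    free(fake);
    return ok;
}

/* Print a token with control characters escaped, for log output. */
static void print_escaped(const char *s)
{
    for (; *s != '\0'; s++) {
        if (*s < 0x20 || *s == 0x7f)
            printf("\\x%02x", (unsigned char)*s);
        else
            putchar(*s);
    }
    putchar('\n');
}

int main(void)
{
    /* Constructed sample: a 30-character password typed at the prompt. */
    char *fake = build_fake_password(30);
    printf("token sshd would hand PAM for an unresolvable user: ");
    print_escaped(fake);
    printf("detected as sshd fake password: %d\n", is_sshd_fake_password(fake));
    printf("real-looking credential detected as fake: %d\n",
           is_sshd_fake_password("correct horse battery staple"));
    /* Constructed user name; expected not to resolve on any normal host. */
    printf("NSS resolves 'no-such-user-xyzzy-42': %d\n",
           nss_resolves("no-such-user-xyzzy-42"));
    free(fake);
    return 0;
}
```

If the detector fires inside a module, the fix is on the NSS side (the name must resolve via getpwnam before sshd will run PAM for it), not in the module's prompt handling.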