Bug 1224136 - PAM pushing garbage onto stack with ssh AuthenticationMethods keyboard-interactive:pam
Status: RESOLVED INVALID
Alias: None
Product: openSUSE Tumbleweed
Classification: openSUSE
Component: Other
Version: Current
Hardware: Other Other
Priority: P5 - None
Severity: Normal
Target Milestone: ---
Assignee: E-mail List
QA Contact: E-mail List
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-05-10 20:07 UTC by David Mulder
Modified: 2024-05-10 20:34 UTC

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description David Mulder 2024-05-10 20:07:44 UTC
I've configured ssh with:
"""
AuthenticationMethods keyboard-interactive:pam
KbdInteractiveAuthentication yes
UsePAM yes
"""

To permit ssh authentication for my module pam_himmelblau.so, which requires multiple interactions (for MFA).

Depending on the length of the password I supply to the ssh password prompt, my pam module gets a repeating pattern of garbage in the authtok supplied by the pam stack.
The garbage authtok looks like this:
"\u{8}\n\r\u{7f}INCORRECT\u{8}\n\r\u{7f}INCORRECT\u{8}\n\r\u{7f}INCORRECT" (repeating)

I tried isolating the problem by creating an sshd specific pam configuration, which only contained my pam module. The problem was the same.

I see the same behavior in both Tumbleweed and 15.5.

I'm not sure if the problem is in pam, ssh, or my own pam module. I found one reference to a similar problem, which suggests it might be an issue in pam_unix, here: https://freeradius-users.freeradius.narkive.com/Tl0u6lab/authentication-request-failed-for-ssh-using-freeradius-server#post7
Comment 1 David Mulder 2024-05-10 20:09:34 UTC
I should also point out, there are instances where my pam module only expects a single response (a PIN code after a series of enrollment steps). When my module only requests a single prompt, ssh works fine with this configuration. It only puts garbage onto the pam stack when I'm requesting multiple prompts and displaying messages, etc.
Comment 2 David Mulder 2024-05-10 20:20:57 UTC
It looks like it's coming from openssh ./auth-pam.c:964 (fake_password).
Comment 3 David Mulder 2024-05-10 20:25:07 UTC
I believe fake_password is being called by sshpam_auth_passwd, suggesting it thinks that the user is invalid.
Comment 4 David Mulder 2024-05-10 20:28:44 UTC
May 10 14:27:15 localhost.localdomain sshd[11526]: Invalid user tux@10fp7z.onmicrosoft.com from 192.168.122.1 port 57048
May 10 14:27:15 localhost.localdomain sshd[11526]: Postponed keyboard-interactive for invalid user tux@10fp7z.onmicrosoft.com from 192.168.122.1 port 57048 ssh2 [preauth]
May 10 14:27:18 localhost.localdomain sshd[11528]: pam_unix(sshd:auth): check pass; user unknown
May 10 14:27:22 localhost.localdomain sshd[11526]: error: PAM: Authentication failure for illegal user tux@10fp7z.onmicrosoft.com from 192.168.122.1
May 10 14:27:22 localhost.localdomain sshd[11526]: Failed keyboard-interactive/pam for invalid user tux@10fp7z.onmicrosoft.com from 192.168.122.1 port 57048 ssh2
May 10 14:27:22 localhost.localdomain sshd[11526]: Postponed keyboard-interactive for invalid user tux@10fp7z.onmicrosoft.com from 192.168.122.1 port 57048 ssh2 [preauth]

How does ssh decide if a user is valid?
Comment 5 David Mulder 2024-05-10 20:33:42 UTC
Oh, I see it now. In openssh ./auth.c getpwnamallow(), if nss doesn't respond with a proper getpwnam for the user, it's considered an invalid user and bails out.

This is a chicken-and-egg problem for the Himmelblau project. I can't fetch valid information about a user until after the user has authenticated, but ssh won't allow the authentication unless the nss information is valid.
Comment 6 David Mulder 2024-05-10 20:34:07 UTC
Closing.
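The repeating "\b\n\r\x7fINCORRECT" authtok described in comments 2 to 5 is what sshd hands to PAM once getpwnamallow() has already decided the user is invalid. The following is an added example, not code from the bug report, OpenSSH or Himmelblau: it models that substitute token from the pattern observed in the report (an assumption about its construction, not a copy of auth-pam.c) and gives a PAM module a check to recognise it, so a module can log "user unknown to NSS" instead of trying to verify junk as a password.

```c
/* Added example, not from the bug report, OpenSSH or Himmelblau: models the
 * repeating junk authtok the report observed and lets a PAM module recognise
 * it instead of treating it as a password. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* The pattern seen in the report's authtok: \b \n \r \x7f "INCORRECT". */
static const char SSHD_JUNK[] = "\b\n\r\177INCORRECT";
#define SSHD_JUNK_LEN (sizeof(SSHD_JUNK) - 1)   /* 13 bytes */

/* Build the substitute password as comments 2-4 describe it: the junk pattern
 * repeated to the length of the password the client typed (assumption:
 * modelled on the observed output, not copied from auth-pam.c). */
char *make_substitute_authtok(size_t wire_len)
{
    char *out = malloc(wire_len + 1);
    if (out == NULL)
        return NULL;
    for (size_t i = 0; i < wire_len; i++)
        out[i] = SSHD_JUNK[i % SSHD_JUNK_LEN];
    out[wire_len] = '\0';
    return out;
}

/* Module-side check: true when every byte of the authtok follows the repeating
 * pattern from offset 0, i.e. sshd never resolved the user via NSS and handed
 * us junk. An empty token is not treated as junk. */
bool authtok_is_sshd_substitute(const char *tok)
{
    if (tok == NULL || tok[0] == '\0')
        return false;
    for (size_t i = 0; tok[i] != '\0'; i++)
        if (tok[i] != SSHD_JUNK[i % SSHD_JUNK_LEN])
            return false;
    return true;
}

int main(void)
{
    /* Constructed sample: a 30-character password becomes 30 bytes of junk. */
    char *junk = make_substitute_authtok(30);
    printf("30-byte substitute flagged: %s\n",
           authtok_is_sshd_substitute(junk) ? "yes" : "no");
    printf("real password flagged: %s\n",
           authtok_is_sshd_substitute("correct horse") ? "yes" : "no");
    free(junk);
    return 0;
}
```

A module that detects this can fail with PAM_USER_UNKNOWN and log the cause, which points the administrator at the NSS lookup rather than at the password prompt.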