[ale] sshd and PAM

Joe Bayes jbayes at spoo.mminternet.com
Wed Nov 19 14:57:08 EST 2003


Hi folks,

I have a couple questions. 

First, can anybody point me to some documentation on the pam_stack.so
module? I've figured out that it was added to PAM by RedHat, but I
can't seem to find out anything else about it. 

Second, can anybody give me a clue as to why I can't ssh in to my box
as non-root? Furthermore, why is it that commenting out the line:

session    required     pam_stack.so service=system-auth

in my /etc/pam.d/sshd fixes the problem? I understand that the
"session" keyword has something to do with things to be done prior to
a service being given, but I don't know what pam_stack.so is doing, or
why it's doing it. 

This is on a Fedora Core 1 system that has been repeatedly upgraded
since RH6 or so (which is probably part of my problem).

Thanks,

Joe


/etc/pam.d/sshd:

#%PAM-1.0
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
#session    required     pam_limits.so
session    optional     pam_console.so


spoo:~$ ssh -v spoo.mminternet.com
OpenSSH_3.6.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090701f
debug1: Reading configuration data /home/jbayes/.ssh/config
debug1: /home/jbayes/.ssh/config line 17: Deprecated option "FallBackToRsh"
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: Connecting to spoo.mminternet.com [216.86.195.37] port 22.
debug1: Connection established.
debug1: identity file /home/jbayes/.ssh/identity type 0
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.6.1p2
debug1: match: OpenSSH_3.6.1p2 pat OpenSSH*
debug1: Local version string SSH-1.5-OpenSSH_3.6.1p2
debug1: Waiting for server public key.
debug1: Received server public key (768 bits) and host key (1024 bits).
debug1: Host 'spoo.mminternet.com' is known and matches the RSA1 host key.
debug1: Found key in /home/jbayes/.ssh/known_hosts:2
debug1: Encryption type: 3des
debug1: Sent encrypted session key.
debug1: Installing crc compensation attack detector.
debug1: Received encrypted confirmation.
debug1: Trying RSA authentication with key '/home/jbayes/.ssh/identity'
debug1: Received RSA challenge from server.
debug1: Sending response to host key RSA challenge.
debug1: Remote: RSA authentication accepted.
debug1: RSA authentication accepted by server.
debug1: Requesting pty.
debug1: Requesting X11 forwarding with authentication spoofing.
debug1: Requesting shell.
debug1: Entering interactive session.
Connection to spoo.mminternet.com closed by remote host.
Connection to spoo.mminternet.com closed.
debug1: Transferred: stdin 0, stdout 0, stderr 101 bytes in 0.0 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 7121.2
debug1: Exit status -1
spoo:~$ 


/var/log/messages:
Nov 18 16:09:59 spoo sshd(pam_unix)[17100]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=spoo.mminternet.com  user=jbayes
Nov 18 16:10:02 spoo sshd(pam_unix)[17105]: session opened for user jbayes by (uid=500)

/var/log/secure: 
Nov 18 16:10:02 spoo sshd[17100]: Accepted rsa for jbayes from 216.86.195.37 port 52588
Nov 18 16:10:02 spoo sshd[17105]: fatal: PAM session setup failed[6]: Permission denied

--
Joe Bayes -- jbayes at spoo.mminternet.com
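
Added example, not part of the original post: pam_stack.so runs the stack of the same type from the service named in service=, so the session line in the sshd file above pulls in every session line of /etc/pam.d/system-auth. This Python sketch flattens that indirection so each module in the effective session stack is visible; the system-auth contents and the function names parse and expand are assumptions made for illustration.

```python
import os

# Constructed sample files. "sshd" mirrors the file in the post; the
# "system-auth" contents are an assumption, not the poster's actual file.
SAMPLE = {
    "sshd": """#%PAM-1.0
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
#session    required     pam_limits.so
session    optional     pam_console.so
""",
    "system-auth": """#%PAM-1.0
auth       required     /lib/security/pam_env.so
auth       sufficient   /lib/security/pam_unix.so likeauth nullok
auth       required     /lib/security/pam_deny.so
account    required     /lib/security/pam_unix.so
session    required     /lib/security/pam_limits.so
session    required     /lib/security/pam_unix.so
""",
}

def parse(text):
    """Yield (type, control, module, args) for each active (uncommented) line."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3:
            yield fields[0], fields[1], os.path.basename(fields[2]), fields[3:]

def expand(service, mtype, files, seen=()):
    """Flatten one management group, following pam_stack.so service=NAME."""
    if service in seen:
        raise ValueError("pam_stack loop via " + service)
    out = []
    for t, control, module, args in parse(files[service]):
        if t != mtype:
            continue
        target = [a[len("service="):] for a in args if a.startswith("service=")]
        if module == "pam_stack.so" and target:
            # Recurse into the named service, keeping track of the call chain.
            out.extend(expand(target[0], mtype, files, seen + (service,)))
        else:
            out.append((service, control, module))
    return out

if __name__ == "__main__":
    for origin, control, module in expand("sshd", "session", SAMPLE):
        print(f"{origin:12} {control:10} {module}")
```

To run it against a real host, fill the dictionary from the files in /etc/pam.d. Each module in the flattened session list is then a candidate to check when sshd logs "PAM session setup failed" after an accepted key.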


