Date: Sat, 3 May 2003 12:56:43 +0200
From: c.wegener@itcampus.de
To: gentoo-dev@gentoo.org
Subject: Re: [gentoo-dev] openssh 3.6.1_p2 problem with pam (fwd)

I confirm this behaviour. And it's not new in 3.6.1_p2. I had this
behaviour long before.

On Sat, May 03, 2003 at 12:16:13PM +0200, Andrea Barisani wrote:
> 
> Hi folks, I'm having problems with pam and openssh 3.6.1_p2, I've contacted
> openssh-dev and I've received some replies, could someone confirm that I am
> not the only one to experience this problem?
> 
> I'm including my original post to openssh-dev and the reply with a patch.
> 
> What do you think?
> 
> Bye
> 
> ----------------------------------------------------------------------------------------
> 
> Andrea Barisani wrote:
> > 
> > ----- Forwarded message from Andrea Barisani <lcars@infis.univ.trieste.it> -----
> > 
> > Date: Fri, 2 May 2003 14:01:33 +0200
> > From: Andrea Barisani <lcars@infis.univ.trieste.it>
> > To: openssh@openssh.com
> > Subject: openssh 3.6.1_p2 problem with pam
> > 
> > Hi, I've just updated to openssh 3.6.1_p2 and I notice this behaviour:
> > 
> > # ssh -l lcars mybox
> > [2 seconds delay]
> > lcars@mybox's password:
> > 
> > In the logs I have:
> > 
> > May  2 13:57:11 sole sshd(pam_unix)[19663]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=homer.infis.univ.trieste.it  user=lcars
> > May  2 13:57:13 sole sshd(pam_unix)[19665]: session opened for user lcars by (uid=817)
> > 
> > The first line is logged _before_ sshd prompts for the password and that's the
> > cause of the delay since I'm not using the nodelay option in system-auth.
> > 
> > The second one is logged after I enter the correct password.
> > 
> > I don't suppose that this is correct behaviour, what do you think?
> > 
> > Thanks a lot.
> > 
> > Bye
> > 
> 
> 
> Yes, it's not correct behavior.  However, this isn't new to 3.6.1.
> Not sure why you're only seeing it now.
> 
> This should help you out:
> 
> --- openssh/auth1.c	Sun Feb 23 16:59:27 2003
> +++ openssh/auth1.c	Thu May  1 22:27:29 2003
> @@ -80,7 +80,7 @@
>  	    authctxt->valid ? "" : "illegal user ", authctxt->user);
>  
>  	/* If the user has no password, accept authentication immediately. */
> -	if (options.password_authentication &&
> +	if (options.password_authentication && options.permit_empty_passwd &&
>  #if defined(KRB4) || defined(KRB5)
>  	    (!options.kerberos_authentication || options.kerberos_or_local_passwd) &&
>  #endif
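Review bot: the comment kept as context above the changed condition in auth1.c, "If the user has no password, accept authentication immediately.", no longer matches the code, because the attempt is now also gated on options.permit_empty_passwd. Suggest rewording it to say the empty-password check is only made when empty passwords are permitted, so a reader does not assume it runs whenever password authentication is enabled.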
> --- openssh/auth2-none.c	Tue Apr 29 02:12:08 2003
> +++ openssh/auth2-none.c	Thu May  1 22:27:29 2003
> @@ -100,6 +100,25 @@
>  	if (check_nt_auth(1, authctxt->pw) == 0)
>  		return(0);
>  #endif
> +
> +	/*
> +	 * REDACTED
> +	 * REDACTED
> +	 * REDACTED
> +	 * REDACTED
> +	 * REDACTED
> +	 * REDACTED
> +	 * REDACTED
> +	 * REDACTED
> +	 * REDACTED
> +	 * REDACTED
> +	 * REDACTED
> +	 * REDACTED
> +	 * REDACTED
> +	 */
> +	if (!options.permit_empty_passwd)
> +		return(0);
> +
>  	return PRIVSEP(auth_password(authctxt, "")) && authctxt->valid;
>  }
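Review bot: every line of the 13-line block comment added ahead of the new check in auth2-none.c reads "REDACTED", so the hunk as shown does not document why the early return exists. The comment should state that when options.permit_empty_passwd is off the function returns 0 before reaching auth_password(authctxt, ""), so the empty-password attempt is never made. The return(0) form is consistent with the context line above it.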
> 
> ----------------------------------------------------------------------------------------
> 
> On Sat, May 03, 2003 at 12:24:44AM +0200, Andrea Barisani wrote:
> > I suppose that we'll be seeing this patch in the next version, am I right?
> 
> I don't think so.  The openssh team has been generally resistant[1] to most
> of my pam suggestions.  I have stopped submitting them at this point.
> 
> /fc
> [1] Not that I fault them for it.  PAM is hard to wedge into openssh
> nicely.  Esp. now with privsep.
> 
> 
> 
> --
> gentoo-dev@gentoo.org mailing list
> 


--
gentoo-dev@gentoo.org mailing list
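
Added example, not part of the original thread: the forwarded report shows sshd logging a pam_unix authentication failure before the password prompt and a session open once the password is entered, which inflates failed-login counts. This Python script separates such pairs from failures with no nearby login. The 30-second window, the year and the sample log lines are assumptions constructed for illustration, and the match is a heuristic by user and time only.

```python
import re
from datetime import datetime

# Constructed sample in the pam_unix format quoted in the thread
# (users, client host and PIDs are made up for this example).
SAMPLE_LOG = """\
May  2 13:57:11 sole sshd(pam_unix)[19663]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=client.example.org  user=alice
May  2 13:57:13 sole sshd(pam_unix)[19665]: session opened for user alice by (uid=817)
May  2 14:10:02 sole sshd(pam_unix)[19701]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=client.example.org  user=bob
May  2 14:31:40 sole sshd(pam_unix)[19822]: session opened for user bob by (uid=817)
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\(pam_unix\)\[\d+\]: "
    r"(?:(?P<fail>authentication failure);.*\buser=(?P<fuser>\S+)"
    r"|session opened for user (?P<suser>\S+))"
)

def classify_failures(log_text, window_s=30, year=2003):
    """Return (timestamp, user, label) for each pam_unix auth failure.

    A failure followed within window_s seconds by a session opened for the
    same user is labelled "pre-prompt"; anything else is "unexplained".
    window_s and year are assumptions (syslog lines carry no year).
    """
    events = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not an sshd(pam_unix) failure/session line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, "fail" if m["fail"] else "open",
                       m["fuser"] or m["suser"]))
    events.sort(key=lambda e: e[0])

    results = []
    for i, (ts, kind, user) in enumerate(events):
        if kind != "fail":
            continue
        followed = any(
            k == "open" and u == user and (t - ts).total_seconds() <= window_s
            for t, k, u in events[i + 1:]
        )
        results.append((ts, user, "pre-prompt" if followed else "unexplained"))
    return results

if __name__ == "__main__":
    for ts, user, label in classify_failures(SAMPLE_LOG):
        print(ts.isoformat(), user, label)
```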