Date: Sat, 3 May 2003 12:56:43 +0200
From: c.wegener@itcampus.de
To: gentoo-dev@gentoo.org
Subject: Re: [gentoo-dev] openssh 3.6.1_p2 problem with pam (fwd)
Message-ID: <20030503105643.GA1807@pbook.polysynx.foo>
In-Reply-To: <20030503101613.GA20720@sole.infis.univ.trieste.it>

I confirm this behaviour. And it's not new in 3.6.1_p2. I had this behaviour
long before.

On Sat, May 03, 2003 at 12:16:13PM +0200, Andrea Barisani wrote:
>
> Hi folks, I'm having problems with pam and openssh 3.6.1_p2, I've contacted
> openssh-dev and I've received some replies, could someone confirm that I am
> not the only one to experience this problem?
>
> I'm including my original post to openssh-dev and the reply with a patch.
>
> What do you think?
>
> Bye
>
> ----------------------------------------------------------------------------------------
>
> Andrea Barisani wrote:
> >
> > ----- Forwarded message from Andrea Barisani -----
> >
> > Date: Fri, 2 May 2003 14:01:33 +0200
> > From: Andrea Barisani
> > To: openssh@openssh.com
> > Subject: openssh 3.6.1_p2 problem with pam
> >
> > Hi, I've just updated to openssh 3.6.1_p2 and I notice this behaviour:
> >
> > # ssh -l lcars mybox
> > [2 seconds delay]
> > lcars@mybox's password:
> >
> > In the logs I have:
> >
> > May 2 13:57:11 sole sshd(pam_unix)[19663]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=homer.infis.univ.trieste.it user=lcars
> > May 2 13:57:13 sole sshd(pam_unix)[19665]: session opened for user lcars by (uid=817)
> >
> > The first line is logged _before_ sshd prompts for the password and that's the
> > cause of the delay since I'm not using nodelay option in system-auth.
> >
> > The second one is logged after I enter the correct password.
> >
> > I don't suppose that this is a correct behaviour, what do you think?
> >
> > Thanks a lot.
> >
> > Bye
> >
> >
> Yes, it's not correct behavior. However, this isn't new to 3.6.1.
> Not sure why you're only seeing it now.
>
> This should help you out:
>
> --- openssh/auth1.c Sun Feb 23 16:59:27 2003 > +++ openssh/auth1.c Thu May 1 22:27:29 2003 > @@ -80,7 +80,7 @@ > authctxt->valid ? "" : "illegal user ", authctxt->user); > > /* If the user has no password, accept authentication immediately. */ > - if (options.password_authentication && > + if (options.password_authentication && options.permit_empty_passwd && > #if defined(KRB4) || defined(KRB5) > (!options.kerberos_authentication || options.kerberos_or_local_passwd) && > #endif > --- openssh/auth2-none.c Tue Apr 29 02:12:08 2003 > +++ openssh/auth2-none.c Thu May 1 22:27:29 2003 
> @@ -100,6 +100,25 @@ > if (check_nt_auth(1, authctxt->pw) == 0) > return(0); > #endif > + > + /* > + * REDACTED > + * REDACTED > + * REDACTED > + * REDACTED > + * REDACTED > + * REDACTED > + * REDACTED > + * REDACTED > + * REDACTED > + * REDACTED > + * REDACTED > + * REDACTED > + * REDACTED > + */ > + if (!options.permit_empty_passwd) > + return(0); > + > return PRIVSEP(auth_password(authctxt, "")) && authctxt->valid; > } >
> ----------------------------------------------------------------------------------------
>
> On Sat, May 03, 2003 at 12:24:44AM +0200, Andrea Barisani wrote:
> > I suppose that we'll be seeing this patch in the next version, am I right?
>
> I don't think so. The openssh team has been generally resistant[1] to most
> of my pam suggestions. I have stopped submitting them at this point.
>
> /fc
> [1] Not that I fault them for it. PAM is hard to wedge into openssh
> nicely. Esp. now with privsep.
>
> --
> gentoo-dev@gentoo.org mailing list
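
Review bot: In the auth1.c hunk, the comment directly above the changed condition ("If the user has no password, accept authentication immediately.") no longer matches the code: with options.permit_empty_passwd added, the immediate-accept path is only tried when empty passwords are permitted. Suggest extending that comment to say so and to give the reason reported in this thread, namely that the attempt is logged by pam_unix as an authentication failure before the password prompt. Placing the new operand on its own line would also match the layout of the Kerberos clause that follows it.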
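
Review bot: The guard added before the final return in the auth2-none.c hunk restates the permit_empty_passwd test that the auth1.c hunk adds to its own condition, so the same policy is now checked in two places and can drift; a small shared helper, or a single check in the password routine if both paths share one, would keep it in one spot. The thirteen-line comment above the guard is redacted in this archive, so its wording cannot be checked here; it should state why the empty-password attempt is skipped rather than what the two lines do.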
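
A log-triage sketch for the pattern reported in this thread, added here as an example and not part of the original messages or of OpenSSH: it separates the one pam_unix failure that precedes each successful login (the entry logged before the password prompt) from failures that no login explains. The function name, the 60-second window, the year argument (syslog lines carry none) and every sample line after the first two are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\(pam_unix\)\[\d+\]: (.*)$")
FAIL = re.compile(r"authentication failure;.*\brhost=(\S*)(?:\s+user=(\S+))?")
OPEN = re.compile(r"session opened for user (\S+)")

def split_failures(lines, year=2003, window=timedelta(seconds=60)):
    """Return (probes, unexplained), each a list of (user, rhost).

    Heuristic (an assumption): the earliest failure for a user within
    `window` before a session opens is the pre-prompt empty-password
    attempt; every other failure is left for normal review. PIDs are
    ignored because they differ between the two lines in the report.
    """
    pending = {}                      # user -> [(timestamp, rhost)], oldest first
    probes, unexplained = [], []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        fail, opened = FAIL.search(m.group(2)), OPEN.search(m.group(2))
        if fail:
            rhost, user = fail.groups()
            pending.setdefault(user, []).append((ts, rhost))
        elif opened:
            user = opened.group(1)
            queue = pending.pop(user, [])
            first = next((i for i, (t, _) in enumerate(queue) if ts - t <= window), None)
            for i, (_, rhost) in enumerate(queue):
                (probes if i == first else unexplained).append((user, rhost))
    for user, queue in pending.items():   # failures never followed by a login
        unexplained.extend((user, rhost) for _, rhost in queue)
    return probes, unexplained

# First two lines are quoted from the thread; the rest are constructed samples.
P = "sole sshd(pam_unix)[%d]: "
F = "authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=%s user=%s"
SAMPLE = [
    "May 2 13:57:11 " + P % 19663 + F % ("homer.infis.univ.trieste.it", "lcars"),
    "May 2 13:57:13 " + P % 19665 + "session opened for user lcars by (uid=817)",
    "May 2 14:03:40 " + P % 19701 + F % ("scanner.example", "root"),
    "May 2 14:03:44 " + P % 19703 + F % ("scanner.example", "root"),
    "May 2 14:10:02 " + P % 19720 + F % ("desk.example", "lcars"),
    "May 2 14:10:09 " + P % 19720 + F % ("desk.example", "lcars"),
    "May 2 14:10:15 " + P % 19722 + "session opened for user lcars by (uid=817)",
]

if __name__ == "__main__":
    probes, unexplained = split_failures(SAMPLE)
    print("pre-prompt probes:", probes)
    print("needs review:", unexplained)
```

Once the empty-password attempt is gated on permit_empty_passwd as in the patch above, the probes list should stay empty on hosts where that option is off.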