Confusion on SSH and PAM

Tue, 25 Sep 2007 04:59:40 -0700 


Hi,
I've spent a fair bit of yesterday and today playing around with this. Have reached some confusing conclusions. 

Here's a snippet from my ''sshd_config'' file:

----8<-----------
PubkeyAuthentication            yes
ChallengeResponseAuthentication yes
PermitRootLogin                 without-password
PasswordAuthentication          no
UsePAM                          yes
----8<-----------
The idea being that I use Public Key authentication. No password authentication. Yes to PAM authentication etc (my understanding is that *if* Public Key auth fails then this is invoked). And root is allowed login using Key authentication. 

Here's the SSHD section for PAM:

----8<-----------
auth      required      pam_nologin.so                  no_warn
auth      required      pam_unix.so                     try_first_pass
account   required      pam_login_access.so
account   required      pam_unix.so
session   required      pam_permit.so
password  required      pam_unix.so                     no_warn try_first_pass
----8<-----------

Pretty standard config.

As long as I login as root with a key, things work as expected.
However, when I login as root without a key I am prompted for the password, and even though I enter the password correctly I am prompted again for a total of 3 times and then it fails.
After a bit of trial and error, I finally figured that setting ''PermitRootLogin yes'' lets root login without a key. So it seems to me that when I don't use Key authentication, PAM is invoked, and even though I supply the correct root password I am prompted again and again for a password coz root login is disallowed by SSHD. Strange, coz I was under the impression that as far as PAM is concerned I have successfully authenticated, so shouldn't it have OK-ed me and left SSH to refuse login with some message? Why ask for the password thrice and then refuse?
I also tried without the ''no_warn'' option in the pam_unix module. That time I get an error like this after each password input: 

----8<-----------
pam_unix: pam_sm_authenticate: UNIX authentication refused
----8<-----------
Any ideas or nudges in the right direction as to why this is happening? Looks like I've understood the interaction between SSH and PAM wrong here, so would appreciate some enlightenment. 

Regards,

                                - Rakhesh
                                http://rakhesh.net/
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to