Re: Problem with openssh and pam modules

2002-10-02 Thread Laurent Luyckx

You need to turn off UsePrivilegeSeparation 
in your /etc/ssh/sshd_config file.

"UsePrivilegeSeparation no"

Cheers.

On Wed, 2002-10-02 at 16:00, Alexis Sukrieh wrote:
> Hello there :)
> 
> I run debian unstable.
> 
> I've just upgraded to the latest ssh package and I cannot connect to my box 
> anymore using ssh.
> I've set up telnet to test it and it works fine with telnet.
> 
> First, here is the output when a user tries to connect to the box :
> 
> 
> poseidon:/home/sukria/dev/debian/openssh-3.4p1# ssh sukria@localhost
> sukria@localhost's password:
> Connection to localhost closed by remote host.
> Connection to localhost closed.
> poseidon:/home/sukria/dev/debian/openssh-3.4p1#
> _
> 
> 
> It appears to be a PAM related problem :
> Indeed the password authentication is OK, but the system rejects the user 
> after seeing that his pass is right :
> if I run sshd in debug mode, I can see this error message
> _
> 
> sshd -d
> [...]
> debug1: userauth-request for user sukria service ssh-connection method password
> debug1: attempt 2 failures 2
> debug1: PAM Password authentication accepted for user "sukria"
> Accepted password for sukria from 81.1.38.34 port 33095 ssh2
> [...]
> debug1: session_input_channel_req: session 0 req shell
> debug1: PAM setting tty to "/dev/pts/2"
> PAM session setup failed[28]: Module is unknown
> 
> 
> Does anyone know how I can solve that problem ??
> 
> I've tuned /etc/hosts.deny and /etc/hosts.allow... and again, telnet 
> connections are working fine...
> 
> Thanks a lot for any help.
> 
> Alexis.
> 
> 
> Alexis Sukrieh (sukria), <[EMAIL PROTECTED]>
> . homepage - [http://sukria.net]
> . PGP key - [http://sukria.net/print.php?c=privacy]
> . mydynaweb - [http://www.mydynaweb.net]
> __
> 
> 
> -- 
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
> 






Re: Problem with openssh and pam modules

2002-10-02 Thread Alexis Sukrieh

You're right, it was set to yes but after putting it to 'no', the same 
problem is still there...

At 16:11 02/10/2002 +0200, you wrote:
>You need to turn off UsePrivilegeSeparation
>in your /etc/ssh/sshd_config file.
>
>"UsePrivilegeSeparation no"








Re: Problem with openssh and pam modules

2002-10-02 Thread Anne Carasik

Kill your sshd. Run it in debugging mode (it will not
fork a process):

# sshd -ddd

Open another window, now run the client in verbose mode:

$ ssh -vvv user@host

Then email us the output. :) Otherwise, this is really difficult
to troubleshoot.

-Anne



This one time, Alexis Sukrieh wrote:
> You're right, it was set to yes but after putting it to 'no', the same 
> problem is still there...
> 
> At 16:11 02/10/2002 +0200, you wrote:
> >You need to turn off UsePrivilegeSeparation
> >in your /etc/ssh/sshd_config file.
> >
> >"UsePrivilegeSeparation no"

-- 
Anne Carasik, System Administrator
gator at cacr dot caltech dot edu
Center for Advanced Computing Research






Re: Problem with openssh and pam modules

2002-10-02 Thread Alexis Sukrieh

here is the full output

( I've turned UsePrivilegeSeparation to "no" )


___
poseidon:~# sshd -ddd
debug1: sshd version OpenSSH_3.4p1 Debian 1:3.4p1-2
debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug1: Server will not fork when running in debugging mode.
Connection from 127.0.0.1 port 32989
debug1: Client protocol version 2.0; client software version OpenSSH_3.4p1 Debian 1:3.4p1-2
debug1: match: OpenSSH_3.4p1 Debian 1:3.4p1-2 pat OpenSSH*
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-2
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,[EMAIL PROTECTED]
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,[EMAIL PROTECTED]
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[EMAIL PROTECTED],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[EMAIL PROTECTED],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,[EMAIL PROTECTED]
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,[EMAIL PROTECTED]
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[EMAIL PROTECTED],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[EMAIL PROTECTED],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
WARNING: /etc/ssh/moduli does not exist, using old modulus
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: dh_gen_key: priv key bits set: 131/256
debug1: bits set: 486/1024
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: bits set: 531/1024
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user sukria service ssh-connection method none
debug1: attempt 0 failures 0
debug2: input_userauth_request: setting up authctxt for sukria
debug1: Starting up PAM with username "sukria"
debug3: Trying to reverse map address 127.0.0.1.
debug1: PAM setting rhost to "poseidon"
debug2: input_userauth_request: try method none
Failed none for sukria from 127.0.0.1 port 32989 ssh2
debug1: userauth-request for user sukria service ssh-connection method keyboard-interactive
debug1: attempt 1 failures 1
debug2: input_userauth_request: try method keyboard-interactive
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=sukria devs=
debug1: kbdint_alloc: devices ''
debug2: auth2_challenge_start: devices
Failed keyboard-interactive for sukria from 127.0.0.1 port 32989 ssh2
debug1: userauth-request for user sukria service ssh-connection method password
debug1: attempt 2 failures 2
debug2: input_userauth_request: try method password
debug1: PAM Password authentication accepted for user "sukria"
debug2: pam_acct_mgmt() = 0
Accepted password for sukria from 127.0.0.1 port 32989 ssh2
debug1: Entering interactive session for SSH2.
debug1: fd 3 setting O_NONBLOCK
debug1: fd 8 setting O_NONBLOCK
debug1: server_init_dispatch_20
debug1: server_input_channel_open: ctype session rchan 0 win 65536 max 16384
debug1: input_session_request
debug1: channel 0: new [server-session]
debug1: session_new: init
debug1: session_new: session 0
debug1: session_open: channel 0
debug1: session_open: session 0: link with channel 0
debug1: server_input_channel_open: confirm session
debug1: server_input_channel_req: channel 0 request pty-req reply 0
debug1: session_by_chann

Re: Problem with openssh and pam modules

2002-10-02 Thread Anne Carasik

Hi there,

This might provide a clue:
 debug1: PAM setting tty to "/dev/pts/3"
 PAM session setup failed[28]: Module is unknown

-Anne


Re: Problem with openssh and pam modules

2002-10-02 Thread Alexis Sukrieh

Hehe :)

yes, but before mailing here, I've supposed that there was a missing 
package dependency in unstable and I looked for pam* stuff.

I found those ones

libpam-modules - Pluggable Authentication Modules for PAM
libpam0g - Pluggable Authentication Modules library

and I installed it.

I also installed
libpam-cracklib - PAM module to enable cracklib support.

but nothing changed...

I really don't see what to do ...

At 07:41 02/10/2002 -0700, you wrote:
>Hi there,
>
>This might provide a clue:
>  debug1: PAM setting tty to "/dev/pts/3"
>  PAM session setup failed[28]: Module is unknown
>
>-Anne








Re: Problem with openssh and pam modules

2002-10-02 Thread administrateur

Did you check that all modules invoked in /etc/pam.d/ssh can be found 
in /lib/security/  ?

c++, Tonio

In reply to Anne Carasik <[EMAIL PROTECTED]>:

> Hi there,
> 
> This might provide a clue:
>  debug1: PAM setting tty to "/dev/pts/3"
>  PAM session setup failed[28]: Module is unknown
> 
> -Anne
> 

Re: Problem with openssh and pam modules

2002-10-02 Thread Anne Carasik

Hi Alexis,

Did you set up /etc/pam.d/ssh?

-Anne

This one time, Alexis Sukrieh wrote:
> Hehe :)
> 
> yes, but before mailing here, I've supposed that there was a missing 
> package dependency in unstable and I looked for pam* stuff.
> 
> I found those ones
> 
> libpam-modules - Pluggable Authentication Modules for PAM
> libpam0g - Pluggable Authentication Modules library
> 
> and I installed it.
> 
> I also installed
> libpam-cracklib - PAM module to enable cracklib support.
> 
> but nothing changed...
> 
> I really don't see what to do ...
> 
> At 07:41 02/10/2002 -0700, you wrote:
> >Hi there,
> >
> >This might provide a clue:
> > debug1: PAM setting tty to "/dev/pts/3"
> > PAM session setup failed[28]: Module is unknown
> >
> >-Anne


Re: Problem with openssh and pam modules

2002-10-02 Thread Alexis Sukrieh

At 16:56 02/10/2002 +0200, [EMAIL PROTECTED] wrote:
>Did you check that all modules invoked in /etc/pam.d/ssh can be found
>in /lib/security/  ?

Yes it can be found.

here, take a look :

__
poseidon:/etc/pam.d# cat /etc/pam.d/ssh
#%PAM-1.0
auth       required pam_nologin.so
auth       required pam_unix.so
auth       required pam_env.so # [1]

account    required pam_unix.so

session    required pam_unix.so
session    optional pam_lastlog.so # [1]
session    optional pam_motd.so # [1]
session    optional pam_mail.so standard noenv # [1]
session    required pam_limits.so

password   required pam_unix.so

# Alternate strength checking for password. Note that this
# requires the libpam-cracklib package to be installed.
# You will need to comment out the password line above and
# uncomment the next two in order to use this.
#
# password required   pam_cracklib.so retry=3 minlen=6 difok=3
# password required   pam_unix.so use_authtok nullok md5

poseidon:/etc/pam.d# ls /lib/security/
pam_access.so    pam_filter.so  pam_lastlog.so    pam_motd.so         pam_rootok.so     pam_time.so         pam_unix_session.so
pam_cracklib.so  pam_ftp.so     pam_limits.so     pam_nologin.so      pam_securetty.so  pam_unix.so         pam_userdb.so
pam_debug.so     pam_group.so   pam_listfile.so   pam_permit.so       pam_shells.so     pam_unix_acct.so    pam_warn.so
pam_deny.so      pam_issue.so   pam_mail.so       pam_pwdfile.so      pam_stress.so     pam_unix_auth.so    pam_wheel.so
pam_env.so       pam_krb5.so    pam_mkhomedir.so  pam_rhosts_auth.so  pam_tally.so      pam_unix_passwd.so
poseidon:/etc/pam.d#


Everything is there...






Re: Problem with openssh and pam modules

2002-10-02 Thread Giacomo Mulas

since openssh v3.3 was released, I never got it to work well with
PAM. I think it has something to do with privilege separation, whereby
the listening daemon is unable to use PAM due to insufficient privileges,
since it is running as an unprivileged user. Is PAMAuthenticationViaKbdInt
enabled? Try disabling just that. From README.Debian in
/usr/share/doc/ssh:

"Unfortunately, privilege separation interacts badly with PAM. Any PAM
session modules that need to run as root (pam_mkhomedir, for example)
will fail, and PAM keyboard-interactive authentication won't work."


Bye
Giacomo

-- 
_

Giacomo Mulas <[EMAIL PROTECTED], [EMAIL PROTECTED]>
_

OSSERVATORIO ASTRONOMICO DI CAGLIARI
Str. 54, Loc. Poggio dei Pini * 09012 Capoterra (CA)

Tel.: +39 070 71180 248 Fax : +39 070 71180 222
_

"When the storms are raging around you, stay right where you are"
 (Freddy Mercury)
_






Re: Problem with openssh and pam modules

2002-10-02 Thread Alexis Sukrieh

At 17:25 02/10/2002 +0200, Giacomo Mulas wrote:
> since openssh v3.3 was released, I never got it to work well with
>PAM. I think it has something to do with privilege separation, whereby
>the listening daemon is unable to use PAM due to insufficient privileges,
>since it is running as an unprivileged user. Is PAMAuthenticationViaKbdInt
>enabled? Try disabling just that. From README.Debian in
>/usr/share/doc/ssh:

Well, again it is not the solution for me !
It is yet turned off

is this a common problem ??? I'm surprised in the way that every 
intelligent solution you all provide to me is ineffective...

is the ssh package young in the unstable branch ?







Re: Problem with openssh and pam modules

2002-10-02 Thread Anne Carasik

This one time, Alexis Sukrieh wrote:
> Well, again it is not the solution for me !
> It is yet turned off

Hmmm.. not sure. 

> is this a common problem ??? I'm surprised in the way that every 
> intelligent solution you all provide to me is ineffective...

Hmmm.. try apt-get remove --purge openssh and reinstall it
after you get PAM working.

> is the ssh package young in the unstable branch ?

I haven't had any problems, but it is unstable after all ;)

-Anne


Re: Problem with openssh and pam modules

2002-10-02 Thread Marcus Beranek

On Wednesday, 2 October 2002 17:01, Alexis Sukrieh wrote:
> At 16:56 02/10/2002 +0200, [EMAIL PROTECTED] wrote:
> >Did you check that all modules invoked in /etc/pam.d/ssh can be found
> >in /lib/security/  ?
>
> Yes it can be found.
>
> here, take a look :

Hi, 

just a guess:
What about disabling all "session"-entries except the first in the 
/etc/pam.d/ssh like this:

auth       required pam_nologin.so
auth       required pam_unix.so
auth       required pam_env.so # [1]
account    required pam_unix.so
session    required pam_unix.so
#session    optional pam_lastlog.so # [1]
#session    optional pam_motd.so # [1]
#session    optional pam_mail.so standard noenv # [1]
#session    required pam_limits.so
password   required pam_unix.so

Well, the debug-msg says something about a failed session
>> debug1: PAM setting tty to "/dev/pts/3"
>> PAM session setup failed[28]: Module is unknown

another guess:
maybe the kernel has no support for the pseudo-terminal pty or the 
/dev/pty-filesystem compiled in?

HTH,
Marcus






Re: Problem with openssh and pam modules

2002-10-02 Thread Alexis Sukrieh

And the winner is .
 
> just a guess:
> What about disabling all "session"-entries except the first in the 
> /etc/pam.d/ssh like this:

Marcus !!

Wünderbar ! :)
 
It works when I disable other session entries.
Thanks a lot to all of you, I'm really happy to come back to ssh (telnet
sucks !)

> auth       required pam_nologin.so
> auth       required pam_unix.so
> auth       required pam_env.so # [1]
> account    required pam_unix.so
> session    required pam_unix.so
> #session    optional pam_lastlog.so # [1]
> #session    optional pam_motd.so # [1]
> #session    optional pam_mail.so standard noenv # [1]
> #session    required pam_limits.so
> password   required pam_unix.so
> 
-- 
___

Alexis Sukrieh, <[EMAIL PROTECTED]>
Web : http://www.sukria.net
___





Re: Problem with openssh and pam modules

2002-10-02 Thread Lupe Christoph

Correct me if I'm wrong, but don't we expect people who run unstable to
diagnose problems themselves? If they can't they should be running stable
or at least testing?

Unstable is not just a name...
Lupe Christoph

On Wednesday, 2002-10-02 at 09:44:38 -0700, Anne Carasik wrote:
> This one time, Alexis Sukrieh wrote:
> > Well, again it is not the solution for me !
> > It is yet turned off

> Hmmm.. not sure. 

> > is this a common problem ??? I'm surprised in the way that every 
> > intelligent solution you all provide to me is ineffective...

> Hmmm.. try apt-get remove --purge openssh and reinstall it
> after you get PAM working.

> > is the ssh package young in the unstable branch ?

> I haven't had any problems, but it is unstable after all ;)

> -Anne



--- Thus spoke Anne Carasik ---

-- 
| [EMAIL PROTECTED]   |   http://www.lupe-christoph.de/ |
| Big Misunderstandings #6398: The Titanic was not supposed to be|
| unsinkable. The designer had a speech impediment. He said: "I have |
| thith great unthinkable conthept ..."  |






Re: Problem with openssh and pam modules

2002-10-02 Thread Anne Carasik

This one time, Lupe Christoph wrote:
> Correct me if I'm wrong, but don't we expect people who run unstable to
> diagnose problems themselves? If they can't they should be running stable
> or at least testing?

I think there's nothing wrong with helping someone out, no matter
which group they're running. Why should it matter? Isn't this mailing
list called debian-security? Not debian-security-stable.

> Unstable is not just a name...

Neither is testing nor stable :)

-Anne


Re: Problem with openssh and pam modules

2002-10-02 Thread Alexis Sukrieh

On Wed, 2002-10-02 at 21:13, Lupe Christoph wrote:
> Correct me if I'm wrong, but don't we expect people who run unstable to
> diagnose problems themselves? If they can't they should be running stable
> or at least testing?

Excuse me sir ! 

But well, if I run unstable and I find a strange problem with such an
important package, I have to tell the debian community.
I think that's one of the purposes of that mailing-list : knowing
problems coming with the packages.

And, I was diagnosing my problems ! I was not just waiting for the
solution, I was working with all people who helped me. And I thank them
very much.

If tomorrow, another important issue comes up to me with a debian
package, I'll do it again. That's what debian mailing-lists are for :
communicating !

> Unstable is not just a name...

No, it's a way of life |-)


-- 
___

Alexis Sukrieh, <[EMAIL PROTECTED]>
Web : http://www.sukria.net
___





Re: Probem with openssh and pam modules

2002-10-03 Thread Marcus Beranek

On Wednesday, 2 October 2002 22:38, Alexis Sukrieh wrote:
> And the winner is .
>
> > just a guess:
> > What about disabling all "session"-entries except the first in the
> > /etc/pam.d/ssh like this:
>
> Marcus !!
>
> Wünderbar ! :)

:-)

> It works when I disable other session entries.
> Thanks a lot to all of you, I'm really happy to come back to ssh (telnet
> sucks !)

Okay, you might also want to enable the session-modules one-after-one, so you 
can track down which of them exactly fails, or if all of them fail... 

Regards,
Marcus
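
The two checks suggested in this thread (every module named in /etc/pam.d/ssh is present in /lib/security/, then re-enabling the session modules one at a time) can be scripted. This is an added example, not code from any poster: the config is a constructed copy of the file posted in the thread, and the module directory, function names and output file names are assumptions. As the thread shows, a module file being present did not prevent the failure, which is why the second step matters.

```shell
#!/bin/sh
# Added example (not from the thread). All sample data below is constructed.

# List "LINENO MODULE" for each active entry of one PAM type (auth, session, ...).
pam_entries() {                       # usage: pam_entries FILE TYPE
    awk -v t="$2" '
        { sub(/#.*/, "") }            # strip comments; this re-splits the fields
        $1 == t || $1 == ("-" t) {
            i = 2                     # control field; may be "[a=b c=d]" with spaces
            if ($2 ~ /^\[/) while (i < NF && $i !~ /\]$/) i++
            print NR, $(i + 1)
        }' "$1"
}

# Print "TYPE MODULE" for every referenced module that is absent from MODULE_DIR.
missing_modules() {                   # usage: missing_modules FILE MODULE_DIR
    for t in auth account session password; do
        pam_entries "$1" "$t" | while read -r lineno mod; do
            case $mod in /*) path=$mod ;; *) path=$2/$mod ;; esac
            [ -e "$path" ] || echo "$t $mod"
        done
    done
}

# Print FILE with every session entry commented out except the first one and
# entry number KEEP, so one module at a time is tested on top of the line
# that is known to work.
isolate_session() {                   # usage: isolate_session FILE KEEP
    awk -v keep="$2" '
        { line = $0; sub(/#.*/, "", line); split(line, f, " ") }
        f[1] == "session" { k++; if (k != 1 && k != keep + 0) { print "#" $0; next } }
        { print }' "$1"
}

# Write one candidate file per extra session entry into OUTDIR; print their names.
write_candidates() {                  # usage: write_candidates FILE OUTDIR
    total=$(pam_entries "$1" session | awk 'END { print NR }')
    k=2
    while [ "$k" -le "$total" ]; do
        mod=$(pam_entries "$1" session | sed -n "${k}p" | cut -d' ' -f2)
        isolate_session "$1" "$k" > "$2/ssh.only-${mod##*/}"
        echo "ssh.only-${mod##*/}"
        k=$((k + 1))
    done
}

# ---- demonstration on constructed data ----
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
mkdir "$demo/security" "$demo/out"

# Constructed copy of the /etc/pam.d/ssh posted in the thread (spacing restored).
cat > "$demo/ssh" <<'EOF'
#%PAM-1.0
auth       required     pam_nologin.so
auth       required     pam_unix.so
auth       required     pam_env.so # [1]

account    required     pam_unix.so

session    required     pam_unix.so
session    optional     pam_lastlog.so # [1]
session    optional     pam_motd.so # [1]
session    optional     pam_mail.so standard noenv # [1]
session    required     pam_limits.so

password   required     pam_unix.so
# password required   pam_cracklib.so retry=3 minlen=6 difok=3
EOF

# Constructed module directory: pam_mail.so is left out on purpose so the
# missing-file check has something to report (in the thread every file existed).
for m in pam_nologin pam_unix pam_env pam_lastlog pam_motd pam_limits; do
    : > "$demo/security/$m.so"
done

echo "missing modules:"; missing_modules "$demo/ssh" "$demo/security"
echo "candidate files:"; write_candidates "$demo/ssh" "$demo/out"
```

To test a candidate, copy it over /etc/pam.d/ssh while keeping an existing root session open, then retry the login against `sshd -ddd` and watch for the "PAM session setup failed" line.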






Re: Probem with openssh and pam modules

2002-10-07 Thread Peter Cordes

On Wed, Oct 02, 2002 at 11:13:06PM +0200, Lupe Christoph wrote:
> Correct me if I'm wrong, but don't we expect people who run unstable to
> diagnose problems themselves?

 No, we don't.  We hope people running unstable report any problems they run
into, so that information can be used to improve Debian, and hopefully
prevent others from running into the same problem with a future version of
the package.  (I'm not a Debian developer, so I hope I haven't been
presumptuous in saying "we".)  There are lots of people who can make useful
bug reports or mailing list posts about problems they run into who don't
have the time or the inclination to fix every problem they find.

> If they can't they should be running stable
> or at least testing?

 Anyone who is willing to deal with problems should run unstable to help
test it, so that it can go into testing, and later become stable.

-- 
#define X(x,y) x##y
Peter Cordes ;  e-mail: X([EMAIL PROTECTED] , ns.ca)

"The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack
 my day so wretchedly into small pieces!" -- Plautus, 200 BC






Re: Probem with openssh and pam modules

2002-10-07 Thread Matt Zimmerman

On Wed, Oct 02, 2002 at 11:32:10PM +, Alexis Sukrieh wrote:

> But well, if I run unstable and I find a strange problem with such an
> important package, I have to tell the debian community.  I think that's
> one of the purposes of that mailing-list : knowing problems coming with the
> packages.

Yes, that is reasonable, and there are mailing lists for that (such as
debian-user), but debian-security is not such a list.  The fact that this
problem happened to be in ssh does not make it a matter of system security.
The same could be said of many threads on this list.

-- 
 - mdz






Re: Probem with openssh and pam modules

2002-10-02 Thread Laurent Luyckx
You need to turn off UsePrivilegeSeparation 
in your /etc/ssh/sshd_config file.

"UsePrivilegeSeparation no"

Cheers.

On Wed, 2002-10-02 at 16:00, Alexis Sukrieh wrote:
> Hello there :)
> 
> I run debian unstable.
> 
> I've just upgraded to the latest ssh package and I cannot connect to my box 
> anymore using ssh.
> I've set up telnet to test it and it works fine with telnet.
> 
> First, here is the output when a user tries to connect to the box :
> 
> 
> poseidon:/home/sukria/dev/debian/openssh-3.4p1# ssh [EMAIL PROTECTED]
> [EMAIL PROTECTED]'s password:
> Connection to localhost closed by remote host.
> Connection to localhost closed.
> poseidon:/home/sukria/dev/debian/openssh-3.4p1#
> _
> 
> 
> It appears to be a PAM related problem :
> Indeed the password authentication is OK, but the system rejects the user 
> after seeing that his pass is right :
> if I run sshd in debug mode, I can see this error message
> _
> 
> sshd -d
> [...]
> debug1: userauth-request for user sukria service ssh-connection method password
> debug1: attempt 2 failures 2
> debug1: PAM Password authentication accepted for user "sukria"
> Accepted password for sukria from 81.1.38.34 port 33095 ssh2
> [...]
> debug1: session_input_channel_req: session 0 req shell
> debug1: PAM setting tty to "/dev/pts/2"
> PAM session setup failed[28]: Module is unknown
> 
> 
> Does anyone know how I can solve that problem ??
> 
> I've tuned /etc/hosts.deny and /etc/hosts.allow... and again, telnet 
> connections are working fine...
> 
> Thanks a lot for any help.
> 
> Alexis.
> 
> 
> Alexis Sukrieh (sukria), <[EMAIL PROTECTED]>
> . homepage - [http://sukria.net]
> . clef PGP - [http://sukria.net/print.php?c=privacy]
> . mydynaweb - [http://www.mydynaweb.net]
> __
> 
> 





Re: Probem with openssh and pam modules

2002-10-02 Thread Alexis Sukrieh
You're right, it was set to yes but after putting it to 'no', the same 
problem is still there...


At 16:11 02/10/2002 +0200, you wrote:

> You need to turn off UsePrivilegeSeparation
> in your /etc/ssh/sshd_config file.
>
> "UsePrivilegeSeparation no"





Alexis Sukrieh (sukria), <[EMAIL PROTECTED]>
. homepage - [http://sukria.net]
. clef PGP - [http://sukria.net/print.php?c=privacy]
. mydynaweb - [http://www.mydynaweb.net]
__



Re: Probem with openssh and pam modules

2002-10-02 Thread Anne Carasik
Kill your sshd. Run it in debugging mode (it will not
fork a process):

# sshd -ddd

Open another window, now run the client in verbose mode:

$ ssh -vvv [EMAIL PROTECTED]

Then email us the output. :) Otherwise, this is really difficult
to troubleshoot.

-Anne



This one time, Alexis Sukrieh wrote:
> You're right, it was set to yes but after putting it to 'no', the same 
> problem is still there...
> 
> At 16:11 02/10/2002 +0200, you wrote:
> >You need to turn off UsePrivilegeSeparation
> >in your /etc/ssh/sshd_config file.
> >
> >"UsePrivilegeSeparation no"
> 
> 
> 
> 
> Alexis Sukrieh (sukria), <[EMAIL PROTECTED]>
> . homepage - [http://sukria.net]
> . clef PGP - [http://sukria.net/print.php?c=privacy]
> . mydynaweb - [http://www.mydynaweb.net]
> __
> 
> 

-- 
  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   gator at cacr dot caltech dot edu 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~





Re: Probem with openssh and pam modules

2002-10-02 Thread Alexis Sukrieh

here is the full output

( I've turned UsePrivilegeSeparation to "no" )


___
poseidon:~# sshd -ddd
debug1: sshd version OpenSSH_3.4p1 Debian 1:3.4p1-2
debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug1: Server will not fork when running in debugging mode.
Connection from 127.0.0.1 port 32989
debug1: Client protocol version 2.0; client software version OpenSSH_3.4p1 Debian 1:3.4p1-2
debug1: match: OpenSSH_3.4p1 Debian 1:3.4p1-2 pat OpenSSH*
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-2
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,[EMAIL PROTECTED]
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,[EMAIL PROTECTED]
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[EMAIL PROTECTED],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[EMAIL PROTECTED],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,[EMAIL PROTECTED]
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,[EMAIL PROTECTED]
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[EMAIL PROTECTED],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[EMAIL PROTECTED],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
WARNING: /etc/ssh/moduli does not exist, using old modulus
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: dh_gen_key: priv key bits set: 131/256
debug1: bits set: 486/1024
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: bits set: 531/1024
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user sukria service ssh-connection method none
debug1: attempt 0 failures 0
debug2: input_userauth_request: setting up authctxt for sukria
debug1: Starting up PAM with username "sukria"
debug3: Trying to reverse map address 127.0.0.1.
debug1: PAM setting rhost to "poseidon"
debug2: input_userauth_request: try method none
Failed none for sukria from 127.0.0.1 port 32989 ssh2
debug1: userauth-request for user sukria service ssh-connection method keyboard-interactive
debug1: attempt 1 failures 1
debug2: input_userauth_request: try method keyboard-interactive
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=sukria devs=
debug1: kbdint_alloc: devices ''
debug2: auth2_challenge_start: devices
Failed keyboard-interactive for sukria from 127.0.0.1 port 32989 ssh2
debug1: userauth-request for user sukria service ssh-connection method password
debug1: attempt 2 failures 2
debug2: input_userauth_request: try method password
debug1: PAM Password authentication accepted for user "sukria"
debug2: pam_acct_mgmt() = 0
Accepted password for sukria from 127.0.0.1 port 32989 ssh2
debug1: Entering interactive session for SSH2.
debug1: fd 3 setting O_NONBLOCK
debug1: fd 8 setting O_NONBLOCK
debug1: server_init_dispatch_20
debug1: server_input_channel_open: ctype session rchan 0 win 65536 max 16384
debug1: input_session_request
debug1: channel 0: new [server-session]
debug1: session_new: init
debug1: session_new: session 0
debug1: session_open: channel 0
debug1: session_open: session 0: link with channel 0
debug1: server_input_channel_open: confirm session
debug1: server_input_channel_req: channel 0 request pty-req reply 0
debug1: session_by

Re: Probem with openssh and pam modules

2002-10-02 Thread Anne Carasik
Hi there,

This might provide a clue:
 debug1: PAM setting tty to "/dev/pts/3"
 PAM session setup failed[28]: Module is unknown

-Anne

This one time, Alexis Sukrieh wrote:
> here is the full output
> 
> ( I've turned UsePrivilegeSeparation to "no" )
> 
> 

Re: Probem with openssh and pam modules

2002-10-02 Thread Alexis Sukrieh

Hehe :)

yes, but before mailing here, I've supposed that there was a missing 
package dependency in unstable and I look for pam* stuff.


I found those ones

libpam-modules - Pluggable Authentication Modules for PAM
libpam0g - Pluggable Authentication Modules library

and I installed it.

I also installed
libpam-cracklib - PAM module to enable cracklib support.

but nothing changed...

I really don't see what to do ...

At 07:41 02/10/2002 -0700, you wrote:

> Hi there,
>
> This might provide a clue:
>  debug1: PAM setting tty to "/dev/pts/3"
>  PAM session setup failed[28]: Module is unknown
>
> -Anne





Alexis Sukrieh (sukria), <[EMAIL PROTECTED]>
. homepage - [http://sukria.net]
. clef PGP - [http://sukria.net/print.php?c=privacy]
. mydynaweb - [http://www.mydynaweb.net]
__



Re: Probem with openssh and pam modules

2002-10-02 Thread administrateur
did you check all modules invoked in /etc/pam.d/ssh can be found 
in /lib/security/  ?

c++, Tonio

In reply to Anne Carasik <[EMAIL PROTECTED]>:

> Hi there,
> 
> This might provide a clue:
>  debug1: PAM setting tty to "/dev/pts/3"
>  PAM session setup failed[28]: Module is unknown
> 
> -Anne
> 
> This one time, Alexis Sukrieh wrote:
> > here is the full output
> > 
> > ( I've turned UsePrivilegeSeparation to "no" )
> > 
> > 

Re: Probem with openssh and pam modules

2002-10-02 Thread Anne Carasik
Hi Alexis,

Did you setup /etc/pam.d/ssh?

-Anne

This one time, Alexis Sukrieh wrote:
> Hehe :)
> 
> yes, but before mailing here, I've supposed that there was a missing 
> package dependency in unstable and I look for pam* stuff.
> 
> I found those ones
> 
> libpam-modules - Pluggable Authentication Modules for PAM
> libpam0g - Pluggable Authentication Modules library
> 
> and I installed it.
> 
> I also installed
> libpam-cracklib - PAM module to enable cracklib support.
> 
> but nothing changed...
> 
> I really don't see what to do ...
> 
> At 07:41 02/10/2002 -0700, you wrote:
> >Hi there,
> >
> >This might provide a clue:
> > debug1: PAM setting tty to "/dev/pts/3"
> > PAM session setup failed[28]: Module is unknown
> >
> >-Anne
> 
> 
> 
> 
> Alexis Sukrieh (sukria), <[EMAIL PROTECTED]>
> . homepage - [http://sukria.net]
> . clef PGP - [http://sukria.net/print.php?c=privacy]
> . mydynaweb - [http://www.mydynaweb.net]
> __
> 
> 

-- 
  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   gator at cacr dot caltech dot edu 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~





Re: Probem with openssh and pam modules

2002-10-02 Thread Alexis Sukrieh

At 16:56 02/10/2002 +0200, [EMAIL PROTECTED] wrote:

> did you check all modules invoked in /etc/pam.d/ssh can be found
> in /lib/security/  ?


Yes it can be found.

here, take a look :

__
poseidon:/etc/pam.d# cat /etc/pam.d/ssh
#%PAM-1.0
auth       required     pam_nologin.so
auth       required     pam_unix.so
auth       required     pam_env.so # [1]

account    required     pam_unix.so

session    required     pam_unix.so
session    optional     pam_lastlog.so # [1]
session    optional     pam_motd.so # [1]
session    optional     pam_mail.so standard noenv # [1]
session    required     pam_limits.so

password   required     pam_unix.so

# Alternate strength checking for password. Note that this
# requires the libpam-cracklib package to be installed.
# You will need to comment out the password line above and
# uncomment the next two in order to use this.
#
# password required   pam_cracklib.so retry=3 minlen=6 difok=3
# password required   pam_unix.so use_authtok nullok md5

poseidon:/etc/pam.d# ls /lib/security/
pam_access.so    pam_filter.so  pam_lastlog.so    pam_motd.so         pam_rootok.so     pam_time.so         pam_unix_session.so
pam_cracklib.so  pam_ftp.so     pam_limits.so     pam_nologin.so      pam_securetty.so  pam_unix.so         pam_userdb.so
pam_debug.so     pam_group.so   pam_listfile.so   pam_permit.so       pam_shells.so     pam_unix_acct.so    pam_warn.so
pam_deny.so      pam_issue.so   pam_mail.so       pam_pwdfile.so      pam_stress.so     pam_unix_auth.so    pam_wheel.so
pam_env.so       pam_krb5.so    pam_mkhomedir.so  pam_rhosts_auth.so  pam_tally.so      pam_unix_passwd.so

poseidon:/etc/pam.d#


Everything is there...


Alexis Sukrieh (sukria), <[EMAIL PROTECTED]>
. homepage - [http://sukria.net]
. clef PGP - [http://sukria.net/print.php?c=privacy]
. mydynaweb - [http://www.mydynaweb.net]
__



Re: Probem with openssh and pam modules

2002-10-02 Thread Giacomo Mulas
since openssh v3.3 was released, I never got it to work well with
PAM. I think it has something to do with privilege separation, whereby
the listening daemon is unable to use PAM due to insufficient privileges,
since it is running as an unprivileged user. Is PAMAuthenticationViaKbdInt
enabled? Try disabling just that. From README.Debian in
/usr/share/doc/ssh:

"Unfortunately, privilege separation interacts badly with PAM. Any PAM
session modules that need to run as root (pam_mkhomedir, for example)
will fail, and PAM keyboard-interactive authentication won't work."


Bye
Giacomo

-- 
_

Giacomo Mulas <[EMAIL PROTECTED], [EMAIL PROTECTED]>
_

OSSERVATORIO ASTRONOMICO DI CAGLIARI
Str. 54, Loc. Poggio dei Pini * 09012 Capoterra (CA)

Tel.: +39 070 71180 248 Fax : +39 070 71180 222
_

"When the storms are raging around you, stay right where you are"
 (Freddy Mercury)
_



Re: Probem with openssh and pam modules

2002-10-02 Thread Alexis Sukrieh

At 17:25 02/10/2002 +0200, Giacomo Mulas wrote:

> since openssh v3.3 was released, I never got it to work well with
> PAM. I think it has something to do with privilege separation, whereby
> the listening daemon is unable to use PAM due to insufficient privileges,
> since it is running as an unprivileged user. Is PAMAuthenticationViaKbdInt
> enabled? Try disabling just that. From README.Debian in
> /usr/share/doc/ssh:


Well, again it is not the solution for me !
It is yet turned off

is this a common problem ??? I'm surprised in the way that every 
intelligent solutions you all provide to me are ineffective...


is the ssh package young in the unstable branch ?



Alexis Sukrieh (sukria), <[EMAIL PROTECTED]>
. homepage - [http://sukria.net]
. clef PGP - [http://sukria.net/print.php?c=privacy]
. mydynaweb - [http://www.mydynaweb.net]
__



Re: Probem with openssh and pam modules

2002-10-02 Thread Anne Carasik
This one time, Alexis Sukrieh wrote:
> Well, again it is not the solution for me !
> It is yet turned off

Hmmm.. not sure. 

> is this a common problem ??? I'm surprised in the way that every 
> intelligent solutions you all provide to me are ineffective...

Hmmm.. try apt-get remove --purge openssh and reinstall it
after you get PAM working.

> is the ssh package young in the unstable branch ?

I haven't had any problems, but it is unstable after all ;)

-Anne
-- 
  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   gator at cacr dot caltech dot edu 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~





Re: Probem with openssh and pam modules

2002-10-02 Thread Marcus Beranek
On Wednesday, 2 October 2002 17:01, Alexis Sukrieh wrote:
> At 16:56 02/10/2002 +0200, [EMAIL PROTECTED] wrote:
> >did you check all modules invoked in /etc/pam.d/ssh can be found
> >in /lib/security/  ?
>
> Yes it can be found.
>
> here, take a look :

Hi, 

just a guess:
What about disabling all "session"-entries except the first in the 
/etc/pam.d/ssh like this:

auth       required     pam_nologin.so
auth       required     pam_unix.so
auth       required     pam_env.so # [1]
account    required     pam_unix.so
session    required     pam_unix.so
#session    optional     pam_lastlog.so # [1]
#session    optional     pam_motd.so # [1]
#session    optional     pam_mail.so standard noenv # [1]
#session    required     pam_limits.so
password   required     pam_unix.so

Well, the debug-msg says something about a failed session
>> debug1: PAM setting tty to "/dev/pts/3"
>> PAM session setup failed[28]: Module is unknown

another guess:
maybe the kernel has no support for the pseudo-terminal pty or the 
/dev/pty-filesystem compiled in?

HTH,
Marcus


> __
> poseidon:/etc/pam.d# cat /etc/pam.d/ssh
> #%PAM-1.0
> auth       required     pam_nologin.so
> auth       required     pam_unix.so
> auth       required     pam_env.so # [1]
>
> account    required     pam_unix.so
>
> session    required     pam_unix.so
> session    optional     pam_lastlog.so # [1]
> session    optional     pam_motd.so # [1]
> session    optional     pam_mail.so standard noenv # [1]
> session    required     pam_limits.so
>
> password   required     pam_unix.so
>
> # Alternate strength checking for password. Note that this
> # requires the libpam-cracklib package to be installed.
> # You will need to comment out the password line above and
> # uncomment the next two in order to use this.
> #
> # password required   pam_cracklib.so retry=3 minlen=6 difok=3
> # password required   pam_unix.so use_authtok nullok md5
>
> poseidon:/etc/pam.d# ls /lib/security/
> pam_access.so    pam_filter.so  pam_lastlog.so    pam_motd.so         pam_rootok.so     pam_time.so         pam_unix_session.so
> pam_cracklib.so  pam_ftp.so     pam_limits.so     pam_nologin.so      pam_securetty.so  pam_unix.so         pam_userdb.so
> pam_debug.so     pam_group.so   pam_listfile.so   pam_permit.so       pam_shells.so     pam_unix_acct.so    pam_warn.so
> pam_deny.so      pam_issue.so   pam_mail.so       pam_pwdfile.so      pam_stress.so     pam_unix_auth.so    pam_wheel.so
> pam_env.so       pam_krb5.so    pam_mkhomedir.so  pam_rhosts_auth.so  pam_tally.so      pam_unix_passwd.so
> poseidon:/etc/pam.d#
>
>
> Everything is there...
>
>
> Alexis Sukrieh (sukria), <[EMAIL PROTECTED]>
> . homepage - [http://sukria.net]
> . clef PGP - [http://sukria.net/print.php?c=privacy]
> . mydynaweb - [http://www.mydynaweb.net]
> __



Re: Probem with openssh and pam modules

2002-10-02 Thread Alexis Sukrieh
And the winner is .
 
> just a guess:
> What about disabling all "session"-entries except the first in the 
> /etc/pam.d/shh like this:

Marcus !!

Wünderbar ! :)
 
It works when I disable other session entries.
Thanks a lot to all of you, I'm really happy to come back to ssh (telnet
sucks !)

> auth   required pam_nologin.so
> auth   required pam_unix.so
> auth   required pam_env.so # [1]
> account    required pam_unix.so
> session    required pam_unix.so
> #session    optional pam_lastlog.so # [1]
> #session    optional pam_motd.so # [1]
> #session    optional pam_mail.so standard noenv # [1]
> #session    required pam_limits.so
> password   required pam_unix.so
> 
-- 
___

Alexis Sukrieh, <[EMAIL PROTECTED]>
Web : http://www.sukria.net
___




Re: Probem with openssh and pam modules

2002-10-02 Thread Lupe Christoph
Correct me if I'm wrong, but don't we expect people who run unstable to
diagnose problems themselves? If they can't they should be running stable
or at least testing?

Unstable is not just a name...
Lupe Christoph

On Wednesday, 2002-10-02 at 09:44:38 -0700, Anne Carasik wrote:
> This one time, Alexis Sukrieh wrote:
> > Well, again it is not the solution for me !
> > It is yet turned off

> Hmmm.. not sure. 

> > is this a common problem ??? I'm surprised in the way that every 
> > intelligent solutions you all provide to me are ineffective...

> Hmmm.. try apt-get remove --purge openssh and reinstall it
> after you get PAM working.

> > is the ssh package young in the unstable branch ?

> I haven't had any problems, but it is unstable after all ;)

> -Anne
> -- 
>   .-"".__."``".   Anne Carasik, System Administrator
>  .-.--. _...' (/)   (/)   ``'   gator at cacr dot caltech dot edu 
> (O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
> ~`~~



--- Also sprach Anne Carasik ---

-- 
| [EMAIL PROTECTED]   |   http://www.lupe-christoph.de/ |
| Big Misunderstandings #6398: The Titanic was not supposed to be|
| unsinkable. The designer had a speech impediment. He said: "I have |
| thith great unthinkable conthept ..."  |



Re: Probem with openssh and pam modules

2002-10-02 Thread Anne Carasik
This one time, Lupe Christoph wrote:
> Correct me if I'm wrong, but don't we expect people who run unstable to
> diagnose problems themselves? If they can't they should be running stable
> or at least testing?

I think there's nothing wrong with helping someone out, no matter
which group they're running. Why should it matter? Isn't this mailing
list called debian-security? Not debian-security-stable.

> Unstable is not just a name...

Neither is testing nor stable :)

-Anne
-- 
  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   gator at cacr dot caltech dot edu 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~





Re: Probem with openssh and pam modules

2002-10-02 Thread Alexis Sukrieh
On Wed, 2002-10-02 at 21:13, Lupe Christoph wrote:
> Correct me if I'm wrong, but don't we expect people who run unstable to
> diagnose problems themselves? If they can't they should be running stable
> or at least testing?

Excuse me sir ! 

But well, if I run unstable and I find a strange problem with such an
important package, I have to tell the debian community.
I think that's one of the purposes of that mailing-list : knowing
problems coming with the packages.

And, I was diagnosing my problems ! I was not just waiting for the
solution, I was working with all people who helped me. And I thank them
very much.

If tomorrow, another important issue comes up to me with a debian
package, I'll do it again. That's what debian mailing-lists are for :
communicating !

> Unstable is not just a name...

No, it's a way of life |-)


-- 
___

Alexis Sukrieh, <[EMAIL PROTECTED]>
Web : http://www.sukria.net
___




Re: Probem with openssh and pam modules

2002-10-03 Thread Marcus Beranek
On Wednesday, 2 October 2002 22:38, Alexis Sukrieh wrote:
> And the winner is .
>
> > just a guess:
> > What about disabling all "session"-entries except the first in the
> > /etc/pam.d/shh like this:
>
> Marcus !!
>
> Wünderbar ! :)

:-)

> It works when I disable other session entries.
> Thanks a lot to all of you, I'm really happy to come back to ssh (telnet
> sucks !)

Okay, you might also want to enable the session modules one after another, so you can 
track down which of them exactly fails, or whether all of them fail... 

Regards,
Marcus
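
Added example, not part of the original thread: Linux-PAM returns error 28, PAM_MODULE_UNKNOWN ("Module is unknown"), when a configured module cannot be loaded or does not export the entry point for the requested group, so the one-by-one test above can be narrowed down by checking each active session line directly. The function names and status strings are hypothetical; /lib/security and /etc/pam.d/ssh are the paths quoted in the thread.

```python
import ctypes
import os

# Entry point a module must export for each PAM management group.
HOOKS = {"auth": "pam_sm_authenticate", "account": "pam_sm_acct_mgmt",
         "session": "pam_sm_open_session", "password": "pam_sm_chauthtok"}

def parse_service(text):
    """Yield (lineno, type, control, module) for each active service-file line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()      # commented-out entries vanish
        if len(fields) < 3 or fields[0].lstrip("-") not in HOOKS:
            continue
        end = 1                                    # index of last control token
        if fields[1].startswith("["):              # [value=action ...] form
            while end < len(fields) - 1 and not fields[end].endswith("]"):
                end += 1
        if end + 1 < len(fields):
            yield (lineno, fields[0].lstrip("-"),
                   " ".join(fields[1:end + 1]), fields[end + 1])

def check_module(mtype, module, module_dirs):
    """Return 'ok', 'missing', 'unloadable' or 'no-hook' for one entry."""
    paths = [module] if os.path.isabs(module) else [
        os.path.join(d, module) for d in module_dirs]
    path = next((p for p in paths if os.path.isfile(p)), None)
    if path is None:
        return "missing"
    try:
        lib = ctypes.CDLL(path)                    # dlopen(), as libpam does
    except OSError:
        return "unloadable"                        # bad file or unmet dependency
    return "ok" if hasattr(lib, HOOKS[mtype]) else "no-hook"

def audit(text, module_dirs=("/lib/security",), only="session"):
    """Return [(lineno, module, status)] for active entries of one type."""
    return [(n, mod, check_module(t, mod, module_dirs))
            for n, t, _ctl, mod in parse_service(text) if t == only]

if __name__ == "__main__":
    # Path taken from the thread; adjust to the service file under test.
    with open("/etc/pam.d/ssh") as fh:
        for lineno, module, status in audit(fh.read()):
            print(f"line {lineno}: {module}: {status}")
```

A module can appear in an ls of /lib/security and still come back as unloadable or no-hook; those are the cases a directory listing cannot show.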



Re: Probem with openssh and pam modules

2002-10-07 Thread Peter Cordes
On Wed, Oct 02, 2002 at 11:13:06PM +0200, Lupe Christoph wrote:
> Correct me if I'm wrong, but don't we expect people who run unstable to
> diagnose problems themselves?

 No, we don't.  We hope people running unstable report any problems they run
into, so that information can be used to improve Debian, and hopefully
prevent others from running into the same problem with a future version of
the package.  (I'm not a Debian developer, so I hope I haven't been
presumptuous in saying "we".)  There are lots of people who can make useful
bug reports or mailing list posts about problems they run into who don't
have the time or the inclination to fix every problem they find.

> If they can't they should be running stable
> or at least testing?

 Anyone who is willing to deal with problems should run unstable to help
test it, so that it can go into testing, and later become stable.

-- 
#define X(x,y) x##y
Peter Cordes ;  e-mail: X([EMAIL PROTECTED] , ns.ca)

"The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack
 my day so wretchedly into small pieces!" -- Plautus, 200 BC



Re: Probem with openssh and pam modules

2002-10-07 Thread Matt Zimmerman
On Wed, Oct 02, 2002 at 11:32:10PM +, Alexis Sukrieh wrote:

> But well, if I run unstable and I find a strange problem with such an
> important package, I have to tell the debian community.  I think that's
> one of the purposes of that mailing-list : knowing problems coming with the
> packages.

Yes, that is reasonable, and there are mailing lists for that (such as
debian-user), but debian-security is not such a list.  The fact that this
problem happened to be in ssh does not make it a matter of system security.
The same could be said of many threads on this list.

-- 
 - mdz