
KB-0983: authentication fails via ssh when "password" method is used

Centrify DirectAudit ,   Centrify DirectControl ,   Centrify Identity Service, Mac Edition ,  

12 April,16 at 11:02 AM

Applies to: DirectControl 4.x, 5.x and above, with Sun SSH 1.1 on Solaris

Question:

Why does authentication fail via an ssh client (for example SecureCRT) when the "password" authentication method is used? Sample error messages:

 

jackie@localhost's password:
Permission denied, please try again.
jackie@localhost's password:
Permission denied, please try again.
jackie@localhost's password:
Permission denied

 

Answer:

The issue occurs when the Centrify PAM module asks for the password through the pam_conv callback that Sun SSHD registers: for the "password" authentication method, that callback answers every PAM_PROMPT_ECHO_OFF prompt with PAM_CONV_ERR, so the module never receives the password and reports failure regardless of whether the password was correct.

There are a couple of workarounds for this issue:

 

Option 1) Force the SSHD server and client to use keyboard-interactive authentication.

To do this, set the following in /etc/ssh/sshd_config on the Solaris host and restart sshd (on Solaris 10: svcadm restart svc:/network/ssh:default):

KbdInteractiveAuthentication yes
PasswordAuthentication no

With PasswordAuthentication off, sshd no longer offers the "password" method, so the client must also offer keyboard-interactive (SecureCRT treats it as a separate, selectable authentication method; with an OpenSSH client, ssh -o PreferredAuthentications=keyboard-interactive forces it for a test). Keyboard-interactive is unaffected because Sun SSHD services it through a separate PAM conversation function that does answer password prompts (see the Notes below).

For details on these options, see the following Sun website.
http://docs.sun.com/app/docs/doc/816-5174/sshd-config-4?a=view

Option 2) Install Centrify's OpenSSH server.

Centrify's sshd is built from the open-source OpenSSH sshd, whose password conversation function hands the client's password to the PAM module, so it is not affected by this issue.

 

Notes:

More details about the problem, which can be used to open a ticket with Sun Support:

When the Centrify PAM module calls Sun SSHD's pam_conv callback, the callback simply returns PAM_CONV_ERR if the PAM message type is PAM_PROMPT_ECHO_OFF. Solaris sshd keyboard-interactive works because it uses a different PAM conversation function, do_pam_conv_kbd_int. Its source code is here:

http://cvs.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/cmd/ssh/sshd/auth2-pam.c#do_pam_conv_kbd_int

See the partial code from the password-method conversation function in
http://cvs.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/cmd/ssh/sshd/auth-pam.c

 

(Note that it returns PAM_CONV_ERR for PAM_PROMPT_ECHO_OFF, PAM_PROMPT_ECHO_ON and the default case alike; only informational messages get a response.)

        switch (PAM_MSG_MEMBER(msg, count, msg_style)) {
        case PAM_PROMPT_ECHO_ON:
                xfree(reply);
                return PAM_CONV_ERR;
        case PAM_PROMPT_ECHO_OFF:
                /* the password prompt: refused, so the module never gets the password */
                xfree(reply);
                return PAM_CONV_ERR;
                break;
        case PAM_ERROR_MSG:
        case PAM_TEXT_INFO:
                /* informational text is collected for the login message */
                if (PAM_MSG_MEMBER(msg, count, msg) != NULL) {
                        message_cat(&__pam_msg,
                            PAM_MSG_MEMBER(msg, count, msg));
                }
                reply[count].resp = xstrdup("");
                reply[count].resp_retcode = PAM_SUCCESS;
                break;
        default:
                xfree(reply);
                return PAM_CONV_ERR;

So this failure only exists in the Solaris sshd "password" authentication method.

OpenSSH handles this correctly: its password conversation function answers a PAM_PROMPT_ECHO_OFF prompt with the password the client already sent in the SSH "password" request. Since Centrify OpenSSH is built from OpenSSH, you will not see this problem there. Here is how OpenSSH implements this (from auth-pam.c):

        case PAM_PROMPT_ECHO_OFF:
                /* answer the password prompt with the password the client sent */
                if (sshpam_password == NULL)
                        goto fail;
                if ((reply[i].resp = strdup(sshpam_password)) == NULL)
                        goto fail;
                reply[i].resp_retcode = PAM_SUCCESS;
                break;
        case PAM_ERROR_MSG:
        case PAM_TEXT_INFO:
                /* queue informational text for the login message */
                len = strlen(PAM_MSG_MEMBER(msg, i, msg));
                if (len > 0) {
                        buffer_append(&loginmsg,
                            PAM_MSG_MEMBER(msg, i, msg), len);
                        buffer_append(&loginmsg, "\n", 1);
                }
                if ((reply[i].resp = strdup("")) == NULL)
                        goto fail;
                reply[i].resp_retcode = PAM_SUCCESS;
                break;
        default:
                goto fail;
        }

 

Notes: After several discussions with Sun, Sun's engineers were not willing to accept this as a bug in Sun SSHD; their position is that OpenSSH is not following the proper PAM protocol. Sun SSH engineers filed a bug with the OpenSSH developers.

 

Please see the bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1681

With Centrify DirectControl 5.x and above the behaviour is unchanged: an AD user still fails to log in through the stock (built-in) Sun_SSH_1.1 on Solaris 10 with the "password" method but succeeds with keyboard-interactive. In the session below, the bare "Password:" prompt is the keyboard-interactive prompt issued through PAM, while "zeratul@localhost's password:" is the ssh client's own prompt for the "password" method; the final "Permission denied" line lists every method the server offered.

bash-3.00# uname -a
SunOS solaris10u7 5.10 Generic_139555-08 sun4u sparc SUNW,Sun-Fire-V240
bash-3.00# ssh -v 2>&1|head -1
Sun_SSH_1.1.1, SSH protocols 1.5/2.0, OpenSSL 0x0090704f
bash-3.00# cat /etc/ssh/sshd_config | egrep '^PAMAuthenti|^PasswordAu'
PAMAuthenticationViaKBDInt yes

bash-3.00# adinfo -v
adinfo (CentrifyDC 5.1.0-293)

bash-3.00# ssh localhost -l zeratul@aiur.land
Password: 
Last login: Tue Oct  8 16:50:40 2013 from localhost
Sun Microsystems Inc.   SunOS 5.10      Generic January 2005
-bash-3.00$ id
uid=30003(zeratul) gid=20000(lair)
-bash-3.00$ exit
logout
Connection to localhost closed.

bash-3.00# cat /etc/ssh/sshd_config | egrep '^PAMAuthenti|^PasswordAu'
PasswordAuthentication yes
bash-3.00# /lib/svc/method/sshd restart
bash-3.00# ssh localhost -l zeratul
zeratul@localhost's password: 
Permission denied, please try again.
zeratul@localhost's password: 
Permission denied, please try again.
zeratul@localhost's password: 
Permission denied (gssapi-keyex,gssapi-with-mic,publickey,password,keyboard-interactive).
