12 April,16 at 11:02 AM
Applies to: DirectControl 4.x, 5.x and above with Sun SSH 1.1 on Solaris
Question:
Why does authentication fail via an ssh client (SecureCRT) when the "password" authentication method is used? Sample error messages:
jackie@localhost's password:
Permission denied, please try again.
jackie@localhost's password:
Permission denied, please try again.
jackie@localhost's password:
Permission denied
Answer:
The issue occurs when the Centrify PAM module calls the Sun SSHD pam_conv callback (to prompt for the password): for the "password" authentication method, that callback always returns PAM_CONV_ERR.
There are a couple of workarounds for this issue:
Option 1) Force the SSHD server and client to use Keyboard Interactive Authentication.
To do this, you can try setting the following in sshd_config:
KbdInteractiveAuthentication yes
PasswordAuthentication no
For details on these options, see the following Sun documentation page:
http://docs.sun.com/app/docs/doc/816-5174/sshd-config-4?a=view
Option 2) Install Centrify’s OpenSSH Server
Since Centrify’s SSHD server is based on the Open Source SSHD, it is not affected by this issue.
Notes:
More details about the problem, which can be used to open a ticket with Sun Support:
When the Centrify PAM module calls the Sun SSHD pam_conv, it simply returns PAM_CONV_ERR if the PAM message type is PAM_PROMPT_ECHO_OFF. Solaris sshd keyboard-interactive works because it uses a different PAM conversation function. The source code is here:
http://cvs.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/cmd/ssh/sshd/auth2-pam.c#do_pam_conv_kbd_int
See the partial code from
http://cvs.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/cmd/ssh/sshd/auth-pam.c
(note that it returns PAM_CONV_ERR for PAM_PROMPT_ECHO_OFF, PAM_PROMPT_ECHO_ON and the default case):
    switch(PAM_MSG_MEMBER(msg, count, msg_style)) {
    case PAM_PROMPT_ECHO_ON:
        xfree(reply);
        return PAM_CONV_ERR;
    case PAM_PROMPT_ECHO_OFF:    /* the hidden prompt a PAM module uses to ask for the password */
        xfree(reply);
        return PAM_CONV_ERR;     /* refused outright: the module never receives the password */
        break;
    case PAM_ERROR_MSG:
    case PAM_TEXT_INFO:
        if (PAM_MSG_MEMBER(msg, count, msg) != NULL) {
            message_cat(&__pam_msg,
                PAM_MSG_MEMBER(msg, count, msg));
        }
        reply[count].resp = xstrdup("");
        reply[count].resp_retcode = PAM_SUCCESS;
        break;
    default:
        xfree(reply);
        return PAM_CONV_ERR;
So this failure exists only in the Solaris sshd "password" authentication method.
OpenSSH handles this correctly; since Centrify OpenSSH is based on OpenSSH, you will not see this problem there. Here is how OpenSSH implemented this:
    case PAM_PROMPT_ECHO_OFF:
        /* answer the hidden prompt with the password the client already sent */
        if (sshpam_password == NULL)
            goto fail;
        if ((reply[i].resp = strdup(sshpam_password)) ==
            NULL)
            goto fail;
        reply[i].resp_retcode = PAM_SUCCESS;
        break;
    case PAM_ERROR_MSG:
    case PAM_TEXT_INFO:
        /* informational messages are collected for the login banner and acknowledged */
        len = strlen(PAM_MSG_MEMBER(msg, i, msg));
        if (len > 0) {
            buffer_append(&loginmsg,
                PAM_MSG_MEMBER(msg, i, msg), len);
            buffer_append(&loginmsg, "\n", 1);
        }
        if ((reply[i].resp = strdup("")) == NULL)
            goto fail;
        reply[i].resp_retcode = PAM_SUCCESS;
        break;
    default:
        goto fail;
    }
Notes: After several discussions with Sun, Sun engineers are not willing to accept the bug in Sun SSHD and think that OpenSSH is not following the proper PAM protocol. The Sun SSH engineers filed a bug with the OpenSSH developers.
Please see the bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1681
With Centrify DirectControl version 5.x and above, an AD user will still fail to log in using the stock (built-in) sun_ssh_1.1 on sol10 with 'passwd' but succeeds with kbd_int:
bash-3.00# uname -a
SunOS solaris10u7 5.10 Generic_139555-08 sun4u sparc SUNW,Sun-Fire-V240
bash-3.00# ssh -v 2>&1|head -1
Sun_SSH_1.1.1, SSH protocols 1.5/2.0, OpenSSL 0x0090704f
bash-3.00# cat /etc/ssh/sshd_config | egrep '^PAMAuthenti|^PasswordAu'
PAMAuthenticationViaKBDInt yes
bash-3.00# adinfo -v
adinfo (CentrifyDC 5.1.0-293)
bash-3.00# ssh localhost -l zeratul@aiur.land
Password:
Last login: Tue Oct 8 16:50:40 2013 from localhost
Sun Microsystems Inc.   SunOS 5.10      Generic January 2005
-bash-3.00$ id
uid=30003(zeratul) gid=20000(lair)
-bash-3.00$ exit
logout
Connection to localhost closed.
bash-3.00# cat /etc/ssh/sshd_config | egrep '^PAMAuthenti|^PasswordAu'
PasswordAuthentication yes
bash-3.00# /lib/svc/method/sshd restart
bash-3.00# ssh localhost -l zeratul
zeratul@localhost's password:
Permission denied, please try again.
zeratul@localhost's password:
Permission denied, please try again.
zeratul@localhost's password:
Permission denied (gssapi-keyex,gssapi-with-mic,publickey,password,keyboard-interactive).