Bad Password - #010#012#015#177INCORRECT : ssh -> pam -> libpam_sqlite -> sqlite3


Sangeeth Saravanaraj
Mar 5, 2014, 1:46:18 PM
I want to configure secure shell access to a Linux machine where allowed
users are stored in an sqlite3 database and not in the /etc/passwd,
/etc/shadow and /etc/group. I use PAM for user authentication. In this case
I use libpam_sqlite <https://github.com/sangeeths/libpam-sqlite/blob/master/README_pam_sqlite3>, which
performs PAM actions like auth, account, password, etc. on user data
stored in an sqlite3 database.

I have the following configuration in my /etc/pam.d/sshd

auth required /lib/security/pam_sqlite3.so
account required /lib/security/pam_sqlite3.so
password required /lib/security/pam_sqlite3.so

When I tried to ssh to the box using a userid which is residing in the
sqlite3 database only (and not in /etc/passwd), the authentication failed.
The problem I found was, when an ssh is attempted, OpenSSH module is trying
to get the user info from the /etc/passwd file and when it found that the
user does not exist, it passes "#010#012#015#177INCORRECT" as the password
(and discards the password entered by the user) to the libpam_sqlite
module. Then obviously the libpam_sqlite3 denies access to the user because
the password is incorrect!

When I looked into the OpenSSH code, I found that getpwnam() in
auth.c::getpwnamallow() sets pw = NULL and so the following message appears!

debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 0
Invalid user XXXXXX from A.B.C.D

Now, to the questions:

1. Why does OpenSSH replace the password entered by the user with the
bad password - "\b\n\r\177INCORRECT" when the user is not present in the
/etc/passwd file?
2. Is there a way to tell OpenSSH not to override the password entered
by the user?
3. Is it really possible to authenticate a user based on an sqlite3
database when the user record is not present in the /etc/passwd,
/etc/shadow and /etc/group?

Thank you,

Sangeeth
_______________________________________________
openssh-unix-dev mailing list
openssh-...@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

Karl O. Pinc
Mar 5, 2014, 2:00:41 PM
On 03/05/2014 12:46:18 PM, Sangeeth Saravanaraj wrote:
> I want to configure secure shell access to a Linux machine where
> allowed
> users are stored in an sqlite3 database and not in the /etc/passwd,
> /etc/shadow and /etc/group. I use PAM for user authentication.

I can't speak to the internals but have you set
UsePAM Yes in sshd_config?



Karl <k...@meme.com>
Free Software: "You don't pay back, you pay forward."
-- Robert A. Heinlein

Sangeeth Saravanaraj
Mar 5, 2014, 2:02:03 PM
On Thu, Mar 6, 2014 at 12:30 AM, Karl O. Pinc <k...@meme.com> wrote:

> On 03/05/2014 12:46:18 PM, Sangeeth Saravanaraj wrote:
> > I want to configure secure shell access to a Linux machine where
> > allowed
> > users are stored in an sqlite3 database and not in the /etc/passwd,
> > /etc/shadow and /etc/group. I use PAM for user authentication.
>
> I can't speak to the internals but have you set
> UsePAM Yes in sshd_config?
>

Of course, Yes!

Seth Ellsworth
Mar 5, 2014, 2:06:42 PM
A user consists of two parts: Identity and Authentication.

/etc/passwd is Identity. The user's uid, home directory, etc.
/etc/shadow is Authentication. Their password (hashed).

PAM is Pluggable Authentication Module.
It only handles Authentication.

The user still has to have an Identity at the NSS layer.
( NSS == Name Service Switch )

ssh -> nss -> nsswitch.conf -> sqlite3
Is there an nss module also configured for sqlite3?

Seth Ellsworth




Tim Broberg
Mar 5, 2014, 3:12:20 PM
I hope you can forgive the meta-comment, but that might just be the
highest signal to noise ratio post I've ever seen.

(Perhaps some noise was needed to restore balance.)
- Tim.


Sangeeth Saravanaraj
Mar 5, 2014, 5:01:25 PM
On Thu, Mar 6, 2014 at 12:36 AM, Seth Ellsworth <
Seth.El...@software.dell.com> wrote:

> A user consists of two parts: Identity and Authentication.
>
> /etc/passwd is Identity. The user's uid, home directory, etc.
> /etc/shadow is Authentication. Their password (hashed).
>
> PAM is Pluggable Authentication Module.
> It only handles Authentication.
>
> The user still has to have an Identity at the NSS layer.
> ( NSS == Name Service Switch )
>
> ssh -> nss -> nsswitch.conf -> sqlite3
> Is there an nss module also configured for sqlite3?
>

Hi Seth,

Thanks for your comments! It really helped.

I configured libnss-sqlite module to work with the sqlite3 database which
contains user information. Also, I updated passwd, shadow and group config
in /etc/nsswitch.conf to work with sqlite.

With this setting, I was able to ssh to the Linux machine where all user
information is stored in an Sqlite3 database.

Thank you,

Sangeeth



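The two-layer check Seth describes and the configuration Sangeeth ended up with (pam_sqlite3.so in /etc/pam.d/sshd, plus the sqlite source in the passwd, shadow and group lines of /etc/nsswitch.conf) can be verified from the files themselves before any ssh attempt. The script below is an added example, not code from the thread or from the libpam-sqlite or libnss-sqlite projects; the three sample file contents are constructed, and the source name `sqlite` and module name `pam_sqlite3.so` are taken from the thread.

```python
"""Check that a host has both halves of a user wired up: identity (NSS,
/etc/nsswitch.conf) and authentication (PAM, /etc/pam.d/sshd), plus
UsePAM in sshd_config. Added example; the file contents are constructed."""

import re

# Constructed /etc/nsswitch.conf matching the final reply in the thread:
# passwd, shadow and group consult the sqlite NSS module after files.
SAMPLE_NSSWITCH = """\
# /etc/nsswitch.conf (constructed sample)
passwd:         files sqlite
group:          files sqlite
shadow:         files sqlite
hosts:          files dns [NOTFOUND=return] myhostname
"""

# Constructed /etc/pam.d/sshd using the three lines from the first post.
SAMPLE_PAM_SSHD = """\
# /etc/pam.d/sshd (constructed sample)
auth     required /lib/security/pam_sqlite3.so
account  required /lib/security/pam_sqlite3.so
password required /lib/security/pam_sqlite3.so
"""

# Constructed sshd_config fragment with the setting Karl asked about.
SAMPLE_SSHD_CONFIG = "Port 22\nUsePAM yes\n"

def parse_nsswitch(text):
    """Return {database: [source, ...]}, ignoring comments and the
    bracketed action specifiers such as [NOTFOUND=return]."""
    databases = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        name, _, rest = line.partition(":")
        rest = re.sub(r"\[[^\]]*\]", " ", rest)  # drop [STATUS=action] groups
        databases[name.strip()] = rest.split()
    return databases

def parse_pam(text):
    """Return {management group: [module file name, ...]} for a PAM service file."""
    stacks = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 3:
            continue
        mtype = fields[0].lstrip("-")          # "-auth" means silently optional
        module = fields[2].rsplit("/", 1)[-1]  # keep only the .so name
        stacks.setdefault(mtype, []).append(module)
    return stacks

def missing_nss_sources(nsswitch_text, source="sqlite"):
    """Databases among passwd/shadow/group that do not consult `source`.
    A user with no entry there has no identity, so sshd's getpwnam()
    fails before the PAM stack ever sees the real password."""
    db = parse_nsswitch(nsswitch_text)
    return [n for n in ("passwd", "shadow", "group") if source not in db.get(n, [])]

def missing_pam_types(pam_text, module="pam_sqlite3.so"):
    """Management groups among auth/account/password not backed by `module`."""
    stacks = parse_pam(pam_text)
    return [t for t in ("auth", "account", "password") if module not in stacks.get(t, [])]

def use_pam_enabled(sshd_config_text):
    """True if sshd_config sets UsePAM yes (keyword is case-insensitive)."""
    for line in sshd_config_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0].lower() == "usepam":
            return fields[1].lower() == "yes"
    return False  # OpenSSH's default for UsePAM is no

def check_host(nsswitch_text, pam_text, sshd_config_text):
    """Summarise all three layers; an empty dict means everything is wired."""
    problems = {}
    if (nss := missing_nss_sources(nsswitch_text)):
        problems["nss"] = nss
    if (pam := missing_pam_types(pam_text)):
        problems["pam"] = pam
    if not use_pam_enabled(sshd_config_text):
        problems["sshd_config"] = ["UsePAM is not yes"]
    return problems

if __name__ == "__main__":
    print("fixed host:", check_host(SAMPLE_NSSWITCH, SAMPLE_PAM_SSHD, SAMPLE_SSHD_CONFIG) or "OK")
    # The original poster's first attempt: PAM configured, NSS untouched.
    pam_only = SAMPLE_NSSWITCH.replace(" sqlite", "")
    print("PAM only:  ", check_host(pam_only, SAMPLE_PAM_SSHD, SAMPLE_SSHD_CONFIG))
```

Run against the real files, the script reports the same gap Seth pointed out: an `nss` entry listing passwd, shadow and group means the user can exist in the PAM module's table and still be "Invalid user" to sshd.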
Ángel González
Mar 5, 2014, 5:28:51 PM
For future archive searchers:
> Why does OpenSSH replaces the password entered by the user with the
> bad password - "\b\n\r\177INCORRECT

There are some situations where sshd determines a user can't log in.
Typical samples of that are DenyUsers or PermitRootLogin.
In those cases sshd *still* calls PAM, so that delays set by it are
still applied to the user (without leaking info about accounts
existing, disabled, etc.). But in order to ensure it can't succeed, it
replaces the password with that impossible one.
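A small model of the behaviour described above, added here as an example and not OpenSSH's own code: identity is resolved first, and when that fails the PAM stack still runs, but with the substitute password, so the caller gets the same denial (and the same PAM-imposed delay) as for a wrong password. The two tables stand in for /etc/passwd (or an NSS module) and the PAM module's sqlite data and are constructed; the only literal taken from the thread is the substituted password.

```python
"""Model of sshd's password path: NSS identity lookup, then PAM with the
typed password, or with BADPW when the user has no identity. Added
example, not OpenSSH code; NSS_USERS and PAM_CREDENTIALS are constructed."""

import hashlib
import hmac
import os

# The substitute password quoted in the thread: "\b\n\r\177INCORRECT".
BADPW = "\b\n\r\x7fINCORRECT"

def make_credential(password):
    """Salted PBKDF2 hash standing in for whatever the PAM module stores."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

# Identity layer: the names getpwnam() can see. Constructed.
NSS_USERS = frozenset({"alice"})

# Authentication layer: the table the PAM module checks. Constructed; "bob"
# is the original poster's situation: credentials exist, identity does not.
PAM_CREDENTIALS = {
    "alice": make_credential("correct horse"),
    "bob": make_credential("battery staple"),
}

def nss_getpwnam(user, nss_users=NSS_USERS):
    """None here is what sshd logs as 'Invalid user ... from ...'."""
    return user if user in nss_users else None

class PamStack:
    """Counts calls so it is visible that PAM runs on every attempt."""
    def __init__(self):
        self.calls = 0

    def authenticate(self, user, password):
        self.calls += 1
        record = PAM_CREDENTIALS.get(user)
        if record is None:
            return False
        salt, stored = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)
        return hmac.compare_digest(candidate, stored)  # constant-time compare

def sshd_password_auth(pam, user, password, nss_users=NSS_USERS):
    """True only when the user has an identity and the password matches.
    Without an identity the typed password is discarded and PAM is run
    with BADPW, so the attempt fails exactly as a wrong password would."""
    if nss_getpwnam(user, nss_users) is None:
        password = BADPW
    return pam.authenticate(user, password)

if __name__ == "__main__":
    pam = PamStack()
    for user, pw in [("alice", "correct horse"), ("alice", "wrong"),
                     ("bob", "battery staple"), ("carol", "anything")]:
        verdict = "accepted" if sshd_password_auth(pam, user, pw) else "denied"
        print(f"{user:6} -> {verdict}")
    # The fix from the thread: make bob visible to NSS as well as to PAM.
    fixed = NSS_USERS | {"bob"}
    verdict = "accepted" if sshd_password_auth(pam, "bob", "battery staple", fixed) else "denied"
    print(f"bob after NSS fix -> {verdict}")
    print(f"PAM invoked {pam.calls} times")
```

Two properties are worth noticing in the model: `pam.calls` grows by one for every attempt whether or not the user exists, which is what keeps the response indistinguishable, and bob's correct password is rejected until his name is added to the identity set, which is the failure the original poster saw.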