[Techtalk] Re: SSH authentication via PAM-MySQL

Aneesha Govil popcorn09 at gmail.com
Thu Apr 5 06:59:46 UTC 2007


On 4/4/07, Wim De Smet <kromagg at gmail.com> wrote:
>
> On 4/3/07, Aneesha Govil <popcorn09 at gmail.com> wrote:
> > On 4/3/07, Wim De Smet <kromagg at gmail.com> wrote:
> > > On 4/3/07, Aneesha Govil <popcorn09 at gmail.com> wrote:
> > > > Missed the error message -
> > > >
> > > > On 4/3/07, Aneesha Govil <popcorn09 at gmail.com > wrote:
> > > > >
> > > > > Hi,
> > > > >
> > > > > At work I have a requirement wherein I want to authenticate SSH users
> > > > > based on the usernames and passwords in a table in a MySQL database. I am
> > > > > able to get it to use the passwords from the table but it is not picking up
> > > > > the usernames. For example - if I add information as - testuser /
> > > > > testpassword in the table and SSH as:
> > > > >
> > > > > ssh testuser@localhost
> > > >
> > > >
> > > > In the logs I get the error - Invalid user testuser from 127.0.0.1
> > >
> > > Could you also enable mysql query logging and look at the queries
> > > you're getting? I believe this would help track the problem down.
> >
> > The queries are turned on and working fine. The invalid user error happens
> > before the query fires at all. All the auth, account etc stuff happens after
> > that error.
>
> In that case I think the most likely culprit is sshd not using PAM.
> There should be a line in the sshd_config (/etc/ssh/sshd_config on
> debian) that says:
> UsePAM yes
>
> My sshd_config also has the following slightly confusing section:
> #Privilege Separation is turned on for security
> UsePrivilegeSeparation yes
>
> # ...but breaks Pam auth via kbdint, so we have to turn it off
> # Use PAM authentication via keyboard-interactive so PAM modules can
> # properly interface with the user (off due to PrivSep)
> #PAMAuthenticationViaKbdInt no
>
> If your config has the same settings, probably best to disable
> privilege separation and set PAMAuthenticationViaKbdInt to yes. This
> might have some security implications, I'm not sure.
>

UsePrivilegeSeparation is disabled. But if I set PAMAuthenticationViaKbdInt
to yes, I get this error when I restart sshd.

Starting SSH daemon/etc/ssh/sshd_config line 101: Deprecated option
PAMAuthenticationViaKbdInt

I am using OpenSSH_4.4p1, OpenSSL 0.9.8d 28 Sep 2006
Is there any alternative in the new version?

Thanks,
Aneesha
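
An added example, not part of the original message or thread: a small Python check for the sshd_config directives discussed above (UsePAM and the deprecated PAMAuthenticationViaKbdInt). It assumes sshd's first-value-wins rule per keyword and a compiled-in default of "UsePAM no"; the function names and the sample config are constructed here.

```python
# Added example: audit the sshd_config directives discussed in this thread.

# The one option this thread shows sshd rejecting as deprecated.
DEPRECATED = {"pamauthenticationviakbdint"}

# Constructed sample, modelled on the fragments quoted in the thread.
SAMPLE_CONFIG = """\
# Privilege Separation is turned on for security
UsePrivilegeSeparation no
UsePAM yes
PAMAuthenticationViaKbdInt yes
usepam no
"""


def parse_sshd_config(text):
    """Return (effective, deprecated_hits) for the global section.

    Keywords are case-insensitive and the first value seen for a keyword wins.
    """
    effective, hits = {}, []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0]
        value = parts[1].strip() if len(parts) > 1 else ""
        key = keyword.lower()
        if key == "match":
            break  # settings after Match are conditional, not global
        if key in DEPRECATED:
            hits.append((lineno, keyword))
        effective.setdefault(key, value.lower())
    return effective, hits


def audit(text):
    """Return findings relevant to PAM-backed SSH logins."""
    effective, hits = parse_sshd_config(text)
    findings = []
    # Assumption: the compiled-in default for UsePAM is "no".
    if effective.get("usepam", "no") != "yes":
        findings.append("UsePAM is not 'yes': PAM modules will not be consulted")
    for lineno, keyword in hits:
        findings.append(f"line {lineno}: deprecated option {keyword}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```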

