[Techtalk] Re: SSH authentication via PAM-MySQL

Wim De Smet kromagg at gmail.com
Thu Apr 5 11:55:27 UTC 2007


On 4/5/07, Aneesha Govil <popcorn09 at gmail.com> wrote:
> On 4/4/07, Wim De Smet <kromagg at gmail.com> wrote:
> > In that case I think the most likely culprit is sshd not using PAM.
> > There should be a line in the sshd_config (/etc/ssh/sshd_config on
> > debian) that says:
> > UsePAM yes
> >
> > My sshd_config also has the following slightly confusing section:
> > #Privilege Separation is turned on for security
> > UsePrivilegeSeparation yes
> >
> > # ...but breaks Pam auth via kbdint, so we have to turn it off
> > # Use PAM authentication via keyboard-interactive so PAM modules can
> > # properly interface with the user (off due to PrivSep)
> > #PAMAuthenticationViaKbdInt no
> >
> > If your config has the same settings, probably best to disable
> > privilege separation and set PAMAuthenticationViaKbdInt to yes. This
> > might have some security implications, I'm not sure.
> >
>
> UsePrivilegeSeparation is disabled. But if I set PAMAuthenticationViaKbdInt
> to yes, I get this error when I restart sshd.
>
> Starting SSH daemon/etc/ssh/sshd_config line 101: Deprecated option
> PAMAuthenticationViaKbdInt
>
> I am using OpenSSH_4.4p1, OpenSSL 0.9.8d 28 Sep 2006
> Is there any alternative in the new version?

Hmm, I did some further digging. Apparently this option was only
necessary up to and including version 3.6. Privilege separation should
work okay with PAM in this version. Unfortunately lots of distros seem
to tweak the openssh PAM support here and there and it's kind of weird
how to configure it, so what works somewhere might not work elsewhere.

My sshd_config manpage has a section on PAM though that I did not find
on the openssh website and that might be useful:
"Because PAM challenge-response authentication usually serves an
equivalent role to password authentication, you should disable either
PasswordAuthentication or ChallengeResponseAuthentication."

So maybe try putting PrivilegeSeparation back on and try out all
combinations with those password authentication options (yes/yes,
yes/no, no/no) and see if it generates any queries. What distribution
is this btw? Might be a distro-specific howto out there somewhere.

hope this helps,
Wim
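As an added example (not code from this thread or from OpenSSH), here is a small POSIX shell audit that reads an sshd_config the way sshd does (first uncommented keyword wins) and reports the pitfalls discussed above; the function names and both sample configs are constructed for the demonstration.

```shell
# Added example (not code from the thread): audit an sshd_config for the
# PAM-related settings Wim lists. sshd_opt, audit_pam_config and both
# sample configs are constructed for this demonstration.
# Effective value of KEY in FILE. sshd uses the *first* uncommented
# occurrence of a keyword (keywords are case-insensitive); fall back to
# DEFAULT if absent. Match blocks are not handled.
sshd_opt() {
    file=$1; key=$2; default=$3
    val=$(awk -v k="$key" '$1 !~ /^#/ && tolower($1) == tolower(k) { print $2; exit }' "$file")
    if [ -n "$val" ]; then echo "$val"; else echo "$default"; fi
}

# Check FILE for the pitfalls discussed in the thread. Defaults are those
# of OpenSSH 4.x (UsePAM no, the other three yes). Returns 0 if clean.
audit_pam_config() {
    file=$1; rc=0
    usepam=$(sshd_opt "$file" UsePAM no)
    privsep=$(sshd_opt "$file" UsePrivilegeSeparation yes)
    passwd=$(sshd_opt "$file" PasswordAuthentication yes)
    chal=$(sshd_opt "$file" ChallengeResponseAuthentication yes)
    [ "$usepam" = yes ] || { echo "FAIL: UsePAM is '$usepam'; PAM (and pam_mysql) is never consulted"; rc=1; }
    # An uncommented PAMAuthenticationViaKbdInt is what made sshd 4.4 complain at start-up.
    if grep -qi '^[[:space:]]*PAMAuthenticationViaKbdInt' "$file"; then
        echo "FAIL: PAMAuthenticationViaKbdInt is set; deprecated (only needed up to 3.6)"; rc=1
    fi
    if [ "$passwd" = yes ] && [ "$chal" = yes ]; then
        echo "WARN: PasswordAuthentication and ChallengeResponseAuthentication are both yes; disable one"; rc=1
    fi
    [ "$privsep" = yes ] || echo "INFO: UsePrivilegeSeparation is off; 4.x works with PAM, so turn it back on"
    return $rc
}
# Constructed sample configs: the first mirrors the config quoted in the thread.
SAMPLE=$(mktemp); CLEAN=$(mktemp)
trap 'rm -f "$SAMPLE" "$CLEAN"' EXIT
cat > "$SAMPLE" <<'EOF'
UsePAM yes
UsePrivilegeSeparation no
#PAMAuthenticationViaKbdInt no
PasswordAuthentication yes
ChallengeResponseAuthentication yes
EOF
cat > "$CLEAN" <<'EOF'
UsePAM yes
UsePrivilegeSeparation yes
PasswordAuthentication no
ChallengeResponseAuthentication yes
EOF
audit_pam_config "$SAMPLE" || echo "sample: fix the findings above"
audit_pam_config "$CLEAN" && echo "clean: ready to test pam_mysql"
```

Run it against /etc/ssh/sshd_config instead of the sample to see which of the yes/no combinations your own file currently has.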
