# ssh ppk auth and pam

## ixion

I encountered something that kind of scared me a week or so ago. When I would try to login to my server with priv/pubkey authentication and mistyped the passphrase for my private key, it prompted for a password. IIRC, I was able to login with my password from that prompt, even with 'PasswordAuthentication no' in sshd_config! After a little bit of reading it looked like PAM was overriding the sshd_config settings, so I put 'UsePAM no', but couldn't even login with my priv/pubkey setup. So what I've done is set 'ChallengeResponseAuthentication no' and 'UsePAM yes'. This has resolved the prompting for a password after incorrectly entering passphrases three times, but is this the correct solution? Is there a security risk in doing it this way?

----------
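The interaction the first post runs into can be made mechanical. The following is an added example by the editor, not code from the thread: it parses an sshd_config the way sshd does (first occurrence of a keyword wins, comments ignored) and reports every method through which a plaintext password can still be accepted. Defaults are the ones the sshd_config man page states (ChallengeResponseAuthentication yes, UsePAM no); distributions commonly ship UsePAM yes, which is why the constructed "weak" sample sets it explicitly. Match blocks and non-PAM keyboard-interactive backends (BSD auth, S/Key) are not modelled; that is an assumption of the example.

```python
"""Added example: which password-accepting paths an sshd_config leaves open.

With UsePAM yes, PAM challenge-response (the "keyboard-interactive" method)
fills the same role as password authentication, so PasswordAuthentication no
by itself does not stop a password from being accepted.
"""
from __future__ import annotations

import re

# Defaults as stated in the sshd_config man page quoted in this thread.
DEFAULTS = {
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "usepam": "no",
    "pubkeyauthentication": "yes",
}

# Keyword, then value, separated by whitespace or a single '=' (both valid).
_LINE = re.compile(r"^\s*([A-Za-z0-9]+)(?:\s*=\s*|\s+)(.+?)\s*$")


def parse_sshd_config(text: str) -> dict[str, str]:
    """Return the effective settings as {keyword.lower(): value.lower()}.

    sshd honours the first occurrence of a keyword and ignores later
    duplicates, so the first value seen wins here too.
    """
    settings = dict(DEFAULTS)
    seen: set[str] = set()
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        m = _LINE.match(raw)
        if m is None:
            continue
        key, value = m.group(1).lower(), m.group(2).lower()
        if key in seen:
            continue
        seen.add(key)
        settings[key] = value
    return settings


def password_paths(settings: dict[str, str]) -> list[str]:
    """Authentication methods through which a plaintext password reaches sshd."""
    paths = []
    if settings["passwordauthentication"] == "yes":
        paths.append("password")
    if (settings["challengeresponseauthentication"] == "yes"
            and settings["usepam"] == "yes"):
        paths.append("keyboard-interactive")
    return paths


def audit(text: str) -> list[str]:
    """Human-readable findings for one sshd_config."""
    s = parse_sshd_config(text)
    findings = []
    if s["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication is off; key-based login impossible")
    for path in password_paths(s):
        findings.append(f"a password can still be accepted via {path}")
    return findings


# Constructed sample: the original poster's situation. PasswordAuthentication
# is off, but UsePAM yes plus the default ChallengeResponseAuthentication yes
# leaves keyboard-interactive open, so the PAM password prompt still appears.
# The second PasswordAuthentication line is a later duplicate that sshd ignores.
WEAK_CONFIG = """\
Port 22
Protocol 2
PubkeyAuthentication yes
PasswordAuthentication no
PasswordAuthentication yes
UsePAM yes
"""

# Constructed sample: the combination the thread settles on.
HARDENED_CONFIG = """\
Port 22
Protocol 2
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit(cfg) or ['no password path open']}")
```

Run it against a real file with `audit(open("/etc/ssh/sshd_config").read())`; an empty result means neither the password method nor PAM-backed keyboard-interactive is offered, which is what `ssh -v` shows as `Authentications that can continue: publickey`.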

## ixion

opinions, anyone?

----------

## ixion

no comments?

----------

## j-m

Read The Fine Manual and don't bump every two hours...  :Mad: 

```
man sshd_config
```

----------

## ixion

 *j-m wrote:*   

> Read The Fine Manual and don´t bump every two hours... 
> 
> ```
> man sshd_config
> ```
> ...

 

Posted: Tue Feb 01, 2005 8:08 am

Posted: Thu Feb 03, 2005 8:00 am

Posted: Wed Feb 16, 2005 10:54 am 

Hardly every two hours.

```
     UsePAM  Enables the Pluggable Authentication Module interface.  If set to
             ``yes'' this will enable PAM authentication using
             ChallengeResponseAuthentication and PAM account and session module
             processing for all authentication types.
             Because PAM challenge-response authentication usually serves an
             equivalent role to password authentication, you should disable
             either PasswordAuthentication or ChallengeResponseAuthentication.
             If UsePAM is enabled, you will not be able to run sshd(8) as a
             non-root user.  The default is ``no''.
```

```
     ChallengeResponseAuthentication
             Specifies whether challenge response authentication is allowed.
             All authentication styles from login.conf(5) are supported.  The
             default is ``yes''.
```

The above from the man page hardly answers my question, as well. I'm asking for opinions, mostly. And I'm wondering why other people can successfully log in with UsePAM=no, and I cannot.

----------

## j-m

This is my working config. Do diff and check. 

```
Port 222
Protocol 2
#ListenAddress 0.0.0.0
#ListenAddress ::
#HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
#HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#KeyRegenerationInterval 1h
#ServerKeyBits 768
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 1m
PermitRootLogin no
#StrictModes yes
#RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys2
RhostsRSAAuthentication no
HostbasedAuthentication no
#IgnoreUserKnownHosts no
IgnoreRhosts yes
PasswordAuthentication no
PermitEmptyPasswords no
AllowGroups sshusers
#AllowUsers
#ChallengeResponseAuthentication yes
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
UsePAM no
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression yes
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
Subsystem       sftp    /usr/lib/misc/sftp-server
```

----------

## ixion

```
diff sshd_config sshd_config.forums|grep -v '#'
1c1
< Port 22
---
> Port 222
3d2
< ListenAddress 192.168.0.5
9,12c8
< PermitRootLogin yes
---
> PermitRootLogin no
14c10
< AuthorizedKeysFile    .ssh/authorized_keys
---
> AuthorizedKeysFile      .ssh/authorized_keys2
17d12
21c16
---
> AllowGroups sshusers
23,57c18
< 
---
> Subsystem       sftp    /usr/lib/misc/sftp-server 
```

I have restarted sshd, but still same error:

```
Permission denied (publickey,keyboard-interactive).
or
Permission denied (publickey).
```

I also see a lot of this in the syslog during the logins:

```
Feb 16 11:36:21 web1 PAM-env[10960]: Unknown PAM_ITEM: <DISPLAY>
Feb 16 11:36:21 web1 sshd[10960]: PAM pam_putenv: delete non-existent entry; DISPLAY
Feb 16 11:36:21 web1 PAM-env[10960]: Unknown PAM_ITEM: <XAUTHORITY>
Feb 16 11:36:21 web1 sshd[10960]: PAM pam_putenv: delete non-existent entry; XAUTHORITY
Feb 16 11:36:21 web1 sshd(pam_unix)[10960]: session closed for user
```

Thank you for your reply!  :Smile: 

----------

## j-m

OK, check whether you have compiled openssh with the needed flags; maybe the best solution would be to remerge with USE="-pam".

As for those errors posted at the end, search bugzilla to find a lot of unsolved reports and a workaround, but they are irrelevant to this problem and only cause harm with X11 forwarding over SSH.

One more idea:

```
cp authorized_keys authorized_keys2
```

 :Question:   :Idea: 

----------

## ixion

understood.

I have in troubleshooting this problem done an emerge on openssh with USE="-pam", but that resulted in the same error as UsePAM=no, except the config option didn't solve the error. Had to re-emerge again with USE="pam".  :Smile: 

edit: I copied the authorized_keys file of the user to authorized_keys2, and chowned it for that user's ownership (user only, root group ownership) but have the same error. :'(

edit2: I do have 'chmod -R 0700 ~/.ssh' for that user per something I read on the BSD forums. Could that be the problem?

----------

## j-m

 *ixion wrote:*   

> edit: I copied the authorized_keys file of the user to authorized_keys2, and chowned it for that user's ownership (user only, root group ownership) but have the same error. :'(

Did you change the path in sshd_config as well? 

 *ixion wrote:*   

> edit2: I do have 'chmod -R 0700 ~/.ssh' for that user per something I read on the BSD forums. Could that be the problem?

I have 0700 for the directory and 0600 for authorized_keys2

Out of ideas, otherwise.

----------
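The permission question in the two posts above is decided by StrictModes, and the rule is narrower than the 0700/0600 folklore suggests. The following is an added example by the editor, not code from the thread: it reproduces the walk sshd makes with StrictModes yes (the default), checking the authorized_keys file and then every directory up to and including the user's home for ownership by that user or root and for clear group/world-write bits. Group ownership is never consulted, so a root-group authorized_keys is acceptable, and 0700 on ~/.ssh is fine. The filesystem is a constructed in-memory model (user1 is assumed to be uid 1000) so the check runs offline; symlink resolution, which sshd performs first, is not modelled, and where sshd stops at the first failure this version collects all of them.

```python
"""Added example: the ownership and mode check StrictModes applies."""
from __future__ import annotations

import posixpath

# Constructed tree: absolute path -> (owner uid, permission bits).
# Mirrors the thread: user1 (assumed uid 1000) with ~/.ssh 0700 and
# authorized_keys 0600. Group ownership is deliberately absent: sshd ignores it.
GOOD_TREE = {
    "/": (0, 0o755),
    "/home": (0, 0o755),
    "/home/user1": (1000, 0o755),
    "/home/user1/.ssh": (1000, 0o700),
    "/home/user1/.ssh/authorized_keys": (1000, 0o600),
}

# Same layout, but the home directory was made group-writable.
BAD_TREE = {**GOOD_TREE, "/home/user1": (1000, 0o775)}

# Same layout, but the key file belongs to somebody else.
WRONG_OWNER_TREE = {**GOOD_TREE, "/home/user1/.ssh/authorized_keys": (1001, 0o600)}


def component_problem(path: str, owner: int, mode: int, uid: int) -> str | None:
    """Reason sshd would reject this path component, or None if acceptable."""
    if owner not in (0, uid):
        return f"{path}: owned by uid {owner}, not uid {uid} or root"
    if mode & 0o022:  # group- or world-writable
        return f"{path}: mode {mode:04o} is group/world writable"
    return None


def strict_modes_problems(tree: dict[str, tuple[int, int]], home: str,
                          keyfile: str, uid: int) -> list[str]:
    """Every path sshd's StrictModes walk would refuse for keyfile.

    Checks the file, then each parent directory upward, stopping once the
    home directory has been checked; directories above it are not inspected.
    """
    problems = []
    path = keyfile
    while True:
        owner, mode = tree[path]
        reason = component_problem(path, owner, mode, uid)
        if reason:
            problems.append(reason)
        if path == home or path == "/":
            break
        path = posixpath.dirname(path)
    return problems


if __name__ == "__main__":
    for name, tree in (("good", GOOD_TREE), ("bad", BAD_TREE), ("wrong owner", WRONG_OWNER_TREE)):
        found = strict_modes_problems(tree, "/home/user1",
                                      "/home/user1/.ssh/authorized_keys", 1000)
        print(f"{name}: {found or ['accepted']}")
```

When sshd rejects a file for this reason it logs "Authentication refused: bad ownership or modes for ..." at the level set by LogLevel, so a silent publickey failure with no such line usually points elsewhere (as it did in this thread).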

## ixion

I changed the sshd_config to recognize authorized_keys2, but still no go. *sigh*, I guess this is just one of those issues I should ignore?  :Wink:  :Surprised: 

----------

## j-m

 *ixion wrote:*   

> I changed the sshd_config to recognize authorized_keys2, but still nogo. *sigh*, I guess this is just one of those issues I should ignore? 

 

Please post your complete config - there must be some error somewhere...  :Mad:   :Crying or Very sad: 

----------

## ixion

 *j-m wrote:*   

>  *ixion wrote:*   I changed the sshd_config to recognize authorized_keys2, but still nogo. *sigh*, I guess this is just one of those issues I should ignore?  
> 
> Please post your complete config - there must be some error somewhere...  

 

I'm sorry for the frustration..  :Sad: 

```
Port 22
Protocol 2
ListenAddress 10.0.0.5
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 1m
PermitRootLogin yes
StrictModes yes
MaxAuthTries 6
RSAAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys
RhostsRSAAuthentication no
HostbasedAuthentication no
IgnoreUserKnownHosts yes
IgnoreRhosts yes
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
UsePAM yes
AllowTcpForwarding yes
GatewayPorts no
X11Forwarding no
PrintMotd yes
PrintLastLog yes
TCPKeepAlive yes
UseLogin no
UsePrivilegeSeparation yes
PermitUserEnvironment no
Compression yes
ClientAliveInterval 3
ClientAliveCountMax 3
UseDNS yes
PidFile /var/run/sshd.pid
MaxStartups 10
Banner /etc/ssh/banner1
Subsystem       sftp    /usr/lib/misc/sftp-server
```

The above is what I normally use, but I've used the below config as well but to no avail:

```
Port 22
Protocol 2
ListenAddress 10.0.0.5
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 1m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#RSAAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys
RhostsRSAAuthentication no
HostbasedAuthentication no
#IgnoreUserKnownHosts yes
IgnoreRhosts yes
PasswordAuthentication no
PermitEmptyPasswords no
#ChallengeResponseAuthentication no
UsePAM no
```

My USE:

```
USE="tcpd ssl pam hardened security mysql imap maildir flexresp perl apache exiscan-acl gd gd-external -X -apache2 -gtk -gtk2 -qt -fluxbox -cups -mbox -kde -gnome -sound -arts -alsa -nvidia -gpm -mouse -ipv6"
```

CFLAGS (likely nothing to do with this, but oh well):

```
CFLAGS="-O3 -march=pentium3 -pipe -fomit-frame-pointer"
```

----------

## j-m

Did you try this?

```
UsePAM no
ChallengeResponseAuthentication no
PasswordAuthentication no
```

----------

## ixion

Thank you again for all your help, I very much appreciate it.  :Smile: 

Setting the following resulted in the same error:

```
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
UsePAM no
```

Do you think it's something to do with the way I've compiled openssh? This problem I think existed before a reinstall and after. Weird..  :Sad: 

----------

## j-m

 *ixion wrote:*   

> Do you think it's something to do with the way I've compiled openssh? This problem I think existed before a reinstall and after. Weird.. 

I don't know. There must be something wrong because pam is always called regardless of settings.  :Evil or Very Mad: 

Could you try to 

```
mv /etc/pam.d/sshd /etc/pam.d/sshd.orig
/etc/init.d/sshd restart
```

and look at the logs?

 :Question:   :Confused: 

----------

## ixion

done. Here is what I get:

```
sshd_config: UsePAM=yes
Enter passphrase for key '/home/user1/.ssh/id_dsa': 
Permission denied (publickey).
log: (nothing shows up)

sshd_config: UsePAM=no
Permission denied (publickey)
log: Feb 16 14:18:00 myhost1 sshd[19348]: User user1 not allowed because account is locked
```

That /etc/pam.d/sshd file is interesting. Can I take out the password entry to disable passwords? Or is there anything I can do to it to help this situation?

Cheers!  :Smile: 

----------
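The "account is locked" line in the post above is sshd's own check, not PAM's, and it explains why UsePAM no breaks key login here. The following is an added example by the editor, not code from the thread: with UsePAM no, sshd inspects the user's shadow password field before any authentication method runs and, on Linux builds, treats a field beginning with "!" (what `passwd -l` writes, and what a never-set "!!" entry starts with) as a locked account, refusing the login even when a valid public key is offered. With UsePAM yes that decision is delegated to the PAM account stack instead, which is why the same user can log in with keys. A field of "*" is merely a hash no password can match: password login is impossible, but the account is not locked. The shadow-style lines below are constructed, and the inference that user1's field started with "!" is an assumption, not something the thread confirms.

```python
"""Added example: sshd's own locked-account check when PAM is not in use."""
from __future__ import annotations

LOCKED_PREFIX = "!"  # Linux/glibc marker; other platforms use other strings

# Constructed /etc/shadow-style content; the hashes are placeholders.
SAMPLE_SHADOW = """\
root:$6$saltsalt$notarealhashnotarealhash:12784:0:99999:7:::
user1:!$6$saltsalt$notarealhashnotarealhash:12784:0:99999:7:::
user2:*:12784:0:99999:7:::
user3:!!:12784:0:99999:7:::
user4::12784:0:99999:7:::
"""


def parse_shadow(text: str) -> dict[str, str]:
    """Map user name -> password field from /etc/shadow-formatted text."""
    entries: dict[str, str] = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[0] and not line.startswith("#"):
            entries[fields[0]] = fields[1]
    return entries


def classify(password_field: str) -> str:
    """How sshd (UsePAM no) and password authentication see this field."""
    if password_field.startswith(LOCKED_PREFIX):
        return "locked: sshd refuses the account before authentication"
    if password_field == "*":
        return "no usable hash: key-only login, not locked"
    if password_field == "":
        return "empty password: only PermitEmptyPasswords no stands in the way"
    return "hash present: password authentication possible"


def refused_before_auth(shadow_text: str, use_pam: bool) -> list[str]:
    """Users sshd turns away before offering any authentication method."""
    if use_pam:
        return []  # handed to the PAM 'account' stack; sshd itself does not check
    return [user for user, field in parse_shadow(shadow_text).items()
            if field.startswith(LOCKED_PREFIX)]


if __name__ == "__main__":
    for user, field in parse_shadow(SAMPLE_SHADOW).items():
        print(f"{user:6} {classify(field)}")
    print("refused with UsePAM no:", refused_before_auth(SAMPLE_SHADOW, use_pam=False))
```

If an account is meant to be key-only under UsePAM no, give it a password field of `*` (for example `usermod -p '*' user1`) rather than locking it with `passwd -l`; the former disables password login without tripping sshd's locked-account refusal.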

## j-m

 *ixion wrote:*   

> 
> 
> ```
> 
> log:
> ...

 

Argh! Account is locked? Where? Duh! What is calling the damned PAM?  :Mad: 

OK, seriously, try to mess with the pam configuration, but I really don't know. Maybe you should file a bug for this.  :Confused: 

----------

## ixion

I was thinking it was a bug.. going to try to file one, now. So far I'm not very good at filing them, but let's see what happens..  :Wink:  Thanks so much for your help, bro  :Smile: 

Filed: https://bugs.gentoo.org/show_bug.cgi?id=82274  :Smile: 

----------

