https://bugzilla.novell.com/show_bug.cgi?id=730851 https://bugzilla.novell.com/show_bug.cgi?id=730851#c Andreas Jaeger changed: What |Removed |Added ---------------------------------------------------------------------------- AssignedTo|bnc-team-screening@forge.pr |vcizek@suse.com |ovo.novell.com | -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=730851 https://bugzilla.novell.com/show_bug.cgi?id=730851#c2 Jon Nelson changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |NEW InfoProvider|jnelson-suse@jamponi.net | --- Comment #2 from Jon Nelson 2011-11-21 13:44:31 UTC --- My root user does not have a passphrase. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=730851 https://bugzilla.novell.com/show_bug.cgi?id=730851#c Vitezslav Cizek changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |ASSIGNED -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=730851 https://bugzilla.novell.com/show_bug.cgi?id=730851#c5 Jon Nelson changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |ASSIGNED InfoProvider|jnelson-suse@jamponi.net | --- Comment #5 from Jon Nelson 2012-01-10 14:27:29 UTC --- I was able to reproduce it easily. Step 1. Test without ssh: pam-config --delete --ssh As normal user, run 'su -'. Note that it doesn't ask for an SSH passphrase. Step 2. Test with ssh: pam-config --add --ssh As normal user, run 'su -'. Note that it /does/ ask you for an SSH passphrase (after your normal password). Hint enter. Note that it says 'incorrect password'. Example of Step 2's 'su -' output: jnelson@worklaptop:~> su - Password: SSH passphrase: su: incorrect password jnelson@worklaptop:~> NOTE: The root user *DOES NOT* have a $HOME/.ssh directory. Perhaps that makes a difference. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=730851 https://bugzilla.novell.com/show_bug.cgi?id=730851#c7 --- Comment #7 from Vitezslav Cizek 2012-01-16 18:08:05 CET --- This looks like it's the expected behaviour. The /etc/pam.d/su-l includes /etc/pam.d/common-auth, which on my machine looks something like this: auth required pam_env.so auth optional pam_gnome_keyring.so auth optional pam_ssh.so debug auth sufficient pam_unix2.so debug auth sufficient pam_krb5.so use_first_pass auth required pam_deny.so What happens is that pam_gnome_keyring asks for a password. (The first "Password:" prompt) Then pam_ssh asks for SSH key password (prompting with "SSH passphrase:") Next is pam_unix2, which by default uses the password from the previous module, in this case from pam_ssh. So it tries to authenticate with the ssh passphrase. And fails. So if you enter your unix password for the second prompt (SSH passphrase:), it lets you through. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=730851 https://bugzilla.novell.com/show_bug.cgi?id=730851#c9 --- Comment #9 from Jon Nelson 2012-01-18 02:41:55 UTC --- According to this: http://oss.sgi.com/LDP/HOWTO/User-Authentication-HOWTO/x101.html optional means just that -- whether it succeeds or fails is only important *if* it's the only module listed for it's type (which, in this case, it isn't). -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=730851 https://bugzilla.novell.com/show_bug.cgi?id=730851#c11 Vitezslav Cizek changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |NEEDINFO InfoProvider| |mc@suse.com --- Comment #11 from Vitezslav Cizek 2012-01-18 12:34:18 CET --- Let's ask pam maintainer. Michael, could you comment on what is happening here? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=730851 https://bugzilla.novell.com/show_bug.cgi?id=730851#c13 --- Comment #13 from Vitezslav Cizek 2012-02-03 11:38:09 CET --- (In reply to comment #12)

The question is, for what is pam_ssh good for?

Is it really an authentication module (I think not), than it can be "sufficient" too.

A lot of people use it for single sign-on like this.

It maybe that the configuration with pam_ssh is not correct. But we cannot put it after the real authentication modules, because they are sufficient.

So I guess we can say it's a bug in pam-config (this configuration was created with pam-config --add --ssh), which adds pam_ssh as optional to both common-auth and common-session. For auth stack, it should be either sufficient or not there at all. Anyway, there's nothing to be fixed on pam_ssh side here. It's more a configuration issue. Michael, unless you want to do something with pam-config about this, I'll close this. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=730851 https://bugzilla.novell.com/show_bug.cgi?id=730851#c16 Vitezslav Cizek changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |NEEDINFO InfoProvider| |kukuk@suse.com --- Comment #16 from Vitezslav Cizek 2012-08-08 14:35:57 CEST --- Thorsten, Current pam-config setup adds pam_ssh.so as optional to auth group. So it has to be listed above sufficient modules. The ssh passphrase gets passed to next modules in stack, however if the passphrase is different from the unix password, the authentication fails. (pam_unix2 takes by default the password from a previous module, as does pam_krb5 in our current setup) Therefore I would suggest changing optional to sufficient. If someone wants to enable pam_ssh, he likely wants to use it directly to authenticate (despite it probably not being really a authenticaton module as Michael pointed out) I'll submit the change if you like it. Or do you prefer any other solution? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=730851 https://bugzilla.novell.com/show_bug.cgi?id=730851#c18 --- Comment #18 from Bernhard Wiedemann 2012-08-25 18:00:12 CEST --- This is an autogenerated message for OBS integration: This bug (730851) was mentioned in https://build.opensuse.org/request/show/131586 Factory / pam-config -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.