[Bug 730851] New: pam: after upgrade to 12.1, can't become root (pam_ssh)
https://bugzilla.novell.com/show_bug.cgi?id=730851 https://bugzilla.novell.com/show_bug.cgi?id=730851#c0 Summary: pam: after upgrade to 12.1, can't become root (pam_ssh) Classification: openSUSE Product: openSUSE 12.1 Version: Final Platform: Other OS/Version: Other Status: NEW Severity: Normal Priority: P5 - None Component: Basesystem AssignedTo: bnc-team-screening@forge.provo.novell.com ReportedBy: jnelson-suse@jamponi.net QAContact: qa@suse.de Found By: --- Blocker: --- User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:7.0.1) Gecko/20100101 Firefox/7.0.1 After upgrading to 12.1, 'su' and 'sudo' started asking me for my ssh passphrase. Despite being listed as _optional_, it would appear that pam_ssh is *not* functioning correctly. I was unable to become root by way of either 'su -' or 'sudo bash'. jnelson@laptop:~> su - Password: SSH passphrase: su: incorrect password jnelson@laptop:~> The only way I was able to log in was, ironically, by way of 'ssh -l root localhost'. As you can see, pam_ssh is listed as *optional*: laptop:/etc/pam.d # grep ssh * common-auth:auth optional pam_ssh.so common-auth-pc:auth optional pam_ssh.so common-session:session optional pam_ssh.so common-session-pc:session optional pam_ssh.so laptop:/etc/pam.d # I'm not sure if this is a pam-specific thing or pam-ssh or what. Reproducible: Always Steps to Reproduce: 1. 2. 3. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=730851
https://bugzilla.novell.com/show_bug.cgi?id=730851#c
Andreas Jaeger
https://bugzilla.novell.com/show_bug.cgi?id=730851
https://bugzilla.novell.com/show_bug.cgi?id=730851#c1
Vitezslav Cizek
https://bugzilla.novell.com/show_bug.cgi?id=730851
https://bugzilla.novell.com/show_bug.cgi?id=730851#c2
Jon Nelson
https://bugzilla.novell.com/show_bug.cgi?id=730851
https://bugzilla.novell.com/show_bug.cgi?id=730851#c3
--- Comment #3 from Jon Nelson
https://bugzilla.novell.com/show_bug.cgi?id=730851
https://bugzilla.novell.com/show_bug.cgi?id=730851#c
Vitezslav Cizek
https://bugzilla.novell.com/show_bug.cgi?id=730851
https://bugzilla.novell.com/show_bug.cgi?id=730851#c4
Vitezslav Cizek
https://bugzilla.novell.com/show_bug.cgi?id=730851
https://bugzilla.novell.com/show_bug.cgi?id=730851#c5
Jon Nelson
https://bugzilla.novell.com/show_bug.cgi?id=730851
https://bugzilla.novell.com/show_bug.cgi?id=730851#c6
--- Comment #6 from Vitezslav Cizek
https://bugzilla.novell.com/show_bug.cgi?id=730851
https://bugzilla.novell.com/show_bug.cgi?id=730851#c7
--- Comment #7 from Vitezslav Cizek
https://bugzilla.novell.com/show_bug.cgi?id=730851
https://bugzilla.novell.com/show_bug.cgi?id=730851#c8
--- Comment #8 from Vitezslav Cizek
https://bugzilla.novell.com/show_bug.cgi?id=730851
https://bugzilla.novell.com/show_bug.cgi?id=730851#c9
--- Comment #9 from Jon Nelson
https://bugzilla.novell.com/show_bug.cgi?id=730851
https://bugzilla.novell.com/show_bug.cgi?id=730851#c10
--- Comment #10 from Vitezslav Cizek
https://bugzilla.novell.com/show_bug.cgi?id=730851
https://bugzilla.novell.com/show_bug.cgi?id=730851#c11
Vitezslav Cizek
https://bugzilla.novell.com/show_bug.cgi?id=730851
https://bugzilla.novell.com/show_bug.cgi?id=730851#c12
Michael Calmer
https://bugzilla.novell.com/show_bug.cgi?id=730851
https://bugzilla.novell.com/show_bug.cgi?id=730851#c13
--- Comment #13 from Vitezslav Cizek
The question is, for what is pam_ssh good for?
Is it really an authentication module (I think not), than it can be "sufficient" too.
A lot of people use it for single sign-on like this.
It maybe that the configuration with pam_ssh is not correct. But we cannot put it after the real authentication modules, because they are sufficient.
So I guess we can say it's a bug in pam-config (this configuration was created with pam-config --add --ssh), which adds pam_ssh as optional to both common-auth and common-session. For auth stack, it should be either sufficient or not there at all. Anyway, there's nothing to be fixed on pam_ssh side here. It's more a configuration issue. Michael, unless you want to do something with pam-config about this, I'll close this. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=730851
https://bugzilla.novell.com/show_bug.cgi?id=730851#c15
Vitezslav Cizek
https://bugzilla.novell.com/show_bug.cgi?id=730851
https://bugzilla.novell.com/show_bug.cgi?id=730851#c16
Vitezslav Cizek
https://bugzilla.novell.com/show_bug.cgi?id=730851
https://bugzilla.novell.com/show_bug.cgi?id=730851#c17
Thorsten Kukuk
I'll submit the change if you like it.
Fine with me. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=730851
https://bugzilla.novell.com/show_bug.cgi?id=730851#c18
--- Comment #18 from Bernhard Wiedemann
https://bugzilla.novell.com/show_bug.cgi?id=730851
https://bugzilla.novell.com/show_bug.cgi?id=730851#c19
Vitezslav Cizek
participants (1)
-
bugzilla_noreply@novell.com