[Bug 933810] New: Pam_ssh.so not working on 13.2
http://bugzilla.novell.com/show_bug.cgi?id=933810

            Bug ID: 933810
           Summary: Pam_ssh.so not working on 13.2
    Classification: openSUSE
           Product: openSUSE Distribution
           Version: 13.2
          Hardware: Other
                OS: openSUSE 13.2
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Other
          Assignee: bnc-team-screening@forge.provo.novell.com
          Reporter: david.westfall@red-inc.us
        QA Contact: qa-bugs@suse.de
          Found By: ---
           Blocker: ---

A while back I installed pam_ssh on one of my 13.1 computers to test it out, got it working. After an in-place upgrade to 13.2 pam_ssh is no longer working. I installed pam_ssh on another 13.1 computer today to make sure that I was doing it correctly, and it is still working on 13.1.

pam-config -a --ssh

I turned on debugging for pam_ssh and here is what I see in my log.

2015-06-05T14:05:47.631787-04:00 Havoc pam_ssh[2538]: init authentication module
2015-06-05T14:05:47.632338-04:00 Havoc pam_ssh[2538]: No SSH login-keys directory.
2015-06-05T14:05:47.632681-04:00 Havoc pam_ssh[2538]: Grabbing password from preceding auth module.
2015-06-05T14:05:47.633026-04:00 Havoc pam_ssh[2538]: Trying previous password for SSH keys.
2015-06-05T14:05:47.633354-04:00 Havoc pam_ssh[2538]: No preceding password.
2015-06-05T14:05:47.644826-04:00 Havoc kdm: :0[2538]: pam_unix(xdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=root

Dave W

--
You are receiving this mail because:
You are on the CC list for the bug.
--- Comment #2 from David Westfall
--- Comment #3 from Wolfgang Rosenauer
> I do not know why the default location for pam_ssh has been changed. You would think that it would use the same default as ssh-keygen, ssh-add and ssh.
It was a design decision of the upstream developers (including myself). Mainly because it gives much more flexibility which keys are allowed to grant login and which ones should be added to the session. The keyfiles option was not appropriate to cope with the flexibility users wanted to have. E.g. I have ssh keys for dedicated purposes which do not match the "default" of ssh-add or ssh-keygen. So now there is a way to use resp. unlock them in the session as well.
> The man page for pam_ssh does not say anything about needing a session-keys.d directory. In fact it is kind of old:
>
> AUTHORS
>      Andrew J. Korty wrote pam_ssh. Dag-Erling Smorgrav wrote the original OpenPAM support code. Mark R V Murray wrote the original version of this manual page.
>
> BSD                            November 26, 2001                            BSD
>
> Strange, the man page from 13.1 also dated in 2001 has keyfile argument, 13.2 does not.
Because the option has been dropped.
> So, if pam_ssh has changed the default location, then the documentation does not show it. So why has the default location been changed from where everything else is expecting it?
About the "why" see above. I can quote some things from the latest man page of the version 2.1 which is not in 13.2 yet with a date of March 8, 2015:

for login:
"
The user's SSH login keys must be either located or symbolically linked into the per-user dedicated folder ~/.ssh/login-keys.d/ in the user's home directory.
"

for session:
"
The traditional SSH keys ~/.ssh/identity, ~/.ssh/id_rsa, ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, and ~/.ssh/id_ed25519 are considered as the default SSH session keys. Nonetheless, extra user SSH session keys can be either located or symbolically linked into the per-user dedicated folder ~/.ssh/session-keys.d/ in the user's home directory.
"
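The key layout quoted from the man page above, as an added example that is not part of the bug thread or of pam_ssh itself: a POSIX shell helper that reports which keys in a home directory fall into the login, default-session and extra-session categories, and links an existing key into login-keys.d. The function names are hypothetical and the 0700 directory mode is an assumption.

```shell
#!/bin/sh
# Added example; function names are hypothetical, the paths are the ones
# quoted from the pam_ssh man page in the comment above.

# Print one "<category> <path>" line per key found under HOME_DIR/.ssh.
pam_ssh_key_report() {
    ssh_dir="$1/.ssh"
    if [ -d "$ssh_dir/login-keys.d" ]; then
        for f in "$ssh_dir"/login-keys.d/*; do
            # -e follows symlinks, so dangling links are not reported.
            if [ -e "$f" ]; then echo "login $f"; fi
        done
    else
        # The state behind "No SSH login-keys directory." in the debug log.
        echo "missing $ssh_dir/login-keys.d"
    fi
    # Traditional keys count as default session keys, not as login keys.
    for name in identity id_rsa id_dsa id_ecdsa id_ed25519; do
        if [ -f "$ssh_dir/$name" ]; then echo "session-default $ssh_dir/$name"; fi
    done
    if [ -d "$ssh_dir/session-keys.d" ]; then
        for f in "$ssh_dir"/session-keys.d/*; do
            if [ -e "$f" ]; then echo "session-extra $f"; fi
        done
    fi
    return 0
}

# Make an existing key in ~/.ssh a login key by symlinking it.
pam_ssh_enable_login_key() {
    ssh_dir="$1/.ssh"
    key_name=$2
    if [ ! -f "$ssh_dir/$key_name" ]; then
        echo "no such key: $ssh_dir/$key_name" >&2
        return 1
    fi
    mkdir -p "$ssh_dir/login-keys.d" || return 1
    # Mode 0700 is an assumption (usual ~/.ssh hygiene), not a requirement
    # stated in the thread.
    chmod 700 "$ssh_dir/login-keys.d" || return 1
    # Relative link target, resolved from inside login-keys.d.
    ln -sf "../$key_name" "$ssh_dir/login-keys.d/$key_name"
}

# Usage: pam_ssh_key_report "$HOME"; pam_ssh_enable_login_key "$HOME" id_ed25519
```

A home directory upgraded from the 13.1 setup would show its keys only as `session-default` plus a `missing` line, which matches the "No SSH login-keys directory." message in the reporter's log.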
Wolfgang Rosenauer
> So bug one, PAM_SSH does not use the same default location as all other SSH programs.
This does not cover all required configuration options. Good if the limited set of configuration options would be enough for you. It's not for me and others. NOTABUG
> Bug two PAM_SSH documentation does not match program functionality.
Indeed a bug in the upstream release 2.0. This was fixed in upstream 2.01:

Version 2.01 released
=====================

2014-05-24 Wolfgang Rosenauer
    * changelog format cleanup
    * pam_ssh.1: updated man page to reflect the current implementation

If this bug deserves an update package is something for the package maintainer to evaluate. Therefore let me reopen and see if an update is feasible.
--- Comment #8 from Bernhard Wiedemann
http://bugzilla.novell.com/show_bug.cgi?id=933810#c9
--- Comment #9 from Swamp Workflow Management