[Bug 221233] New: ssh login on a Beta2plus does not work
https://bugzilla.novell.com/show_bug.cgi?id=221233

           Summary: ssh login on a Beta2plus does not work
           Product: openSUSE 10.2
           Version: Beta 2 plus
          Platform: Other
        OS/Version: Other
            Status: NEW
          Severity: Critical
          Priority: P5 - None
         Component: Network
        AssignedTo: bnc-team-screening@forge.provo.novell.com
        ReportedBy: fs@novell.com
         QAContact: qa@suse.de

Logging in from a machine (used a 10.1 system) to a remote machine with 10.2
Beta2plus results in

Permission denied (publickey,keyboard-interactive)

It works the other way round - I can login from the Beta2plus machine to the
one with 10.1 installed.

-- 
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

aj@novell.com changed:

           What    |Removed                                   |Added
----------------------------------------------------------------------------
         AssignedTo|bnc-team-screening@forge.provo.novell.com |anicka@novell.com

anicka@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO
      Info Provider|                            |fs@novell.com

------- Comment #1 from anicka@novell.com  2006-11-15 06:26 MST -------
Please attach ssh -vvv verbose output and sshd debug output.

fs@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |RESOLVED
      Info Provider|fs@novell.com               |
         Resolution|                            |INVALID

------- Comment #2 from fs@novell.com  2006-11-15 07:19 MST -------
Sorry - my fault. I tried to login as a user that did not exist (I ignored the
fact that YP was not configured). ;-((

meissner@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |security-team@suse.de
             Status|RESOLVED                    |REOPENED
         Resolution|INVALID                     |
            Summary|ssh login on a Beta2plus    |VUL-0: remote can detect if user exists or not
                   |does not work               |on ssh

------- Comment #3 from meissner@novell.com  2006-11-15 12:17 MST -------
but there is change in behaviour for existing and non existing users.

- existing users: ask 3 times for password
- non existing users: do not ask for password, just return failure

this seems fallout from the 4.5 release.

------- Comment #4 from meissner@novell.com  2006-11-16 04:12 MST -------
Date: Thu, 16 Nov 2006 12:09:45 +0100
From: Anna Bernathova <anicka@suse.cz>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1b2) Gecko/20060822 SUSE/1.99.1-5
+Thunderbird/2.0a1 Mnenhy/0.7.4.666
To: Marcus Meissner <meissner@suse.de>
Subject: Re: security bug in security fix for openssh

Hello,

the whole situation is even more strange:

First of all, my security patch does not have anything to do with a problem.
Even vanilla openssh-4.4p1 or 4.5p1 behave equally wrong when compiled for
10.2 - I tested both.

Second, openssh-4.4p1 with all suse patches (including security fix from 4.5)
behaves right when compiled for 10.1.

It means that problem lies in some ssh dependency. As I am new to this
package, I do not have a clue where and I would be glad to get any hint.

It also means that my fix for older distributions is correct - QA should
probably test it more carefully than I did but at least 10.1 with my security
fix is OK. (I am glad to know it - I thought I can be pretty sure that my fix
has nothing to do with this problem.)

When I did some testing for the first time, I mixed 10.1 and 10.2 binaries
(and ran them on 10.1 or 10.2 in chroot) and that is why I got wrong results -
I did not realize that problem does not have to lie in openssh code directly.

May it be problem of pam or anything else, I do not know... :-(

Anicka

anicka@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |NEEDINFO
      Info Provider|                            |mc@novell.com

------- Comment #5 from anicka@novell.com  2006-11-16 06:06 MST -------
I compiled pam from 10.1 (version 0.99.3) for 10.2. Then I compiled openssh
for 10.2 with this pam package. Problem disappeared.

I do not know what has changed in pam since 10.1, so I am asking the pam
maintainer for help.

------- Comment #6 from lnussel@novell.com  2006-11-16 06:21 MST -------
there have been changes to pam_unix2 so it could be related. e.g. #216817

------- Comment #7 from anicka@novell.com  2006-11-16 06:25 MST -------
BTW, I am unable to reproduce this bug on Beta1.

lnussel@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|anicka@novell.com           |kukuk@novell.com
             Status|NEEDINFO                    |NEW
      Info Provider|mc@novell.com               |

------- Comment #8 from mc@novell.com  2006-11-16 06:56 MST -------
Anna: You say openssh with pam from Beta1 works but not with pam of
Beta2plus, correct?

I can send you the diff if this helps. The changes are very small and I do not
think that they cause the problems.

------- Comment #9 from lnussel@novell.com  2006-11-16 07:35 MST -------
Created an attachment (id=105715)
 --> (https://bugzilla.novell.com/attachment.cgi?id=105715&action=view)
patch

it's pam_unix2. Unfortunately Thorsten is on vacation so here is my suggestion
to fix it.

mc@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|                            |FIXED

------- Comment #12 from mc@novell.com  2006-11-16 08:34 MST -------
submitted to STABLE => fixed

lnussel@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fmfischer@gmx.net

------- Comment #13 from lnussel@novell.com  2006-11-20 09:02 MST -------
*** Bug 222668 has been marked as a duplicate of this bug. ***

kukuk@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|FIXED                       |

------- Comment #14 from kukuk@novell.com  2006-12-20 05:35 MST -------
To be honest: No, without this patch it is not possible to find out if a user
exists or not. You can only find out that this user is not allowed to login.
One reason may be that the user does not exist, but this is only one of many.
For a lot of other reasons you may wish that users are not able at all to
enter their password.

Between, that patch is wrong and introduces the security problem it claims to
fix. Depending on the application/PAM configuration you will now be asked six
times for a password. And this one will really only happen if the account does
not exist, in no other cases.

mc@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |NEEDINFO
      Info Provider|                            |lnussel@novell.com

------- Comment #15 from mc@novell.com  2007-01-12 04:17 MST -------
Ludwig: please comment on Comment#14

lnussel@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|mc@novell.com               |kukuk@novell.com
             Status|NEEDINFO                    |NEW
      Info Provider|lnussel@novell.com          |

------- Comment #16 from lnussel@novell.com  2007-01-12 04:59 MST -------
What other conditions lead to pam_unix2 not asking for a password? AFAICS only
pam errors and an empty password.

When does pam_unix2 ask for the password six times? Due to stacked modules?

Anyways, do you have a better solution?

------- Comment #17 from kukuk@novell.com  2007-01-12 05:12 MST -------
I never wrote that pam_unix2 will not ask for a password, but that the PAM
stack does not ask the user at all. For example if you don't wish that root
enters the password over an insecure connection.

pam_unix2 asks at least two times, but with some applications six times for a
password if the user does not exist with your patch.

------- Comment #18 from lnussel@novell.com  2007-01-12 07:11 MST -------
I fail to see the problem. The patch just restores the behavior of pam_unix2
1.34, no?

Comment from 1.34 source code:

  /* Get shadow entry. We don't bail out if user does not exists.
     Ask for an password in this case and bail out then. */

------- Comment #19 from kukuk@novell.com  2007-01-12 07:19 MST -------
(In reply to comment #18)
> I fail to see the problem. The patch just restores the behavior of pam_unix2
> 1.34, no?

No, it does not. The patch is broken. STABLE contains a correct version which
"restores" the behavior of pam_unix2 1.34. But even with that version (as with
1.34 did) you will not always be asked for a password.

kukuk@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WONTFIX

------- Comment #20 from kukuk@novell.com  2007-01-12 07:39 MST -------
Ludwig and I decided this is not important enough for another update.
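
The observable difference reported in comment #3, next to the prompt-then-bail behaviour described by the 1.34 source comment quoted in comment #18, as an added C example that is not part of the thread and is not pam_unix2 or OpenSSH code. The account table, the function names and the stand-in for the PAM conversation are hypothetical; the three attempts per session follow comment #3.

```c
/* Added illustration; hypothetical names, not pam_unix2 or OpenSSH code. */
#include <stdio.h>
#include <string.h>
#define MAX_TRIES 3   /* attempts per session, as reported in comment #3 */

/* Constructed sample account; plaintext only to keep the model short. */
struct account { const char *name; const char *password; };
static const struct account accounts[] = { { "alice", "correct horse" } };
static int prompts;   /* password prompts shown to the client */

static const struct account *lookup(const char *user)
{
    for (size_t i = 0; i < sizeof accounts / sizeof accounts[0]; i++)
        if (strcmp(accounts[i].name, user) == 0)
            return &accounts[i];
    return NULL;
}

/* Stand-in for the PAM conversation: count the prompt, hand back the reply. */
static const char *ask_password(const char *reply) { prompts++; return reply; }

/* Behaviour from comment #3: an unknown user fails before any prompt. */
int auth_early_bail(const char *user, const char *reply)
{
    const struct account *a = lookup(user);
    if (a == NULL) return -1;                   /* client sees no prompt */
    return strcmp(ask_password(reply), a->password) == 0 ? 0 : -1;
}

/* Behaviour of the 1.34 comment: ask for a password, then bail out. */
int auth_prompt_first(const char *user, const char *reply)
{
    const struct account *a = lookup(user);
    const char *given = ask_password(reply);    /* prompt in every case */
    return (a != NULL && strcmp(given, a->password) == 0) ? 0 : -1;
}

/* Prompts a client sees during one session of failed attempts as `user`. */
int prompts_seen(int (*auth)(const char *, const char *), const char *user)
{
    prompts = 0;
    for (int i = 0; i < MAX_TRIES && auth(user, "wrong guess") != 0; i++) {}
    return prompts;
}

int main(void)
{
    printf("early bail:   nobody sees %d prompts\n", prompts_seen(auth_early_bail, "nobody"));
    printf("prompt first: nobody sees %d prompts\n", prompts_seen(auth_prompt_first, "nobody"));
}
```

A regression check for this class of bug compares `prompts_seen` for a known and an unknown account and fails when the two counts differ.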