Confusion on SSH and PAM
rakhesh at rakhesh.com
Tue Sep 25 04:59:02 PDT 2007
I've spent a fair bit of yesterday and today playing around with this.
Have reached some confusing conclusions.
Here's a snippet from my ''sshd_config'' file:
The idea being that I use Public Key authentication. No password
authentication. Yes to PAM authentication etc (my understanding is that
*if* Public Key auth fails then this is invoked). And root is allowed
login using Key authentication.
Here's the SSHD section for PAM:
auth required pam_nologin.so no_warn
auth required pam_unix.so try_first_pass
account required pam_login_access.so
account required pam_unix.so
session required pam_permit.so
password required pam_unix.so no_warn try_first_pass
Pretty standard config.
As long as I log in as root with a key, things work as expected.
However, when I log in as root without a key I am prompted for the
password, and even though I enter the password correctly I am prompted
again for a total of 3 times and then it fails.
After a bit of trial and error, I finally figured that setting
''PermitRootLogin yes'' lets root log in without a key. So it seems to me
that when I don't use Key authentication, PAM is invoked, and even though
I supply the correct root password I am prompted again and again for a
password coz root login is disallowed by SSHD. Strange, coz I was under
the impression that as far as PAM is concerned I have successfully
authenticated, so shouldn't it have OK-ed me and left SSH to refuse login
with some message? Why ask for the password thrice and then refuse?
I also tried without the ''no_warn'' option in the pam_unix module. That
time I get an error like this after each password input:
pam_unix: pam_sm_authenticate: UNIX authentication refused
Any ideas or nudges in the right direction as to why this is happening?
Looks like I've understood the interaction between SSH and PAM wrong here,
so would appreciate some enlightenment.
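The behaviour described in the post (PAM accepts the root password, yet sshd keeps prompting and finally refuses) can be traced to the order in which sshd evaluates things: the authentication method runs first, and only afterwards does sshd apply its own PermitRootLogin policy to the result. The model below is an added illustration written for this thread; it is not sshd or PAM code, and it assumes the poster's sshd_config sets PermitRootLogin to ''without-password'' (the snippet is missing from the post, so that value is an assumption). The PAM stack it evaluates is the ''sshd'' service quoted above, and the three-prompt limit mirrors the OpenSSH client's default NumberOfPasswordPrompts.

```python
"""Model of how sshd combines a PAM stack result with its PermitRootLogin policy.

Added example for the freebsd-questions thread; not OpenSSH or PAM source.
"""
from dataclasses import dataclass

# Constructed copy of the 'sshd' PAM service quoted in the post (options dropped).
PAM_SSHD = [
    ("auth",    "required", "pam_nologin.so"),
    ("auth",    "required", "pam_unix.so"),
    ("account", "required", "pam_login_access.so"),
    ("account", "required", "pam_unix.so"),
]


def run_pam_stack(stack, phase, module_results):
    """Evaluate one PAM phase with the standard control-flag semantics.

    module_results maps a module name to True/False (what that module returned
    for this attempt); modules not listed are treated as succeeding.
    """
    final_ok = True
    for ph, control, module in stack:
        if ph != phase:
            continue
        ok = module_results.get(module, True)
        if control == "required" and not ok:
            final_ok = False            # remember failure, keep running the stack
        elif control == "requisite" and not ok:
            return False                # stop immediately
        elif control == "sufficient" and ok and final_ok:
            return True                 # short-circuit success
        # "optional" results are ignored
    return final_ok


@dataclass
class SshdConfig:
    # Assumed value for the poster's setup; 'yes' is what made root password login work.
    permit_root_login: str = "without-password"   # yes | no | without-password
    password_authentication: bool = False
    use_pam: bool = True
    pubkey_authentication: bool = True


def root_allowed(cfg, method):
    """Counterpart of sshd's auth_root_allowed(): may root log in via this method?"""
    if cfg.permit_root_login == "yes":
        return True
    if cfg.permit_root_login == "no":
        return False
    return method == "publickey"       # without-password: key-based methods only


def userauth(cfg, user, method, pam_results=None, key_ok=False):
    """One sshd userauth attempt. Returns (authenticated, reason)."""
    if method == "publickey":
        if not cfg.pubkey_authentication:
            return False, "publickey disabled"
        authenticated = key_ok
    elif method in ("password", "keyboard-interactive"):
        if method == "password" and not cfg.password_authentication:
            return False, "password method disabled"
        if not cfg.use_pam:
            return False, "UsePAM no"
        # PAM runs the conversation and returns its verdict first...
        authenticated = run_pam_stack(PAM_SSHD, "auth", pam_results or {})
    else:
        return False, "unknown method"
    # ...and only then does sshd apply its root policy, turning a PAM success
    # into a plain failure that the client is free to retry.
    if authenticated and user == "root" and not root_allowed(cfg, method):
        return False, "PAM succeeded but PermitRootLogin forbids root via " + method
    return authenticated, "ok" if authenticated else "method failed"


def simulate_client(cfg, user, method, password_correct=True, prompts=3):
    """Client loop: OpenSSH asks up to NumberOfPasswordPrompts (default 3) times."""
    attempts = []
    for n in range(1, prompts + 1):
        ok, reason = userauth(cfg, user, method,
                              pam_results={"pam_unix.so": password_correct})
        attempts.append((n, ok, reason))
        if ok:
            break
    return attempts


if __name__ == "__main__":
    for n, ok, reason in simulate_client(SshdConfig(), "root", "keyboard-interactive"):
        print(f"attempt {n}: {'accepted' if ok else 'refused'} ({reason})")
```

Running it with the assumed ''without-password'' setting prints three refusals with the same reason, which is the pattern the post describes: from PAM's point of view each attempt succeeded, but sshd discards the result because the method is not one root is allowed to use, and the client simply prompts again until its own limit is reached. Flipping ''permit_root_login'' to ''yes'' makes the first attempt succeed, which matches the poster's observation; the defender's takeaway is that the repeated prompts are sshd enforcing policy, not a password mismatch, so the fix is to keep root restricted to keys rather than to loosen PermitRootLogin.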