Confusion on SSH and PAM

Christian Baer christian.baer at uni-dortmund.de
Tue Sep 25 05:32:06 PDT 2007


On Tue, 25 Sep 2007 15:56:22 +0400 (GST) Rakhesh Sasidharan wrote:

> Any ideas or nudges in the right direction as to why this is happening? 
> Looks like I've understood the interaction between SSH and PAM wrong here, 
> so would appreciate some enlightenment.

I'm not sure if I can offer any enlightenment here, but you can have my 2
cents. :-)

When you authenticate yourself with your private key, everything works as
you expect. If I understand you correctly, you are confused as to why you
still get prompted for a password when you don't supply a key and then
even the right password doesn't get you in.

This is one of these things with computer logic. :-) You have told the
sshd that a root login via PAM is not ok, only via private key. PAM is
activated just the same (and probably works for other users). The login
follows a certain order...

1 Ask for username
2 Did we get a key? If not, goto 5
3 Is the key ok? If not, goto 5
4 Let user login, exit authentication
5 Is PAM globally on? If not, exit
6 Ask for password
7 Is the password ok? If not goto 6 max 2 times, after that exit
8 Let user login, exit

I know, crappy algorithm that reminds of BASIC a bit. In this case it
should do the job, though. Please forget that the word "goto" exists in
other languages too (even Java). :-)

Your problem seems to be from steps 5 to 7. After the authentication by
key fails, the sshd just goes to the next step, which is the password. For
security reasons, the communication "inside" is a bit brief. PAM only gets
the answer "not authenticated" and because the reason isn't an issue, the
user is asked for the password again. The point is that the sshd just
refuses your login each time, because a password just isn't enough.

I have already made up a little something to put this situation into
another context (access to an underground club for parties) to maybe make
it a little clearer but I think the world has had quite enough of my
little stories already. :-)

Regards
Chris
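The step list in Chris's reply, written out as a small model so the "correct password, still refused" case can be traced step by step. This is an added example, not code from the thread or from OpenSSH: it walks the order the mail describes (key first, then the PAM/password path, then a bounded retry loop) and adds a `root_password_reachable()` check over a config dump in the lowercase `key value` form that `sshd -T` prints. The sample dump is constructed; the `authenticate()` function and its trace strings are this example's own, not sshd internals.

```python
"""Model of the sshd login order from the mail, plus a config check.

Added example, not code from the original thread or from OpenSSH.
Config keys (permitrootlogin, usepam, passwordauthentication,
pubkeyauthentication, maxauthtries) are the lowercase names printed by
``sshd -T``; the sample dump below is constructed for this example.
"""

# Constructed sample of an `sshd -T` effective-config dump (subset of lines).
SAMPLE_SSHD_T = """\
port 22
permitrootlogin without-password
usepam yes
passwordauthentication yes
pubkeyauthentication yes
maxauthtries 3
"""

# PermitRootLogin values under which a bare password never admits root.
ROOT_KEY_ONLY = ("without-password", "prohibit-password", "forced-commands-only", "no")


def parse_sshd_t(text):
    """Turn 'key value' lines (as sshd -T prints them) into a dict."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        cfg[key.lower()] = value.strip()
    return cfg


def root_password_reachable(cfg):
    """True if, under this config, root could log in with a password alone."""
    password_path = cfg.get("usepam") == "yes" or cfg.get("passwordauthentication") == "yes"
    return password_path and cfg.get("permitrootlogin", "yes") not in ROOT_KEY_ONLY


def authenticate(cfg, user, key_ok=None, password_attempts=()):
    """Walk steps 1-8 from the mail.

    key_ok: None if no key was offered, otherwise True/False for a valid/invalid key.
    password_attempts: one bool per typed password (True = the password is correct).
    Returns (outcome, trace); trace is the list of steps taken, for reading along.
    """
    trace = [f"username={user}"]                      # step 1
    root_policy = cfg.get("permitrootlogin", "yes")

    # Steps 2-4: a key is tried first, if one was offered and keys are enabled.
    if key_ok is not None and cfg.get("pubkeyauthentication", "yes") == "yes":
        trace.append("key offered")
        if key_ok and not (user == "root" and root_policy == "no"):
            trace.append("key accepted")
            return "logged in (key)", trace
        trace.append("key rejected")

    # Step 5: is there a password/PAM path at all?
    if not (cfg.get("usepam") == "yes" or cfg.get("passwordauthentication") == "yes"):
        trace.append("no password path; exit")
        return "denied", trace

    # Steps 6-7: ask for a password, bounded by MaxAuthTries (OpenSSH default 6).
    max_tries = int(cfg.get("maxauthtries", "6"))
    for n, pw_ok in enumerate(password_attempts, 1):
        if n > max_tries:
            break
        trace.append(f"password attempt {n}")
        if not pw_ok:
            continue
        # The case from the mail: the password is right, but for root a
        # password alone is not enough, so the prompt simply comes back.
        if user == "root" and root_policy in ROOT_KEY_ONLY:
            trace.append("correct password but root policy refuses it")
            continue
        trace.append("password accepted")           # step 8
        return "logged in (password)", trace

    trace.append("out of attempts; exit")
    return "denied", trace


if __name__ == "__main__":
    cfg = parse_sshd_t(SAMPLE_SSHD_T)
    print("root password login reachable:", root_password_reachable(cfg))
    for outcome, trace in (
        authenticate(cfg, "root", key_ok=True),
        authenticate(cfg, "root", key_ok=None, password_attempts=(True, True, True)),
        authenticate(cfg, "alice", key_ok=False, password_attempts=(False, True)),
    ):
        print(outcome, "<-", " / ".join(trace))
```

Run against a real host, the interesting input is `sshd -T` piped into `parse_sshd_t()`: if `root_password_reachable()` is False while `usepam yes` is set, the password prompt for root is exactly the dead end the mail describes, and tightening `PermitRootLogin` (or disabling the password path) changes only whether the prompt appears, not whether it can succeed.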


More information about the freebsd-questions mailing list