Confusion on SSH and PAM

Rakhesh Sasidharan rakhesh at rakhesh.com
Tue Sep 25 04:59:02 PDT 2007


Hi,

I've spent a fair bit of yesterday and today playing around with this. 
Have reached some confusing conclusions.

Here's a snippet from my ''sshd_config'' file:

----8<-----------
PubkeyAuthentication            yes
ChallengeResponseAuthentication yes
PermitRootLogin                 without-password
PasswordAuthentication          no
UsePAM                          yes
----8<-----------

The idea being that I use Public Key authentication. No password 
authentication. Yes to PAM authentication etc (my understanding is that 
*if* Public Key auth fails then this is invoked). And root is allowed 
login using Key authentication.

Here's the SSHD section for PAM:

----8<-----------
auth      required      pam_nologin.so                  no_warn
auth      required      pam_unix.so                     try_first_pass
account   required      pam_login_access.so
account   required      pam_unix.so
session   required      pam_permit.so
password  required      pam_unix.so                     no_warn try_first_pass
----8<-----------

Pretty standard config.

As long as I login as root with a key, things work as expected.

However, when I login as root without a key I am prompted for the 
password, and even though I enter the password correctly I am prompted 
again for a total of 3 times and then it fails.

After a bit of trial and error, I finally figured that setting 
''PermitRootLogin yes'' lets root login without a key. So it seems to me 
that when I don't use Key authentication, PAM is invoked, and even though 
I supply the correct root password I am prompted again and again for a 
password coz root login is disallowed by SSHD. Strange, coz I was under 
the impression that as far as PAM is concerned I have successfully 
authenticated, so shouldn't it have OK-ed me and left SSH to refuse login 
with some message? Why ask for the password thrice and then refuse?

I also tried without the ''no_warn'' option in the pam_unix module. That 
time I get an error like this after each password input:

----8<-----------
pam_unix: pam_sm_authenticate: UNIX authentication refused
----8<-----------

Any ideas or nudges in the right direction as to why this is happening? 
Looks like I've understood the interaction between SSH and PAM wrong here, 
so would appreciate some enlightenment.

Regards,

- Rakhesh
http://rakhesh.net/
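An added example, not part of the original post, that models the two sshd rules behind the behaviour described above: sshd keeps the first value it sees for each keyword, and `PermitRootLogin without-password` lets root in only through methods that carry no password, so a keyboard-interactive (PAM) attempt for root is still prompted for and then refused even with the correct password. The snippet quoted in the post is embedded as a constructed sample; the `DEFAULTS` table and the `PermitRootLogin yes` default are assumptions (that default has changed across OpenSSH releases).

```python
from typing import Dict, List

# Constructed copy of the sshd_config snippet quoted in the post; everything the
# snippet omits is assumed to sit at the OpenSSH default.
SAMPLE_SSHD_CONFIG = """\
PubkeyAuthentication            yes
ChallengeResponseAuthentication yes
PermitRootLogin                 without-password
PasswordAuthentication          no
UsePAM                          yes
"""

# Assumed defaults; PermitRootLogin "yes" is the old default, newer releases differ.
DEFAULTS = {
    "pubkeyauthentication": "yes", "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes", "usepam": "no", "permitrootlogin": "yes",
}

def parse_sshd_config(text: str) -> Dict[str, str]:
    """Keyword -> value with keywords lower-cased; like sshd, the first value seen wins."""
    cfg = dict(DEFAULTS)
    seen = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) == 2 and parts[0].lower() not in seen:
            seen.add(parts[0].lower())
            cfg[parts[0].lower()] = parts[1].strip()
    return cfg

def offered_methods(cfg: Dict[str, str]) -> List[str]:
    """Authentication methods sshd offers to any client under this configuration."""
    methods = []
    if cfg["pubkeyauthentication"] == "yes":
        methods.append("publickey")
    if cfg["passwordauthentication"] == "yes":
        methods.append("password")
    # keyboard-interactive is the method that actually drives the PAM "auth" stack
    if cfg["challengeresponseauthentication"] == "yes" and cfg["usepam"] == "yes":
        methods.append("keyboard-interactive")
    return methods

def root_login_outcome(cfg: Dict[str, str]) -> Dict[str, str]:
    """Per offered method: does a correct credential get root in, or is root refused after the prompt?"""
    policy = cfg["permitrootlogin"]
    outcome = {}
    for m in offered_methods(cfg):
        if policy == "yes" or (policy in ("without-password", "prohibit-password") and m == "publickey"):
            outcome[m] = "allowed"
        else:  # sshd still runs the method (so PAM prompts) and only then refuses root
            outcome[m] = "prompted but refused"
    return outcome
```

Running `root_login_outcome(parse_sshd_config(SAMPLE_SSHD_CONFIG))` reports publickey as allowed and keyboard-interactive as prompted but refused, which is the three-prompts-then-failure the post describes; prepending `PermitRootLogin yes` flips keyboard-interactive to allowed.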


More information about the freebsd-questions mailing list