Subject: ssh+pam letting me in inappropriately?
To: None <current-users@netbsd.org>
From: Steven M. Bellovin <smb@cs.columbia.edu>
List: current-users
Date: 04/14/2005 23:28:26

I assume I'm doing something wrong, but sshd with PAM enabled let me 
log in with no authentication, when it shouldn't have as best I can 
tell.

This is a system built from today's sources.  I changed a few things in 
sshd_config, to block passwords from being used, to permit X 
forwarding, to permit root login, and to use protocol 2 only.  Per a 
previous discussion about PAM, I deleted this line:

	#auth           required        pam_unix.so     no_warn try_first_pass

from /etc/rc.d/pamd.  When I tried to connect via ssh, I was prompted 
for my RSA key; I just hit return.  (No, I don't have a null 
passphrase.)  It let me in anyway.  This isn't good...

For now, I've disabled PAM.  I assume I'm doing something stupid; am I,
or is there a bug?  I've attached my sshd_config file, my pam.d/sshd
file, and the output of 'ssh -v' showing the problem.


[Attachment: ssh.trace]

$ ssh -v bigboy          
OpenSSH_3.9 NetBSD_Secure_Shell-20050213, OpenSSL 0.9.7f-fips 22 Mar 2005
debug1: Reading configuration data /home/smb/.ssh/config
debug1: Applying options for bigboy
debug1: /home/smb/.ssh/config line 21: Deprecated option "RhostsAuthentication"
debug1: /home/smb/.ssh/config line 54: Deprecated option "RhostsAuthentication"
debug1: Applying options for *
debug1: /home/smb/.ssh/config line 86: Deprecated option "RhostsAuthentication"
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to bigboy [192.168.2.79] port 22.
debug1: Connection established.
debug1: identity file /home/smb/.ssh/id_rsa type 1
debug1: identity file /home/smb/.ssh/id_dsa type 2
debug1: Remote protocol version 2.0, remote software version OpenSSH_3.9 NetBSD_Secure_Shell-20050213
debug1: match: OpenSSH_3.9 NetBSD_Secure_Shell-20050213 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.9 NetBSD_Secure_Shell-20050213
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'bigboy' is known and matches the RSA host key.
debug1: Found key in /home/smb/.ssh/known_hosts:124
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: /home/smb/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 149
debug1: PEM_read_PrivateKey failed
debug1: read PEM private key done: type <unknown>
Enter passphrase for key '/home/smb/.ssh/id_rsa': 
debug1: Offering public key: /home/smb/.ssh/id_dsa
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug1: Authentication succeeded (keyboard-interactive).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
Last login: Thu Apr 14 23:17:54 2005 from 192.168.2.19
NetBSD 3.99.3 (BIGBOY) #0: Thu Apr 14 20:13:49 EDT 2005

Welcome to NetBSD!


[Attachment: sshd (pam.d/sshd)]

# $NetBSD: sshd,v 1.7 2005/03/17 01:47:18 christos Exp $
#
# PAM configuration for the "sshd" service
#

# auth
auth		required	pam_nologin.so	no_warn
auth		sufficient	pam_krb5.so	no_warn try_first_pass
# pam_ssh has potential security risks.  See pam_ssh(8).
#auth		sufficient	pam_ssh.so	no_warn try_first_pass
#auth		required	pam_unix.so	no_warn try_first_pass

# account
account		required	pam_krb5.so
account		required	pam_login_access.so
account		required	pam_unix.so

# session
# pam_ssh has potential security risks.  See pam_ssh(8).
#session	optional	pam_ssh.so
session		required	pam_permit.so

# password
password	sufficient	pam_krb5.so	no_warn try_first_pass
password	required	pam_unix.so	no_warn try_first_pass

[Attachment: sshd_config]

#	$NetBSD: sshd_config,v 1.21 2005/02/28 02:35:10 christos Exp $
#	$OpenBSD: sshd_config,v 1.69 2004/05/23 23:59:53 dtucker Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

#Port 22
Protocol 2
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

# Slow machines or long keys may require more processing time.
LoginGraceTime 600
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile	.ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
UsePam no
#PermitUserEnvironment no
#Compression yes
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10

# no default banner path
#Banner /some/path

# override default of no subsystems
Subsystem	sftp	/usr/libexec/sftp-server
XAuthLocation	/usr/pkg/xorg/bin/xauth


		--Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb
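As an added illustration (not code from the post, nor from NetBSD or OpenPAM), the following Python models OpenPAM-style control-flag dispatch over the attached pam.d/sshd auth lines; the dispatch rules are a simplification and the module outcomes are constructed. It shows that once the pam_unix line is gone, pam_nologin is the only required module left, so a failing pam_krb5 leaves nothing in the chain that rejects the login.

```python
# The "auth" section as attached to the post (pam_unix commented out).
PAMD_SSHD_AUTH = """\
auth  required   pam_nologin.so  no_warn
auth  sufficient pam_krb5.so     no_warn try_first_pass
#auth sufficient pam_ssh.so      no_warn try_first_pass
#auth required   pam_unix.so     no_warn try_first_pass
"""

def parse_chain(text, facility="auth"):
    """Return [(control, module), ...] for the active lines of one facility."""
    chain = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == facility:
            chain.append((fields[1], fields[2]))
    return chain

def dispatch(chain, outcomes):
    """Simplified OpenPAM dispatch (an assumption; the real code has more
    cases). outcomes: module -> True (PAM_SUCCESS) or False (error).
    A passing 'sufficient' module short-circuits to success unless a
    'required' one already failed; only required/requisite failures fail."""
    failed = False
    for control, module in chain:
        if outcomes.get(module, False):       # unknown module: failure
            if control == "sufficient" and not failed:
                return True
        elif control in ("required", "requisite"):
            failed = True
            if control == "requisite":
                break
    return not failed

def restore_pam_unix(text):
    """Put back the pam_unix line the poster deleted (the stock config)."""
    lines = [l.lstrip("#") if "pam_unix.so" in l else l for l in text.splitlines()]
    return "\n".join(lines) + "\n"

def authenticates(text, outcomes):
    return dispatch(parse_chain(text), outcomes)

# Constructed scenario: no /etc/nologin, no Kerberos credentials, empty
# passphrase typed -> pam_nologin passes, every credential check fails.
NOTHING_CHECKED = {"pam_nologin.so": True, "pam_krb5.so": False,
                   "pam_unix.so": False}

if __name__ == "__main__":
    print("as posted:", authenticates(PAMD_SSHD_AUTH, NOTHING_CHECKED))
    print("pam_unix restored:",
          authenticates(restore_pam_unix(PAMD_SSHD_AUTH), NOTHING_CHECKED))
```

With the posted chain the login is accepted although no module verified a credential; with pam_unix restored as a required module the same scenario is refused.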
