Subject: Re: ssh+pam letting me in inappropriately?
To: None <current-users@netbsd.org>
From: Christos Zoulas <christos@tac.gw.com>
List: current-users
Date: 04/15/2005 13:10:15
In article <20050415032826.1CDDB3C05D4@berkshire.machshav.com>,
Steven M. Bellovin <smb@cs.columbia.edu> wrote:
>I assume I'm doing something wrong, but sshd with PAM enabled let me 
>log in with no authentication, when it shouldn't have as best I can 
>tell.
>
>This is a system built from today's sources.  I changed a few things in 
>sshd_config, to block passwords from being used, to permit X 
>forwarding, to permit root login, and to use protocol 2 only.  Per a 
>previous discussion about PAM, I deleted this line:
>
>	#auth           required        pam_unix.so     no_warn try_first_pass
>
>from /etc/rc.d/pamd.  When I tried to connect via ssh, I was prompted 
>for my RSA key; I just hit return.  (No, I don't have a null 
>passphrase.)  It let me in anyway.  This isn't good...
>
>For now, I've disabled PAM.  I assume I'm doing something stupid; am I,
>or is there a bug?  I've attached my sshd_config file, my pam.d/sshd
>file, and the output of 'ssh -v' showing the problem.

My output looks like:

debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /u/christos/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 149
debug1: PEM_read_PrivateKey failed
debug1: read PEM private key done: type <unknown>
Enter passphrase for key '/u/christos/.ssh/id_rsa': 
debug1: Offering public key: /u/christos/.ssh/id_dsa
debug1: Server accepts key: pkalg ssh-dss blen 434
debug1: PEM_read_PrivateKey failed
debug1: read PEM private key done: type <unknown>
Enter passphrase for key '/u/christos/.ssh/id_dsa': 
debug1: Next authentication method: password
christos@quasar's password: 
debug1: Authentications that can continue: publickey,password
Permission denied, please try again.
christos@quasar's password: 
debug1: Authentications that can continue: publickey,password
Permission denied, please try again.
christos@quasar's password: 
debug1: Authentications that can continue: publickey,password
debug1: No more authentication methods to try.
Permission denied (publickey,password).

christos