[OpenAFS] Solaris 9 official sshd patch breaks pam_afs functioning

Jeff Blaine jblaine@kickflop.net
Tue, 12 Sep 2006 10:38:56 -0400


Yup.

adm : noodle # strings /usr/lib/ssh/sshd | grep sshd-kbdint
sshd-kbdint
adm : noodle #

Adding lines in /etc/pam.conf for sshd-kbdint solved the
problem.

Thanks!

Douglas E. Engert wrote:
> 
> 
> Jeff Blaine wrote:
> 
>> Has anyone solved this? :(  I'm using OpenAFS 1.4.1.
>>
>> Patch 113273-11 (sshd SPARC) has killed off token-getting via
>> pam_afs.so.1
> 
> 
> We are using OpenSSH on Solaris 9, but Sun's sshd on Solaris 10.
> 
> Did Sun change the pam service names for sshd to do what they did in
> Solaris 10? So sshd is looking for sshd-kbdint, but it's not in your
> pam.conf so it is using other?
> 
> You could do a strings on the sshd to look for sshd-kbdint
> 
>>
>> I'm syslogging *.debug to /var/adm/debug.log and all I get is
>> the following (even with 'debug' as an option to pam_afs.so.1)
>>
>> Sep 12 00:11:12 noodle.domain.com sshd[444]: [ID 800047 auth.info] 
>> Accepted keyboard-interactive for jblaine from 192.168.168.2 port 3995 
>> ssh2
>> ---------------------------------------------------------------------
>> login as: jblaine
>> Using keyboard-interactive authentication.
>> Password:
>> Last login: Mon Sep 11 23:45:06 2006 from 192.168.168.2
>> Sun Microsystems Inc.   SunOS 5.9       Generic May 2002
>> jblaine > tokens
>>
>> Tokens held by the Cache Manager:
>>
>>    --End of list--
>> jblaine >
>> ---------------------------------------------------------------------
>> Running 'sshd -d' shows:
>>
>> ...
>> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST_OLD received
>> debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
>> debug1: dh_gen_key: priv key bits set: 199/384
>> debug1: bits set: 1565/3191
>> debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
>> debug1: bits set: 1617/3191
>> debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
>> debug1: newkeys: mode 1
>> debug1: SSH2_MSG_NEWKEYS sent
>> debug1: expecting SSH2_MSG_NEWKEYS
>> debug1: newkeys: mode 0
>> debug1: SSH2_MSG_NEWKEYS received
>> debug1: KEX done
>> debug1: userauth-request for user jblaine service ssh-connection 
>> method none
>> debug1: attempt 0 initial attempt 0 failures 0 initial failures 0
>> Failed none for jblaine from 192.168.168.2 port 3961 ssh2
>> debug1: userauth-request for user jblaine service ssh-connection 
>> method keyboard-interactive
>> debug1: attempt 1 initial attempt 0 failures 1 initial failures 0
>> debug1: keyboard-interactive devs
>> debug1: got 1 responses
>> debug1: PAM conv function returns PAM_SUCCESS
>> Accepted keyboard-interactive for jblaine from 192.168.168.2 port 3961 
>> ssh2
>> debug1: permanently_set_uid: 26560/10
>> debug1: Entering interactive session for SSH2.
>> ...
>>
>> _______________________________________________
>> OpenAFS-info mailing list
>> OpenAFS-info@openafs.org
>> https://lists.openafs.org/mailman/listinfo/openafs-info
>>
>>
>
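
Added example, not part of the thread: a check for the failure mode discussed above, where sshd asks PAM for a service name that has no entries in pam.conf and so gets the `other` stack, which lacks pam_afs. The sample pam.conf lines, the `sshd` service entries and the function names are constructed for illustration; the script assumes a service with no `auth` entries of its own falls back to the `other` entries.

```shell
#!/bin/sh
# Added example (not from the thread). Reports, for a PAM service name, whether
# its auth stack in a pam.conf-style file comes from its own entries or from the
# "other" fallback, and whether pam_afs appears in the stack that applies.

afs_status() {   # usage: afs_status CONF SERVICE
    awk -v svc="$2" '
        /^[ \t]*#/ || NF < 4 || $2 != "auth" { next }   # comments, short lines, non-auth
        $1 == svc     { own = 1; if ($0 ~ /pam_afs/) own_afs = 1 }
        $1 == "other" { if ($0 ~ /pam_afs/) oth_afs = 1 }
        END {
            if (own) print (own_afs ? "explicit+afs" : "explicit-no-afs")
            else     print (oth_afs ? "fallback+afs" : "fallback-no-afs")
        }' "$1"
}

# Constructed sample: entries exist for "sshd" but not for "sshd-kbdint".
write_sample() {   # usage: write_sample FILE
    cat > "$1" <<'EOF'
# service      type  control     module
sshd           auth  sufficient  pam_afs.so.1
sshd           auth  required    pam_unix_auth.so.1
other          auth  required    pam_unix_auth.so.1
EOF
}

# Constructed fix: the same stack repeated under the new service name.
add_kbdint() {   # usage: add_kbdint FILE
    cat >> "$1" <<'EOF'
sshd-kbdint    auth  sufficient  pam_afs.so.1
sshd-kbdint    auth  required    pam_unix_auth.so.1
EOF
}

conf=$(mktemp)
write_sample "$conf"
echo "before: sshd-kbdint -> $(afs_status "$conf" sshd-kbdint)"
add_kbdint "$conf"
echo "after:  sshd-kbdint -> $(afs_status "$conf" sshd-kbdint)"
rm -f "$conf"
```

On a real host, the service names to test would come from the `strings` output on the sshd binary, and the file to check would be /etc/pam.conf.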