Package: libpam-ssh
Version: 2.01-2
Severity: important

The description of libpam-ssh says:

 - during authentication, the user types a SSH passphrase and is
   authenticated if the passphrase successfully decrypts the user's SSH
   private keys;

However, because of the way the module is installed in
/etc/pam.d/common-auth, it cannot actually authenticate the user.

With the generated configuration (below), if pam_unix (or all of the
primary authentication modules) fail, the requisite pam_deny.so will
trigger and stop the processing of modules. pam_ssh then never gets a
chance to authenticate.

Logging in with the correct pam_unix password runs pam_ssh, but if the
passphrase for the key is different, the key is never unlocked. pam_ssh
also never seems to ask for the passphrase, even if the password given
earlier doesn't unlock the key (regardless of whether use_first_pass,
try_first_pass or neither is given).

generated /etc/pam.d/common-auth:
-------------------------
# here are the per-package modules (the "Primary" block)
auth    [success=1 default=ignore]      pam_unix.so nullok_secure
# here's the fallback if no module succeeds
auth    requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth    required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth    optional                        pam_ssh.so use_first_pass
# end of pam-auth-update config
-------------------------

Examples:

User kenny has a key in ~kenny/.ssh/login-keys.d/id_rsa, passphrase is
"keysecret". The unix password is "password".

Trying to log in with the unix password doesn't unlock the key:

root@plink:~# ssh kenny@localhost 'ssh-add -l '
kenny@localhost's password: [password]
The agent has no identities.

Trying to log in with the key passphrase doesn't work at all:

root@plink:~# ssh kenny@localhost 'ssh-add -l '
kenny@localhost's password: [keysecret]
Permission denied, please try again.

However, if the password and key passphrase are the same, the login
succeeds and the key is unlocked:

root@plink:~# echo "kenny:keysecret" | chpasswd
root@plink:~# ssh kenny@localhost 'ssh-add -l '
kenny@localhost's password: [keysecret]
2048 15:5b:72:4a:73:2b:c4:cf:d1:9d:4c:94:a2:d5:36:e6 /home/kenny/.ssh/login-keys.d/id_rsa (RSA)

Installing pam_ssh manually in the primary block (as below) results in
the behaviour I would have expected.

# here are the per-package modules (the "Primary" block)
auth    [success=2 default=ignore]      pam_unix.so nullok_secure
auth    [success=1 default=ignore]      pam_ssh.so try_first_pass debug
# here's the fallback if no module succeeds
auth    requisite                       pam_deny.so
# ...

-- System Information:
Debian Release: 8.0
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libpam-ssh depends on:
ii  libc6              2.19-18
ii  libpam-runtime     1.1.8-3.1
ii  libpam0g           1.1.8-3.1
ii  libssl1.0.0        1.0.1k-3
ii  multiarch-support  2.19-18

Versions of packages libpam-ssh recommends:
pn  libpam-tmpdir                <none>
ii  openssh-client [ssh-client]  1:6.7p1-5

libpam-ssh suggests no packages.

-- no debconf information
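To make the difference between the two common-auth layouts concrete, here is a small added simulation of the Linux-PAM control-flag semantics the report relies on (not part of the bug report or of libpam-ssh). The pam_unix/pam_ssh functions are stand-ins that compare a constructed token, and the credentials are the constructed ones from the examples above.

```python
# Added example: a toy walker for the Linux-PAM "auth" control-flag semantics
# ([success=N default=ignore], requisite, required, optional), applied to the
# two common-auth layouts from this report. The module functions are stand-ins
# that compare a constructed token; nothing here touches real PAM or real keys.

UNIX_PW, KEY_PASSPHRASE = "password", "keysecret"   # constructed, as in the report

def pam_unix(token):   return token == UNIX_PW
def pam_ssh(token):    return token == KEY_PASSPHRASE
def pam_deny(token):   return False
def pam_permit(token): return True

def run_stack(stack, token):
    """Walk an auth stack. Each entry is (control, module); control is either
    {"success": N} for [success=N default=ignore] or a keyword string. With
    use_first_pass/try_first_pass every module sees the same token."""
    ran, key_unlocked, result, i = [], False, None, 0
    while i < len(stack):
        control, module = stack[i]
        ok = module(token)
        ran.append(module.__name__)
        if module is pam_ssh and ok:            # the key would be unlocked here
            key_unlocked = True
        if isinstance(control, dict):           # default=ignore: a failure adds nothing
            i += 1 + (control["success"] if ok else 0)   # success=N skips N entries
            continue
        if control == "requisite" and not ok:   # stop the stack at once
            return {"auth": False, "ran": ran, "key_unlocked": key_unlocked}
        if control == "required" and (not ok or result is None):
            result = ok                         # contributes; a failure sticks
        i += 1                                  # "optional" never changes the result
    return {"auth": result is True, "ran": ran, "key_unlocked": key_unlocked}

# The pam-auth-update layout from the report: pam_ssh only in the Additional block.
GENERATED = [({"success": 1}, pam_unix), ("requisite", pam_deny),
             ("required", pam_permit), ("optional", pam_ssh)]
# The reporter's manual layout: pam_ssh as a second Primary-block module.
MANUAL = [({"success": 2}, pam_unix), ({"success": 1}, pam_ssh),
          ("requisite", pam_deny), ("required", pam_permit)]

if __name__ == "__main__":
    for name, stack in (("generated", GENERATED), ("manual", MANUAL)):
        for token in (UNIX_PW, KEY_PASSPHRASE):
            print(name, repr(token), run_stack(stack, token))
```

Setting UNIX_PW to "keysecret" reproduces the third session above, where one token satisfies both modules in the generated layout.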