On Fri, Aug 14, 2020 at 07:50:31AM -0000, Ben Aveling via FreeIPA-users wrote:
> This is weird.
>
> If /etc/sshd_config contains:
> PermitEmptyPasswords yes
>
> Then ssh to the host fails, sort of.
>
> As soon as the ssh command executes, "authentication failure" appears in /var/log/secure
> pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=test6f
>
> But ssh doesn't get disconnected straight away.
>
> First you get prompted for a password.
>
> If you enter the correct password, then you get disconnected.
>
> e.g.
>
> $ ssh test6f@localhost
> Password:
> Write failed: Broken pipe
>
>
> Aug 14 17:44:38 centos25 sshd[4505]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=test6f
> Aug 14 17:44:38 centos25 sshd[4505]: pam_sss(sshd:auth): received for user test6f: 7 (Authentication failure)
> Aug 14 17:44:51 centos25 sshd[4508]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=test6f
> Aug 14 17:44:51 centos25 sshd[4505]: Accepted keyboard-interactive/pam for test6f from ::1 port 47542 ssh2
> Aug 14 17:44:51 centos25 sshd[4505]: fatal: PAM: pam_setcred(): Failure setting user credentials
>
>
>
> If you enter a wrong password three times (or no password at all), then the prompt changes, and if you now enter a password, it succeeds.
>
> $ ssh test6f@localhost
> Password:
> Password:
> Password:
> test6f@localhost's password:
> Last failed login: Fri Aug 14 17:32:00 AEST 2020 from localhost on ssh:notty
> There were 3 failed login attempts since the last successful login.
> Last login: Fri Aug 14 17:31:11 2020 from localhost
>
> Aug 14 17:47:47 centos25 sshd[4516]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=test6f
> Aug 14 17:47:47 centos25 sshd[4516]: pam_sss(sshd:auth): received for user test6f: 7 (Authentication failure)
> Aug 14 17:47:48 centos25 sshd[4519]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=test6f
> Aug 14 17:47:48 centos25 sshd[4519]: pam_sss(sshd:auth): received for user test6f: 7 (Authentication failure)
> Aug 14 17:47:48 centos25 sshd[4516]: error: PAM: Authentication failure for test6f from localhost
> Aug 14 17:47:49 centos25 sshd[4521]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=test6f
> Aug 14 17:47:49 centos25 sshd[4521]: pam_sss(sshd:auth): received for user test6f: 7 (Authentication failure)
> Aug 14 17:47:49 centos25 sshd[4516]: error: PAM: Authentication failure for test6f from localhost
> Aug 14 17:47:49 centos25 sshd[4523]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=test6f
> Aug 14 17:47:49 centos25 sshd[4523]: pam_sss(sshd:auth): received for user test6f: 7 (Authentication failure)
> Aug 14 17:47:49 centos25 sshd[4516]: error: PAM: Authentication failure for test6f from localhost
> Aug 14 17:47:49 centos25 sshd[4516]: Failed keyboard-interactive/pam for test6f from ::1 port 47555 ssh2
> Aug 14 17:47:52 centos25 sshd[4516]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=test6f
> Aug 14 17:47:52 centos25 sshd[4516]: Accepted password for test6f from ::1 port 47555 ssh2
> Aug 14 17:47:52 centos25 sshd[4516]: pam_unix(sshd:session): session opened for user test6f by (uid=0)
>
>
>
> This behaviour doesn't happen if ipa-client is not installed, or if it is uninstalled.
Hi,

I guess you have 'PasswordAuthentication yes' in your default sshd_config and ipa-client-install adds 'ChallengeResponseAuthentication yes'. It looks like ChallengeResponseAuthentication is always tried first and then PasswordAuthentication. If I understand it correctly PermitEmptyPasswords is expected to only work properly with PasswordAuthentication. So I guess setting 'ChallengeResponseAuthentication no' might help in your environment if you really need PermitEmptyPasswords. Please note that some FreeIPA features like e.g. special prompting for multi-factor authentication will only work if 'ChallengeResponseAuthentication yes' is set.

HTH

bye,
Sumit

>
> This behaviour seems to be the same for an IPA user or for a local user
>
> This behaviour doesn't happen if PermitEmptyPasswords is no, which is the default, and a sensible default, and I don't know why anyone set it to something different, but they did, and this was the resulting behaviour, and I tell you, it took a bit of tracking down to work out what was happening.
>
> Without knowing more about why this happens, or what it would take to change it, I'm not sure that this is a bug, or if it is a bug, if it is a bug that is worth fixing. But I just thought I'd report it and let you decide if you want to do anything with it.
>
> Regards, Ben
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
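An added check, written for this page and not part of the thread, FreeIPA or OpenSSH: a POSIX sh script (awk for parsing) that audits an sshd_config for the combination Sumit's reply describes, PermitEmptyPasswords yes together with ChallengeResponseAuthentication yes, and prints the change he suggests. It runs against two constructed sample configs, one mirroring a host after ipa-client-install with PermitEmptyPasswords switched on and one with the suggested change applied. The function names are mine; the script assumes sshd's first-value-wins rule for repeated keywords, ignores Match blocks, handles only the "Keyword value" form, and treats the newer spelling KbdInteractiveAuthentication as an alias of ChallengeResponseAuthentication.

```shell
#!/bin/sh
# Added example (not from the thread, FreeIPA or OpenSSH): audit an
# sshd_config for PermitEmptyPasswords yes combined with
# ChallengeResponseAuthentication yes, the state Sumit's reply describes,
# and print the change he suggests. Function names are mine.
#
# Assumptions: sshd keeps the first value it sees for a keyword, so the
# first match wins and scanning stops at the first "Match" block (settings
# inside Match blocks are not evaluated). Keywords are matched without
# regard to case, in "Keyword value" form only (no "Keyword=value"), and
# the newer spelling KbdInteractiveAuthentication is accepted as an alias.

# sshd_opt FILE DEFAULT KEYWORD [ALIAS...]
# Print the lower-cased effective value of KEYWORD (or an alias) in FILE,
# or DEFAULT when the file does not set it.
sshd_opt() {
    _file=$1; _default=$2; shift 2
    _val=$(awk -v keys="$*" '
        BEGIN { n = split(tolower(keys), want, " ") }
        /^[ \t]*#/ || NF == 0 { next }                 # comments, blank lines
        tolower($1) == "match" { exit }                # global section ends
        {
            for (i = 1; i <= n; i++)
                if (tolower($1) == want[i]) { print tolower($2); exit }
        }
    ' "$_file")
    printf '%s\n' "${_val:-$_default}"
}

# audit_sshd_config FILE
# Return status: 0 = nothing to report, 1 = PermitEmptyPasswords is on,
# 2 = PermitEmptyPasswords is on and challenge-response is also on, the
# state from the thread in which keyboard-interactive is tried before
# password authentication. Defaults are OpenSSH's built-in defaults.
audit_sshd_config() {
    _f=$1
    _empty=$(sshd_opt "$_f" no PermitEmptyPasswords)
    _pw=$(sshd_opt "$_f" yes PasswordAuthentication)
    _cra=$(sshd_opt "$_f" yes ChallengeResponseAuthentication KbdInteractiveAuthentication)
    _pam=$(sshd_opt "$_f" no UsePAM)

    echo "$_f: PermitEmptyPasswords=$_empty PasswordAuthentication=$_pw" \
         "ChallengeResponseAuthentication=$_cra UsePAM=$_pam"
    [ "$_empty" = yes ] || return 0

    echo "  WARNING: PermitEmptyPasswords yes lets accounts with an empty password log in; the default is no"
    if [ "$_cra" = yes ]; then
        echo "  WARNING: ChallengeResponseAuthentication yes is also set, so keyboard-interactive is tried first"
        echo "           (the thread reports 'Write failed: Broken pipe' after a correct password in this state)."
        echo "           Either drop PermitEmptyPasswords, or set:"
        echo "               ChallengeResponseAuthentication no"
        echo "           Note: FreeIPA multi-factor prompting needs ChallengeResponseAuthentication yes."
        return 2
    fi
    return 1
}

# Constructed sample configs (not copied from the thread). The first mirrors
# a CentOS host after ipa-client-install with PermitEmptyPasswords turned on,
# the second the same host with Sumit's suggested change applied.
_tmp=$(mktemp -d)
cat > "$_tmp/sshd_config.ipa" <<'EOF'
# distribution defaults; ChallengeResponseAuthentication switched on by ipa-client-install
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
PermitEmptyPasswords yes
EOF
cat > "$_tmp/sshd_config.fixed" <<'EOF'
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
PermitEmptyPasswords yes
EOF

for _cfg in "$_tmp/sshd_config.ipa" "$_tmp/sshd_config.fixed"; do
    if audit_sshd_config "$_cfg"; then echo "  status 0"; else echo "  status $?"; fi
done
rm -rf "$_tmp"
```

On a real host, point audit_sshd_config at /etc/ssh/sshd_config, or feed it the output of `sshd -T` (run as root), which dumps the effective configuration in the same keyword/value form and so also reflects values the file-only scan cannot see.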
