help plz: upgrade OpenSSH 3.6.1p2 to 3.7.1p2 breaks PAM auth

Do you have a question? Post it now! No Registration Necessary.  Now with pictures!

Threaded View

I upgraded from OpenSSH 3.6.1p2 to 3.7.1p2 on a SuSE Linux 7.2 box, and
now PAM/LDAP authentication (for regular users) doesn't work anymore.
Root (who has an account in /etc/passwd) can still log in fine, though.
This seems *not* to be a problem of the PAM/LDAP setup, as other
services like imap and console login still work file. The sshd_config
file was left unchanged except for adding "UsePAM yes".

I didn't touch /etc/pam.d/sshd, too:

~~~snip here~~~
auth     required       /lib/security/
auth     sufficient     /lib/security/
auth     required       /lib/security/
account  sufficient     /lib/security/
account  required       /lib/security/
password required       /lib/security/    use_cracklib
password required   /lib/security/ use_first_pass use_authtok
password required   /lib/security/ use_first_pass use_authtok
session  required       /lib/security/       none
session  required       /lib/security/
session  required       /lib/security/
~~~snip here~~~

Any ideas how to fix this?


Re: help plz: upgrade OpenSSH 3.6.1p2 to 3.7.1p2 breaks PAM auth

Quoted text here. Click to load it

The PAM code has changed considerably, and now uses challenge-response
authentication rather than password authentication.  (This is because
PAM can do things that can't be crammed into a normal password auth.)

You probably need to also set "PasswordAuthentication no" and
"ChallengeResponseAuthentication yes", and make sure your client can use
keyboard-interactive authentication (SSHv2) or TIS Challenge-Response
authentication (SSHv1).

Site Timeline