PDA

View Full Version : LUM allowing users to log in over ssh with wrong password



davidrhodes
22-Jun-2012, 12:53
We use lum on our SLED11 boxes to authenticate to eDirectory, and have noticed that if you do a default installation of SLED11SP2, then set up lum, users authorised to log in to the SLED box can log in over ssh with any password ie, entering no password will fail, but type anything else, even just one character, and you're in.

If you downgrade the openssh package to 5.1p1-41.33.1, this behaviour stops, but if you then upgrade to 5.1p1-41.51.1 or later, it starts again.

If you don't use lum (ie just local accounts) it doesn't happen.

Is anyone else seeing this?

ab
22-Jun-2012, 15:13
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I do not have a system to test right now, but can you compare your
/etc/pam.d/ssh file as you change OpenSSH versions? I'm guessing it
changes somehow helping cause the problem, but it's just a guess. It
may also be that the problem came from LUM and your version change just
replaced a conf file somewhere, but since re-upgrading fixed it I doubt
that is the case. /etc/nsswitch.conf is another file that may be worth
checking out before/after the LUM installation since I believe it is
modified by default, though usually not to allow failed logins.

Good luck.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.18 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJP5H1yAAoJEF+XTK08PnB55KYQAJKLbzf8vQ Ay1UT3KGd1ZO0a
JBFeXgFYOrqX5dlMvXfj89j/dNVuZQYu3RIHzkCNutabPz5IKlFMIoTFj0OgpYP0
TP+UqMTcSKfi2k+et1xZQFw4uWv4NRXd+yzKA+6XLAtKwh7dZy wg35x54AHou0IU
IfFvA3ldHeKGZErygEEIsGnW1+siQY71ThfbcTsRQhRrZHwYK4 e9nXpXteaKy61k
WQ/v9OOjocEzZ+wptD5c5WgKUKanfxiyCxauhxEuBLnhSrCy878ie mp1XiesA1Ti
p8r1Iq8QBzpZkbvfcVoaRiqfbX5+pQih9MzTvlNUcRG6uYSz9h wsWmZGC6OjXQb3
WJyLI1sXhM2ezUnGhnDw9GpFJ6pT68Jeylym6wRw6tMzznRLSw VJ+yFhQSc7GZgD
OTtGdVD5O0D7zKyabCnQcEnujkDfVy0+WiaXDGo4h+dvmchiLx MmXEHRqJ1IXCiW
fhKVJJvHVI7yi8jiJzWZ3ifUDSUvmDARpOR0mRc/aJNcb8XfMwzzE2lY6aUNKeqN
WjWfMsLGdK7M746x0p417aN8cOGXWmq8s/BcEb1vE4M+4ws/ioDOw/3yoQwbN0Hr
L/GxAMOoEq3V8wZ3Yp2XsRYmcFmLnS5l3Z05uXfBKKARTgMFG62V AK4VmGTbUvdl
QNGPMoBjcXGwgC/ZdBrP
=E/VP
-----END PGP SIGNATURE-----