> The subject says all ;-). System version: 4.0-20000229-CURRENT (ftpd 6.00LS).
> 
> However, S/Key authentication works for telnet and login. Of course,
> the simple cleartext password authentication method does work for ftpd.
> It looks like a bug in ftpd (or PAM?).

> I log auth.info messages in /var/log/authlog, but there aren't any ftpd or
> PAM messages in that file.
> 
> I also upgraded /etc/pam.conf to version 1.5.
> 
> -- JMA

I'm not sure what the correct solution is, but I think I found
what is happening.

In the ftpd.c pass() function, PAM authentication is tried before
S/Key authentication, and if PAM auth fails, then it fails
without trying S/Key authentication.

   #if !defined(NOPAM)
                   rval = auth_pam(&pw, passwd);
                   if (rval >= 0)
                           goto skip;
   #endif
   #ifdef SKEY
                   rval = strcmp(skey_crypt(passwd, pw->pw_passwd, pw, pwok),
                                 pw->pw_passwd);
                   pwok = 0;
   #else
                   rval = strcmp(crypt(passwd, pw->pw_passwd), pw->pw_passwd);
   #endif
                   /* The strcmp does not catch null passwords! */
                   if (*pw->pw_passwd == '\0' ||
                       (pw->pw_expire && time(NULL) >= pw->pw_expire))
                           rval = 1;       /* failure */
   skip:
                   /*
                    * If rval == 1, the user failed the authentication check
                    * above.  If rval == 0, either PAM or local authentication
                    * succeeded.
                    */
                   if (rval) {
                           reply(530, "Login incorrect.");
                           if (logging)
                                   syslog(LOG_NOTICE,
                                       "FTP LOGIN FAILED FROM %s, %s",
                                       remotehost, curname);
And in /etc/pam.conf version 1.5, ftp seems to match the
following entry.

  other   auth    required        pam_unix.so                     try_first_pass

Because pam_unix.so is used for S/Key authentication, it naturally
fails.
(In my environment, my old pam.conf doesn't have the entry, so
the problem didn't happen.)

As far as I have confirmed, the following trials fixed this situation.

 -Disable PAM authentication in ftpd.c, pass()
 -Or, change the pam.conf entry as below.

-  other   auth    required        pam_unix.so                     try_first_pass
+  other   auth    required        pam_skey.so                     try_first_pass
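Review bot: the `other` stanza is the catch-all for every service that has no entry of its own in pam.conf, so swapping pam_unix.so for pam_skey.so on that line changes authentication for all of those services, not only ftp; and because the control flag stays `required`, an account that authenticates with an ordinary Unix password and has no S/Key entry would then fail everywhere that falls through to `other`. If the change is meant only for the ftp case, a service-specific `ftp auth ...` entry, or listing pam_skey.so as `sufficient` ahead of the existing pam_unix.so line rather than replacing it, keeps the scope to the problem being fixed.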


But I don't think these are real solutions.
Maybe,
  -Change the ftpd.c user() function to use PAM also?
   (I don't know how to do it.)
  -Or, if PAM authentication fails in the pass() function, then try
   S/Key authentication?
  -Or something else?


Advice from experts is welcome.

Thanks,
Yoshinobu Inoue
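The following is an added example, not code from the original post or from FreeBSD's ftpd: a small C model of the pass() decision quoted above, with auth_pam() and skey_crypt() replaced by assumed per-account oracle values (the hypothetical fields pam_rval and skey_ok), so that the two control flows can be run side by side on constructed accounts: the flow exactly as quoted, where any non-negative PAM result is final, and the variant floated at the end of the mail, where a PAM failure falls through to the S/Key check.

```c
/*
 * Added illustration (not ftpd.c itself): a model of the pass() decision
 * quoted in the mail.  auth_pam() and skey_crypt() are replaced by the
 * assumed per-account oracle fields pam_rval and skey_ok so the control
 * flow can be exercised offline.
 */
#include <stdio.h>
#include <time.h>

struct account {
    const char *pw_passwd;  /* stored secret; "" models a null password */
    time_t      pw_expire;  /* 0 = never expires */
    int         pam_rval;   /* assumed auth_pam() result: <0 no verdict, 0 ok, >0 failed */
    int         skey_ok;    /* assumed: would skey_crypt() match the offered password? */
};

/*
 * Local (non-PAM) check shared by both variants: the S/Key/crypt match,
 * followed by the null-password and expiry test from the quoted code.
 * Returns 0 on success, 1 on failure, like rval in ftpd.c.
 */
static int local_check(const struct account *a, time_t now)
{
    int rval = a->skey_ok ? 0 : 1;
    /* The strcmp does not catch null passwords, so test explicitly. */
    if (a->pw_passwd[0] == '\0' || (a->pw_expire && now >= a->pw_expire))
        rval = 1;
    return rval;
}

/*
 * Flow as quoted: any non-negative PAM result jumps to "skip", so S/Key is
 * reached only when PAM gives no verdict at all.  Returns 1 if accepted.
 */
int pass_original(const struct account *a, time_t now)
{
    int rval = a->pam_rval;
    if (rval >= 0)
        return rval == 0;           /* the "goto skip" */
    rval = local_check(a, now);
    return rval == 0;
}

/*
 * One of the options floated in the mail: only PAM *success* is final;
 * a PAM failure falls through to the local S/Key/crypt check, which still
 * applies the null-password and expiry test.  Returns 1 if accepted.
 */
int pass_with_fallback(const struct account *a, time_t now)
{
    if (a->pam_rval == 0)
        return 1;
    return local_check(a, now) == 0;
}

int main(void)
{
    const time_t now = 1000000;   /* constructed clock value */
    /* Constructed scenarios; the secret strings are placeholders. */
    const struct account cases[] = {
        /* S/Key user whose OTP pam_unix.so rejects: the reported bug */
        { "skey-entry",   0,         1,  1 },
        /* ordinary Unix-password user accepted by pam_unix.so */
        { "unix-hash",    0,         0,  0 },
        /* null password, PAM gives no verdict: must still be refused */
        { "",             0,        -1,  1 },
        /* expired account with a valid OTP: fallback must still refuse */
        { "skey-entry",   now - 1,   1,  1 },
        /* wrong password everywhere */
        { "unix-hash",    0,         1,  0 },
    };
    size_t i;

    printf("%-4s %-8s %-7s %-8s %-8s\n",
           "case", "pam", "skey", "original", "fallback");
    for (i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        printf("%-4zu %-8d %-7d %-8s %-8s\n", i + 1,
               cases[i].pam_rval, cases[i].skey_ok,
               pass_original(&cases[i], now) ? "accept" : "reject",
               pass_with_fallback(&cases[i], now) ? "accept" : "reject");
    }
    return 0;
}
```

Compile with `cc -o passmodel passmodel.c` and run it: the first scenario is the one reported in the mail, accepted only by the fallback variant. The fallback keeps the null-password and expiry test on the local path, which matters because the quoted code skips that test whenever PAM returns a verdict, and a fallback that also skipped it would let an empty or expired password through on the S/Key path.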


To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-current" in the body of the message
