https://bugzilla.mindrot.org/show_bug.cgi?id=2475
Paul Kapp <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[email protected]

--- Comment #4 from Paul Kapp <[email protected]> ---
Adding to this bug, since it seems related (PAM set_cred error seems to match). Likely another set of steps to reproduce.

Observed on various platforms with various OpenSSH versions, with server configured with PasswordAuthentication=yes, UsePAM=yes, ChallengeResponseAuthentication=yes.

When the client fails password authentication, and progresses to keyboard-interactive (ChallengeResponse), there seems to be some tainted state in the PAM module that causes the server to abruptly drop the transport connection very soon after acknowledging the (successful) authentication.

With server configuration options as above (allowing PasswordAuthentication and keyboard-interactive), run "ssh localhost -o NumberOfPasswordPrompts=1 -o PreferredAuthentications=password,keyboard-interactive -v" to reproduce. An empty password on the first (password) attempt will not result in reproducing the error, but any non-blank incorrect password that causes the followup keyboard-interactive attempt (using correct password) triggers the failure:

---
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: password
paul@localhost's password:
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
Password:
debug1: Authentication succeeded (keyboard-interactive).
Authenticated to localhost ([::1]:22).
debug1: channel 0: new [client-session]
debug1: Requesting [email protected]
debug1: Entering interactive session.
debug1: pledge: network
packet_write_wait: Connection to ::1 port 22: Broken pipe
---

Also note, reversing the client preferred order (failing the keyboard-interactive attempt, then entering the correct password on the password authentication attempt) does not result in abrupt disconnect. The scenario seems to strictly be a password failure followed by keyboard-interactive success.
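A triage helper for the sequence reported in the comment above, as an added example that is not part of the original bug comment or of OpenSSH: it reads saved `ssh -v` client output and reports whether a failed password attempt was followed by a keyboard-interactive success and then a "Broken pipe". The function name `summarize` and the sample log are constructed for illustration.

```python
import re

# Constructed sample, modelled on the client debug output quoted in the comment.
SAMPLE = """\
debug1: Next authentication method: password
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug1: Authentication succeeded (keyboard-interactive).
debug1: Entering interactive session.
packet_write_wait: Connection to ::1 port 22: Broken pipe
"""

NEXT = re.compile(r"^debug1: Next authentication method: (\S+)")
SUCCESS = re.compile(r"^debug1: Authentication succeeded \(([^)]+)\)")
DROP = re.compile(r"Broken pipe")


def summarize(log):
    """Return the auth methods that failed, the one that succeeded, and
    whether the transport dropped after the success (hypothetical helper)."""
    tried, succeeded, dropped = [], None, False
    for raw in log.splitlines():
        line = raw.strip()
        m = NEXT.match(line)
        if m and succeeded is None:
            tried.append(m.group(1))
            continue
        m = SUCCESS.match(line)
        if m:
            succeeded = m.group(1)
        elif succeeded is not None and DROP.search(line):
            dropped = True
    # Every method tried before the successful one counts as failed.
    if succeeded is not None and tried and tried[-1] == succeeded:
        failed = tried[:-1]
    else:
        failed = tried
    # The log does not show whether the failed password was empty, which the
    # comment says matters, so a match is a candidate and not a confirmation.
    matches = (succeeded == "keyboard-interactive"
               and "password" in failed and dropped)
    return {"failed": failed, "succeeded": succeeded,
            "dropped": dropped, "matches_report": matches}


if __name__ == "__main__":
    print(summarize(SAMPLE))
```
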
