SSH Server and Hash algorithms

Discussion in 'Server Security' started by Alex Moen, Jun 5, 2012.

  1. Alex Moen
    I have a Centos 6.2 server freshly updated. It is authenticating against an Ldap server, and I am having an issue with the hashing algorithms being used by various utilities and servers.

    First of all:

    authconfig --test | grep hashing
    password hashing algorithm is sha512

    However, when I change a password using the passwd command, I see the following:

    smbldap-usershow alexm@domain.com
    dn: uid=alexm@domain.com,ou=domain,o=ndtc
    uid: alexm@domain.com
    cn: Alex M
    mail: alexm@domain.com
    ...
    userPassword: {crypt}$1$kxH/MHL7$.51e8u0CooCalDaXsHSKD/

    Crypt? OK, well, it's a crypt password even though authconfig says it'll be using sha512... But I can log in using sshd.


    Now, if I change the password using the smbpasswd utility, and rerun the smbldap-usershow command:

    dn: uid=alexm@domain.com,ou=domain,o=ndtc
    uid: alexm@domain.com
    cn: Alex
    mail: alexm@domain.com
    ...
    userPassword: {SSHA}UGRSbhcFL0qLRdj6yWvqRidZPfIiBPYb

    OK, now it's an SSHA (sha512) hash! BUT, I can no longer ssh to the server!

    WTF??? Anyone have any insights into what I am missing here, and more importantly, how I can fix it? I'd obviously rather use SSHA than Crypt...

    TIA!

    Alex
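An added example, not from the thread, that decodes what the two userPassword values above actually are. The `{crypt}$1$...` form is a glibc crypt(3) string whose `$1$` id means MD5-crypt, and `{SSHA}` is OpenLDAP's salted SHA-1: base64(SHA-1(password || salt) || salt), normally with a four-byte salt. Neither is SHA-512; a SHA-512 crypt hash would carry the `$6$` id. The script classifies a userPassword value by its scheme and, for {SSHA}, builds and verifies a hash against a constructed password. The thread's two hashes are only classified, since their passwords are unknown; the `$6$` sample is a constructed placeholder, not a real digest.

```python
"""Classify LDAP userPassword values and check {SSHA} hashes.

Added example, not from the thread.  {crypt} values are glibc crypt(3)
strings whose $id$ prefix names the algorithm; {SSHA} is OpenLDAP's
salted SHA-1: base64(SHA1(password || salt) || salt), salt usually 4 bytes.
"""
import base64
import hashlib
import hmac
import os

# glibc crypt(3) algorithm ids
CRYPT_IDS = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt"}


def identify_scheme(user_password):
    """Return a label for the storage scheme of one userPassword value."""
    if user_password.startswith("{crypt}"):
        body = user_password[len("{crypt}"):]
        if body.startswith("$"):
            crypt_id = body.split("$")[1]
            return "crypt/" + CRYPT_IDS.get(crypt_id, "unknown-" + crypt_id)
        return "crypt/des"            # traditional 13-character DES crypt
    if user_password.startswith("{SSHA}"):
        return "ssha (salted SHA-1)"
    if user_password.startswith("{SHA}"):
        return "sha (unsalted SHA-1)"
    if user_password.startswith("{"):
        return "other:" + user_password[1:user_password.index("}")]
    return "cleartext"


def ssha_salt_length(user_password):
    """Bytes of salt following the 20-byte SHA-1 digest in an {SSHA} value."""
    raw = base64.b64decode(user_password[len("{SSHA}"):])
    return len(raw) - hashlib.sha1().digest_size


def make_ssha(password, salt=None):
    """Produce an {SSHA} value the way slapd's password-hash {SSHA} does."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(password, user_password):
    """Constant-time check of a candidate password against an {SSHA} value."""
    if not user_password.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(user_password[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # The first two values are the ones quoted in the thread; the $6$ one is
    # a constructed placeholder, not a real digest.
    for value in ("{crypt}$1$kxH/MHL7$.51e8u0CooCalDaXsHSKD/",
                  "{SSHA}UGRSbhcFL0qLRdj6yWvqRidZPfIiBPYb",
                  "{crypt}$6$examplesalt$notarealdigest"):
        print(f"{identify_scheme(value):22} {value}")
    sample = make_ssha("correct horse battery", salt=b"\x01\x02\x03\x04")
    print(sample, verify_ssha("correct horse battery", sample))
```

One caveat worth keeping in mind: the "password hashing algorithm is sha512" line from `authconfig --test` describes what pam_unix writes into /etc/shadow for local accounts. It says nothing about the hash stored in LDAP, which is produced either client-side by pam_ldap (its `pam_password` setting) or by the directory server itself.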
  2. Alex Moen
    OK, I found the solution...

    I have found that if I change the pam_password setting in /etc/pam_ldap.conf from md5 to exop, the passwd utility now creates ssha entries; or, rather, the passwd utility tells the LDAP server to create the password entry.

    Unfortunately, I still cannot log in via SSH (pam_unix(sshd:auth): authentication failure; in /var/log/secure).

    Here is what my /etc/pam.d/sshd file looks like:

    auth required pam_sepermit.so
    auth include password-auth
    account required pam_nologin.so
    account include password-auth
    password include password-auth
    # pam_selinux.so close should be the first session rule
    session required pam_selinux.so close
    session required pam_loginuid.so
    # pam_selinux.so open should only be followed by sessions to be executed in the user context
    session required pam_selinux.so open env_params
    session optional pam_keyinit.so force revoke
    session include password-auth

    SSHD is referencing password-auth (which is a link to password-auth-ac) for auth:

    auth required pam_env.so
    auth sufficient pam_unix.so nullok try_first_pass
    auth requisite pam_succeed_if.so uid >= 500 quiet
    auth required pam_deny.so

    account required pam_unix.so
    account sufficient pam_localuser.so
    account sufficient pam_succeed_if.so uid < 500 quiet
    account required pam_permit.so

    password requisite pam_cracklib.so try_first_pass retry=3 type=
    password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
    password required pam_deny.so

    session optional pam_keyinit.so revoke
    session required pam_limits.so
    session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
    session required pam_unix.so

    Nothing about ldap. Nothing. HOWEVER, system-auth-ac DOES have ldap references. In fact, system-auth-ac is exactly the same as password-auth-ac, other than having the ldap entries added. So:

    cp password-auth-ac password-auth-ac.org
    cp system-auth-ac password-auth-ac

    Now I can log in via sshd.

    So, for whatever reason, even though ldap was enabled, it was only partially enabled: for system authentication, but not for "service" authentication.
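An added example, not from the thread, that does mechanically what the post did by reading the files. It follows `include` and `substack` directives for one management group the way libpam does and reports whether pam_ldap.so is ever reached, so a service such as sshd that only includes password-auth shows up as LDAP-blind even when system-auth has LDAP enabled. The pam.d tree is constructed inline: password-auth mirrors the password-auth-ac quoted in the post, while system-auth adds the pam_ldap.so lines authconfig typically writes when LDAP authentication is enabled (an assumed shape, not copied from the post). For context on the first half of the fix, `pam_password exop` makes pam_ldap send the LDAP Password Modify extended operation (RFC 3062) instead of a client-computed hash, which is why the stored value switched to the server's own {SSHA} form.

```python
"""Trace the modules a PAM service really reaches through include/substack."""
import os
import shutil
import tempfile

# Constructed pam.d tree.  password-auth mirrors the password-auth-ac quoted
# in the post; system-auth adds the pam_ldap.so lines authconfig typically
# writes with LDAP auth enabled (assumed shape, not copied from the post).
SAMPLE_PAM_D = {
    "sshd": (
        "auth       required     pam_sepermit.so\n"
        "auth       include      password-auth\n"
        "account    required     pam_nologin.so\n"
        "account    include      password-auth\n"
    ),
    "login": (
        "auth       include      system-auth\n"
        "account    include      system-auth\n"
    ),
    "password-auth": (
        "auth        required      pam_env.so\n"
        "auth        sufficient    pam_unix.so nullok try_first_pass\n"
        "auth        requisite     pam_succeed_if.so uid >= 500 quiet\n"
        "auth        required      pam_deny.so\n"
        "account     required      pam_unix.so\n"
        "account     required      pam_permit.so\n"
    ),
    "system-auth": (
        "auth        required      pam_env.so\n"
        "auth        sufficient    pam_unix.so nullok try_first_pass\n"
        "auth        requisite     pam_succeed_if.so uid >= 500 quiet\n"
        "auth        sufficient    pam_ldap.so use_first_pass\n"
        "auth        required      pam_deny.so\n"
        "account     required      pam_unix.so\n"
        "account     [default=bad success=ok user_unknown=ignore] pam_ldap.so\n"
        "account     required      pam_permit.so\n"
    ),
}


def parse_pam_rules(text):
    """Yield (type, control, module, args); bracketed controls may contain spaces."""
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 3:
            continue
        mtype = parts[0].lstrip("-")          # "-session" marks an optional module
        if parts[1].startswith("["):
            end = next(i for i, p in enumerate(parts) if p.endswith("]"))
            control, rest = " ".join(parts[1:end + 1]), parts[end + 1:]
        else:
            control, rest = parts[1], parts[2:]
        yield mtype, control, rest[0], rest[1:]


def resolve_stack(pam_dir, service, mtype, chain=()):
    """Modules consulted for one management group, in libpam order."""
    if service in chain:                      # refuse include loops
        return []
    with open(os.path.join(pam_dir, service)) as f:
        rules = list(parse_pam_rules(f.read()))
    modules = []
    for rtype, control, module, _args in rules:
        if rtype != mtype:
            continue
        if control in ("include", "substack"):
            modules.extend(resolve_stack(pam_dir, module, mtype, chain + (service,)))
        else:
            modules.append(module)
    return modules


def reaches_ldap(pam_dir, service, mtype="auth"):
    """True if pam_ldap.so is consulted anywhere in the service's stack."""
    return "pam_ldap.so" in resolve_stack(pam_dir, service, mtype)


def services_without_ldap(pam_dir, mtype="auth"):
    """Services whose stack never consults pam_ldap.so: the sshd symptom in the post."""
    return sorted(s for s in os.listdir(pam_dir) if not reaches_ldap(pam_dir, s, mtype))


def build_demo_dir():
    """Write the constructed tree to a temporary directory and return its path."""
    pam_dir = tempfile.mkdtemp(prefix="pam.d-")
    for name, text in SAMPLE_PAM_D.items():
        with open(os.path.join(pam_dir, name), "w") as f:
            f.write(text)
    return pam_dir


def apply_post_fix(pam_dir):
    """The post's remedy: make password-auth identical to system-auth."""
    shutil.copyfile(os.path.join(pam_dir, "system-auth"),
                    os.path.join(pam_dir, "password-auth"))


if __name__ == "__main__":
    d = build_demo_dir()
    print("sshd auth stack:", resolve_stack(d, "sshd", "auth"))
    print("LDAP-blind before fix:", services_without_ldap(d))
    apply_post_fix(d)
    print("LDAP-blind after fix: ", services_without_ldap(d))
```

Point it at a real /etc/pam.d to audit a live box. One caveat on the copy-over remedy: on CentOS 6 both system-auth-ac and password-auth-ac are generated files owned by authconfig, so the hand copy is undone the next time authconfig writes them; re-run the check after any authconfig change.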
