This is weird. If /etc/sshd_config contains:

PermitEmptyPasswords yes

Then ssh to the host fails, sort of. As soon as the ssh command executes, "authentication failure" appears in /var/log/secure

pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=test6f

But ssh doesn't get disconnected straight away. First you get prompted for a password. If you enter the correct password, then you get disconnected. e.g.

$ ssh test6f@localhost
Password:
Write failed: Broken pipe

Aug 14 17:44:38 centos25 sshd[4505]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=test6f
Aug 14 17:44:38 centos25 sshd[4505]: pam_sss(sshd:auth): received for user test6f: 7 (Authentication failure)
Aug 14 17:44:51 centos25 sshd[4508]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=test6f
Aug 14 17:44:51 centos25 sshd[4505]: Accepted keyboard-interactive/pam for test6f from ::1 port 47542 ssh2
Aug 14 17:44:51 centos25 sshd[4505]: fatal: PAM: pam_setcred(): Failure setting user credentials

If you enter a wrong password three times (or no password at all), then the prompt changes, and if you now enter a password, it succeeds.

$ ssh test6f@localhost
Password:
Password:
Password:
test6f@localhost's password:
Last failed login: Fri Aug 14 17:32:00 AEST 2020 from localhost on ssh:notty
There were 3 failed login attempts since the last successful login.
Last login: Fri Aug 14 17:31:11 2020 from localhost

Aug 14 17:47:47 centos25 sshd[4516]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=test6f
Aug 14 17:47:47 centos25 sshd[4516]: pam_sss(sshd:auth): received for user test6f: 7 (Authentication failure)
Aug 14 17:47:48 centos25 sshd[4519]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=test6f
Aug 14 17:47:48 centos25 sshd[4519]: pam_sss(sshd:auth): received for user test6f: 7 (Authentication failure)
Aug 14 17:47:48 centos25 sshd[4516]: error: PAM: Authentication failure for test6f from localhost
Aug 14 17:47:49 centos25 sshd[4521]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=test6f
Aug 14 17:47:49 centos25 sshd[4521]: pam_sss(sshd:auth): received for user test6f: 7 (Authentication failure)
Aug 14 17:47:49 centos25 sshd[4516]: error: PAM: Authentication failure for test6f from localhost
Aug 14 17:47:49 centos25 sshd[4523]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=test6f
Aug 14 17:47:49 centos25 sshd[4523]: pam_sss(sshd:auth): received for user test6f: 7 (Authentication failure)
Aug 14 17:47:49 centos25 sshd[4516]: error: PAM: Authentication failure for test6f from localhost
Aug 14 17:47:49 centos25 sshd[4516]: Failed keyboard-interactive/pam for test6f from ::1 port 47555 ssh2
Aug 14 17:47:52 centos25 sshd[4516]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=test6f
Aug 14 17:47:52 centos25 sshd[4516]: Accepted password for test6f from ::1 port 47555 ssh2
Aug 14 17:47:52 centos25 sshd[4516]: pam_unix(sshd:session): session opened for user test6f by (uid=0)

This behaviour doesn't happen if ipa-client is not installed, or if it is uninstalled.
This behaviour seems to be the same for an IPA user or for a local user.

This behaviour doesn't happen if PermitEmptyPasswords is no, which is the default, and a sensible default, and I don't know why anyone set it to something different, but they did, and this was the resulting behaviour, and I tell you, it took a bit of tracking down to work out what was happening.

Without knowing more about why this happens, or what it would take to change it, I'm not sure that this is a bug, or if it is a bug, if it is a bug that is worth fixing. But I just thought I'd report it and let you decide if you want to do anything with it.

Regards,
Ben
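
The two symptoms in the report can be picked out of /var/log/secure by correlating sshd messages per PID. The following is an added example, not part of the original message or of FreeIPA/SSSD; the function names and symptom labels are assumptions made for illustration, and the second pattern on its own can also be an ordinary mistyped password, so it is only a hint to go and check PermitEmptyPasswords.

```python
import re
from collections import defaultdict

# sshd lines copied from the report above, plus one constructed ordinary
# login (pid 5000, user "alice") as a negative case.
SAMPLE = """\
Aug 14 17:44:51 centos25 sshd[4505]: Accepted keyboard-interactive/pam for test6f from ::1 port 47542 ssh2
Aug 14 17:44:51 centos25 sshd[4505]: fatal: PAM: pam_setcred(): Failure setting user credentials
Aug 14 17:47:49 centos25 sshd[4516]: error: PAM: Authentication failure for test6f from localhost
Aug 14 17:47:49 centos25 sshd[4516]: Failed keyboard-interactive/pam for test6f from ::1 port 47555 ssh2
Aug 14 17:47:52 centos25 sshd[4516]: Accepted password for test6f from ::1 port 47555 ssh2
Aug 14 18:00:00 centos25 sshd[5000]: Accepted password for alice from ::1 port 50000 ssh2
"""

LINE = re.compile(r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
AUTH = re.compile(r"(Accepted|Failed) (\S+) for (?:invalid user )?\S+ from ")
SETCRED = "fatal: PAM: pam_setcred()"

def follows(seq, first, second):
    """True if `second` occurs somewhere after the first `first` in seq."""
    return first in seq and second in seq[seq.index(first) + 1:]

def classify(log_text):
    """Map sshd PID -> symptom label for connections matching the report."""
    per_pid = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        auth = AUTH.match(m["msg"])
        if auth:
            # e.g. "Accepted keyboard-interactive/pam" or "Failed password"
            per_pid[m["pid"]].append(f"{auth[1]} {auth[2]}")
        elif m["msg"].startswith(SETCRED):
            per_pid[m["pid"]].append("setcred-fatal")
    findings = {}
    for pid, seq in per_pid.items():
        if follows(seq, "Accepted keyboard-interactive/pam", "setcred-fatal"):
            findings[pid] = "accepted-then-setcred-fatal"
        elif follows(seq, "Failed keyboard-interactive/pam", "Accepted password"):
            findings[pid] = "kbdint-failed-then-password-accepted"
    return findings

if __name__ == "__main__":
    for pid, symptom in classify(SAMPLE).items():
        print(f"sshd[{pid}]: {symptom}")
```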
