I did some more experimentation, and it looks like the following specific conditions are needed to reproduce the problem we're having:
1. Banner configured in /etc/pam.d/sshd using pam_echo.so, e.g.:

     auth optional pam_echo.so file=/etc/issue.net

2. The following config changes in sshd_config:

     ChallengeResponseAuthentication yes
     PasswordAuthentication no

> On Aug 29, 2017, at 4:17 PM, Cherry, Andrew J. <[email protected]> wrote:
>
> One more note about reproducing this -- I've found that pam_echo.so only
> prints the banner *before* the password prompt if sshd is configured with
> "ChallengeResponseAuthentication yes" (which we happen to have due to our
> CryptoCard token usage).
>
> -Andrew
>
>> On Aug 29, 2017, at 12:52 PM, Cherry, Andrew J. <[email protected]> wrote:
>>
>> I've done some additional testing, prompted by your mention of the banner
>> being configured using the Banner option in sshd_config. It turns out we
>> are *not* using the sshd config option -- instead, we are displaying the
>> banner using the pam_echo module, configured with the following line in
>> /etc/pam.d/sshd:
>>
>> auth optional pam_echo.so file=/etc/issue.net
>>
>> What I've found so far is that the same /etc/issue.net plays nice with x2go
>> when configured via the Banner option, but causes an auth failure when
>> configured using pam_echo.so.
>>
>> I'm going to do some more digging to see if I can figure out what the
>> difference is. Oddly, if I cut/paste the output from the OpenSSH client (on
>> Linux) up to and including the Password: prompt, and do a diff between the
>> two, they are byte-for-byte identical.
>>
>> By the way, the reason we use pam_echo.so instead of the Banner option is
>> because we actually have two banners -- /etc/issue/net for the standard
>> security boilerplate which is always displayed, and /etc/issue.alcf which is
>> normally empty but is populated with information during our scheduled
>> maintenance windows when logins are disabled. However, I've confirmed that
>> the problem still occurs even if I configure pam_echo.so to only display
>> /etc/issue.net
>>
>> -Andrew
>>
> _______________________________________________
x2go-dev mailing list
[email protected]
https://lists.x2go.org/listinfo/x2go-dev
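
Added example, not part of the original thread or of the x2go or OpenSSH code: a small check that reads an sshd_config and an /etc/pam.d/sshd and reports whether a server has the combination described above (pam_echo.so in the auth stack, ChallengeResponseAuthentication yes, PasswordAuthentication no). The function names, the sample file contents, the upstream-default table and the UsePAM prerequisite are assumptions added for the example.

```python
import re

# Upstream OpenSSH defaults for unset options (assumption: distro builds may differ).
DEFAULTS = {"challengeresponseauthentication": "yes",
            "passwordauthentication": "yes", "usepam": "no"}

# Constructed sample files modelled on the settings quoted in the thread.
SSHD_CONFIG = """\
UsePAM yes
ChallengeResponseAuthentication yes
PasswordAuthentication no
"""
PAM_SSHD = """\
auth optional pam_echo.so file=/etc/issue.net
"""

def sshd_global_options(text):
    """Global sshd_config options: keywords are case-insensitive, first value wins."""
    opts = {}
    for raw in text.splitlines():
        m = re.match(r"\s*([A-Za-z]\w*)(?:\s*=\s*|\s+)(\S.*?)\s*$", raw)
        if not m:
            continue  # blank line or comment
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            break  # Match blocks only apply to some connections; stop at the first
        opts.setdefault(key, value.lower())
    return {**DEFAULTS, **opts}

def pam_echo_auth_files(text):
    """Files (or inline text) shown by pam_echo.so entries in the PAM auth stack."""
    shown = []
    for raw in text.splitlines():
        tok = raw.split("#", 1)[0].split()
        if len(tok) < 3 or tok[0].lstrip("-") != "auth":
            continue  # not an auth-stack entry
        for i, t in enumerate(tok):
            if t.rsplit("/", 1)[-1] == "pam_echo.so":
                files = [a[5:] for a in tok[i + 1:] if a.startswith("file=")]
                shown.extend(files or ["<inline text>"])
    return shown

def matches_thread_conditions(sshd_text, pam_text):
    """True when the config has the combination reported in the thread."""
    o = sshd_global_options(sshd_text)
    return (bool(pam_echo_auth_files(pam_text))
            and o["usepam"] == "yes"  # PAM modules only run with UsePAM yes
            and o["challengeresponseauthentication"] == "yes"
            and o["passwordauthentication"] == "no")
```

On a real host, pass the contents of /etc/ssh/sshd_config and /etc/pam.d/sshd instead of the constructed samples; Include directives and Match-block overrides are not followed.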
