X2Go Bug report logs - #966
x2goclient SSH fails with keyboard-interactive + banner

version graph

Package: x2goclient; Maintainer for x2goclient is X2Go Developers <x2go-dev@lists.x2go.org>; Source for x2goclient is src:x2goclient.

Reported by: Andrew Cherry <acherry@alcf.anl.gov>

Date: Fri, 20 Nov 2015 17:05:02 UTC

Severity: normal

Tags: pending

Found in version 4.0.5.1

Fixed in version 4.1.1.0

Done: X2Go Release Manager X2Go Release Manager <git-admin@x2go.org>

Bug is archived. No further changes may be made.

Full log

🔗 View this message in rfc822 format

X-Loop: owner@bugs.x2go.org
Subject: Bug#966: Banner issue update
Reply-To: "Cherry, Andrew J." <acherry@alcf.anl.gov>, 966@bugs.x2go.org
Resent-From: "Cherry, Andrew J." <acherry@alcf.anl.gov>
Resent-To: x2go-dev@lists.x2go.org
Resent-CC: X2Go Developers <x2go-dev@lists.x2go.org>
X-Loop: owner@bugs.x2go.org
Resent-Date: Wed, 30 Aug 2017 02:15:02 +0000
Resent-Message-ID: <handler.966.B966.150405904724660@bugs.x2go.org>
Resent-Sender: owner@bugs.x2go.org
X-X2Go-PR-Message: followup 966
X-X2Go-PR-Package: x2goclient
X-X2Go-PR-Keywords: 
Received: via spool by 966-submit@bugs.x2go.org id=B966.150405904724660
          (code B ref 966); Wed, 30 Aug 2017 02:15:02 +0000
Received: (at 966) by bugs.x2go.org; 30 Aug 2017 02:10:47 +0000
X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on
	ymir.das-netzwerkteam.de
X-Spam-Level: 
X-Spam-Status: No, score=-4.2 required=3.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,RCVD_IN_DNSWL_MED,URIBL_BLOCKED autolearn=ham autolearn_force=no
	version=3.4.1
Received: from localhost (localhost [127.0.0.1])
	by ymir.das-netzwerkteam.de (Postfix) with ESMTP id 0BDC45DACF
	for <966@bugs.x2go.org>; Wed, 30 Aug 2017 04:10:40 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at ymir.das-netzwerkteam.de
Received: from ymir.das-netzwerkteam.de ([127.0.0.1])
	by localhost (ymir.das-netzwerkteam.de [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id SqTa2CRJt039 for <966@bugs.x2go.org>;
	Wed, 30 Aug 2017 04:10:31 +0200 (CEST)
Received: from mailrelay.anl.gov (mailrelay.anl.gov [130.202.101.22])
	by ymir.das-netzwerkteam.de (Postfix) with ESMTPS id DE32C5DA8C
	for <966@bugs.x2go.org>; Wed, 30 Aug 2017 04:10:29 +0200 (CEST)
Received: from mailgateway.anl.gov (mailgateway.anl.gov [130.202.101.28])
	(using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by mailrelay.anl.gov (Postfix) with ESMTPS id 169B720002A
	for <966@bugs.x2go.org>; Tue, 29 Aug 2017 21:10:27 -0500 (CDT)
X-IronPort-AV: E=Sophos;i="5.41,446,1498539600"; 
   d="scan'208";a="164315322"
Received: from hybrid-george.anl.gov (HELO GEORGE.anl.gov) ([146.137.81.15])
  by mailgateway.anl.gov with ESMTP/TLS/DHE-RSA-AES256-SHA; 29 Aug 2017 21:10:27 -0500
Received: from gcc01-CY1-obe.outbound.protection.outlook.com (23.103.198.19)
 by hybridexchange.anl.gov (146.137.81.15) with Microsoft SMTP Server (TLS) id
 14.3.319.2; Tue, 29 Aug 2017 21:10:27 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=ArgonneDOE.onmicrosoft.com; s=selector1-alcf-anl-gov;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version;
 bh=sCJ3ayTGMIf6Gy4eJZvus1zKJdZY3fWXYgaSFFSnSA8=;
 b=Fp5AmgJxheWIjx4BRcGNXvOB+J7QLowSW/Z+OJcqTF+AIntM5Om/IaeV/NoYoFdgS8Q4oQ1PEL5dAJcyYxRihr4GBX2+Y45e77ohUhM7kjqaB7L7j3EhREZnDo45GpSyjMWKPtFIy6ICzbIeKeCW/YNZrrI+5ps/9GiJWcuhNIM=
Received: from BN3PR09MB0401.namprd09.prod.outlook.com (10.160.115.21) by
 BN3PR09MB0401.namprd09.prod.outlook.com (10.160.115.21) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id
 15.20.13.10; Wed, 30 Aug 2017 02:10:25 +0000
Received: from BN3PR09MB0401.namprd09.prod.outlook.com ([10.160.115.21]) by
 BN3PR09MB0401.namprd09.prod.outlook.com ([10.160.115.21]) with mapi id
 15.20.0013.011; Wed, 30 Aug 2017 02:10:24 +0000
From: "Cherry, Andrew J." <acherry@alcf.anl.gov>
To: "966@bugs.x2go.org" <966@bugs.x2go.org>
CC: "Cherry, Andrew J." <acherry@alcf.anl.gov>
Thread-Topic: Banner issue update
Thread-Index: AQHTIOcnC+zZDSSdW0K4gis9YcoQCaKbxfwAgABie4A=
Date: Wed, 30 Aug 2017 02:10:24 +0000
Message-ID: <81B6606D-C01B-4835-84F4-3736504FA62D@anl.gov>
References: <F6769B3D-89EA-4E1B-831A-84EBBB985A96@anl.gov>
 <387FE67D-CA29-41C0-90FE-2CE278CF232B@anl.gov>
In-Reply-To: <387FE67D-CA29-41C0-90FE-2CE278CF232B@anl.gov>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is )
 smtp.mailfrom=acherry@alcf.anl.gov; 
x-originating-ip: [69.141.60.239]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1;BN3PR09MB0401;20:vfLCLew9W6Ai3zHYbggpiJs04EbAUZpr7aYMdv60t2ZpIwQnVnoGiEbrNYrTcJguEsr4awlf68+2a1PQKtxiDsLmyCbYD1KMpMx8A5IAYusetA76y1xtxz44SSMdf1YkaVc7pohQk0JUqcZpl79bXzLsUKu9OaJhLR4YMpOHxbQ=
x-ms-exchange-antispam-srfa-diagnostics: SSOS;SSOR;
x-forefront-antispam-report: SFV:SKI;SCL:-1;SFV:NSPM;SFS:(10009020)(6009001)(199003)(377454003)(189002)(24454002)(551544002)(81166006)(81156014)(8676002)(14454004)(97736004)(7116003)(2900100001)(3480700004)(5660300001)(8936002)(50986999)(83716003)(54356999)(76176999)(86362001)(68736007)(101416001)(189998001)(53546010)(2501003)(6116002)(3846002)(102836003)(36756003)(9686003)(478600001)(99286003)(15650500001)(2906002)(66066001)(3660700001)(53936002)(3280700002)(110136004)(6246003)(2950100002)(42882006)(6916009)(5640700003)(4326008)(6512007)(6506006)(6486002)(77096006)(6436002)(305945005)(7736002)(82746002)(33656002)(106356001)(2351001)(105586002)(25786009)(229853002);DIR:OUT;SFP:1101;SCL:1;SRVR:BN3PR09MB0401;H:BN3PR09MB0401.namprd09.prod.outlook.com;FPR:;SPF:None;PTR:InfoNoRecords;A:1;MX:1;LANG:en;
x-ms-office365-filtering-correlation-id: e7417770-c5ee-4d60-e9fb-08d4ef4c4676
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:(300000500095)(300135000095)(300000501095)(300135300095)(22001)(300000502095)(300135100095)(2017030254152)(300000503095)(300135400095)(2017052603199)(201703131423075)(201703031133081)(201702281549075)(300000504095)(300135200095)(300000505095)(300135600095)(300000506095)(300135500095);SRVR:BN3PR09MB0401;
x-ms-traffictypediagnostic: BN3PR09MB0401:
x-exchange-antispam-report-test: UriScan:(192374486261705);
x-microsoft-antispam-prvs: <BN3PR09MB04013DD43104812DC7605CB8999C0@BN3PR09MB0401.namprd09.prod.outlook.com>
x-exchange-antispam-report-cfa-test: BCL:0;PCL:0;RULEID:(100000700101)(100105000095)(100000701101)(100105300095)(100000702101)(100105100095)(6040450)(601004)(2401047)(8121501046)(5005006)(3002001)(10201501046)(93006095)(93001095)(100000703101)(100105400095)(6041248)(20161123558100)(20161123564025)(20161123560025)(20161123562025)(20161123555025)(201703131423075)(201702281528075)(201703061421075)(201703061406153)(6072148)(201708071742011)(100000704101)(100105200095)(100000705101)(100105500095);SRVR:BN3PR09MB0401;BCL:0;PCL:0;RULEID:(100000800101)(100110000095)(100000801101)(100110300095)(100000802101)(100110100095)(100000803101)(100110400095)(100000804101)(100110200095)(100000805101)(100110500095);SRVR:BN3PR09MB0401;
x-forefront-prvs: 041517DFAB
received-spf: None (protection.outlook.com: alcf.anl.gov does not designate
 permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="us-ascii"
Content-ID: <B2BAED2670077B4C9CE5B289379007EC@namprd09.prod.outlook.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-originalarrivaltime: 30 Aug 2017 02:10:24.2646
 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 0cfca185-25f7-49e3-8ae7-704d5326e285
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN3PR09MB0401
X-OriginatorOrg: alcf.anl.gov

I did some more experimentation, and it looks like the following specific conditions are needed to reproduce the problem we're having:

1. Banner configured in /etc/pam.d/sshd using pam_echo.so, e.g.:

   auth optional pam_echo.so file=/etc/issue.net

2. The following config changes in sshd_config:

   ChallengeResponseAuthentication yes
   PasswordAuthentication no

> On Aug 29, 2017, at 4:17 PM, Cherry, Andrew J. <acherry@alcf.anl.gov> wrote:
> 
> One more note about reproducing this -- I've found that pam_echo.so only prints the banner *before* the password prompt if sshd is configured with "ChallengeResponseAuthentication yes" (which we happen to have due to our CryptoCard token usage).
> 
> -Andrew
> 
>> On Aug 29, 2017, at 12:52 PM, Cherry, Andrew J. <acherry@alcf.anl.gov> wrote:
>> 
>> I've done some additional testing, prompted by your mention of the banner being configured using the Banner option in sshd_config.  It turns out we are *not* using the sshd config option -- instead, we are displaying the banner using the pam_echo module, configured with the following line in /etc/pam.d/sshd:
>> 
>> auth        optional    pam_echo.so file=/etc/issue.net
>> 
>> What I've found so far is that the same /etc/issue.net plays nice with x2go when configured via the Banner option, but causes an auth failure when configured using pam_echo.so.
>> 
>> I'm going to do some more digging to see if I can figure out what the difference is.  Oddly, if I cut/paste the output from the OpenSSH client (on Linux) up to and including the Password: prompt, and do a diff between the two, they are byte-for-byte identical.
>> 
>> By the way, the reason we use pam_echo.so instead of the Banner option is because we actually have two banners -- /etc/issue/net for the standard security boilerplate which is always displayed, and /etc/issue.alcf which is normally empty but is populated with information during our scheduled maintenance windows when logins are disabled.  However, I've confirmed that the problem still occurs even if I configure pam_echo.so to only display /etc/issue.net
>> 
>> -Andrew
>> 
>

Send a report that this bug log contains spam.

X2Go Developers <owner@bugs.x2go.org>. Last modified: Sat Nov 23 13:41:12 2024; Machine Name: ymir.das-netzwerkteam.de

X2Go Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.