Subject: Bug#966: Banner issue update
From: "Cherry, Andrew J."
To: "966@bugs.x2go.org" <966@bugs.x2go.org>
Date: Wed, 30 Aug 2017 02:10:24 +0000
X-X2Go-PR-Package: x2goclient

I did some more experimentation, and it looks like the following specific conditions are needed to reproduce the problem we're having:

1. Banner configured in /etc/pam.d/sshd using pam_echo.so, e.g.:

    auth optional pam_echo.so file=/etc/issue.net

2. The following config changes in sshd_config:

    ChallengeResponseAuthentication yes
    PasswordAuthentication no

> On Aug 29, 2017, at 4:17 PM, Cherry, Andrew J. wrote:
>
> One more note about reproducing this -- I've found that pam_echo.so only prints the banner *before* the password prompt if sshd is configured with "ChallengeResponseAuthentication yes" (which we happen to have due to our CryptoCard token usage).
>
> -Andrew
>
>> On Aug 29, 2017, at 12:52 PM, Cherry, Andrew J. wrote:
>>
>> I've done some additional testing, prompted by your mention of the banner being configured using the Banner option in sshd_config. It turns out we are *not* using the sshd config option -- instead, we are displaying the banner using the pam_echo module, configured with the following line in /etc/pam.d/sshd:
>>
>> auth optional pam_echo.so file=/etc/issue.net
>>
>> What I've found so far is that the same /etc/issue.net plays nice with x2go when configured via the Banner option, but causes an auth failure when configured using pam_echo.so.
>>
>> I'm going to do some more digging to see if I can figure out what the difference is. Oddly, if I cut/paste the output from the OpenSSH client (on Linux) up to and including the Password: prompt, and do a diff between the two, they are byte-for-byte identical.
>>
>> By the way, the reason we use pam_echo.so instead of the Banner option is because we actually have two banners -- /etc/issue/net for the standard security boilerplate which is always displayed, and /etc/issue.alcf which is normally empty but is populated with information during our scheduled maintenance windows when logins are disabled. However, I've confirmed that the problem still occurs even if I configure pam_echo.so to only display /etc/issue.net
>>
>> -Andrew
>>
>
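
The three reproducing conditions listed at the top of this message can be checked on a server with a short script. This is an added example, not part of the original report or of X2Go; the function names and the sample files are constructed, and only explicitly set global options are counted (`sshd -T` gives the effective values including defaults and Match blocks).

```shell
#!/bin/sh
# Added example (not from the original report). Sample files below are constructed.

# First explicit value of any keyword in comma-list $2 from sshd_config file $1.
# sshd keeps the first value it obtains for a keyword; keywords are
# case-insensitive. Parsing stops at the first Match block (global scope only).
sshd_first_value() {
    awk -v keys="$2" '
        BEGIN { n = split(tolower(keys), want, ",") }
        $1 ~ /^#/ { next }
        tolower($1) == "match" { exit }
        { for (i = 1; i <= n; i++)
              if (tolower($1) == want[i]) { print tolower($2); exit } }
    ' "$1"
}

# Print the file= argument of every pam_echo.so entry in the auth stack of $1.
pam_echo_auth_files() {
    awk '
        $1 ~ /^#/ { next }
        $1 == "auth" || $1 == "-auth" {
            seen = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "pam_echo.so" || $i ~ /\/pam_echo\.so$/) seen = 1
                else if (seen && $i ~ /^file=/) print substr($i, 6)
            }
        }
    ' "$1"
}

# Return 0 when all three reported conditions are explicitly configured.
banner_repro_check() {   # $1 = sshd_config path, $2 = PAM service file path
    # KbdInteractiveAuthentication is the current OpenSSH name for the same option.
    cr=$(sshd_first_value "$1" "challengeresponseauthentication,kbdinteractiveauthentication")
    pw=$(sshd_first_value "$1" "passwordauthentication")
    files=$(pam_echo_auth_files "$2")
    if [ "$cr" = "yes" ] && [ "$pw" = "no" ] && [ -n "$files" ]; then
        echo "match: pam_echo banner file(s): $files"
        return 0
    fi
    echo "no match: challenge-response=${cr:-unset} password=${pw:-unset}"
    return 1
}

# Demo on constructed files; on a real host pass e.g. /etc/ssh/sshd_config and /etc/pam.d/sshd.
demo=$(mktemp -d)
printf '%s\n' 'ChallengeResponseAuthentication yes' 'PasswordAuthentication no' > "$demo/sshd_config"
printf '%s\n' 'auth optional pam_echo.so file=/etc/issue.net' > "$demo/sshd.pam"
banner_repro_check "$demo/sshd_config" "$demo/sshd.pam"
rm -rf "$demo"
```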