X2Go Bug report logs - #966
x2goclient SSH fails with keyboard-interactive + banner


Package: x2goclient; Maintainer for x2goclient is X2Go Developers <x2go-dev@lists.x2go.org>; Source for x2goclient is src:x2goclient.

Reported by: Andrew Cherry <acherry@alcf.anl.gov>

Date: Fri, 20 Nov 2015 17:05:02 UTC

Severity: normal

Tags: pending

Found in version 4.0.5.1

Fixed in version 4.1.1.0

Done: X2Go Release Manager <git-admin@x2go.org>

Bug is archived. No further changes may be made.



Message #30 received at 966@bugs.x2go.org:

Subject: Re: [X2Go-Dev] Banner issue update
To: "Cherry, Andrew J." <acherry@alcf.anl.gov>, 966@bugs.x2go.org
References: <F6769B3D-89EA-4E1B-831A-84EBBB985A96@anl.gov>
 <387FE67D-CA29-41C0-90FE-2CE278CF232B@anl.gov>
 <81B6606D-C01B-4835-84F4-3736504FA62D@anl.gov>
From: Mihai Moldovan <ionic@ionic.de>
Message-ID: <4c4f7729-0dfc-dbd3-753d-3dc45264c446@ionic.de>
Date: Fri, 1 Sep 2017 08:13:38 +0200
In-Reply-To: <81B6606D-C01B-4835-84F4-3736504FA62D@anl.gov>
On 08/30/2017 04:10 AM, Cherry, Andrew J. wrote:
> I did some more experimentation, and it looks like the following specific
> conditions are needed to reproduce the problem we're having:
> 
> 1. Banner configured in /etc/pam.d/sshd using pam_echo.so, e.g.:
> 
> auth optional pam_echo.so file=/etc/issue.net
> 
> 2. The following config changes in sshd_config:
> 
> ChallengeResponseAuthentication yes
> PasswordAuthentication no

This sort of makes sense.

If challenge response auth is turned on and normal password authentication is
turned off, X2Go Client expects a certain challenge response string to come up.
If none of the built-in strings match, authentication is marked as failed, since
it cannot proceed with password authentication (i.e., the keyboard-interactive
method.)

The patch you initially provided merely ignores whatever data comes first and
then matches on the password prompt.


Am I correct that in any case challenge auth is being used?


The problem certainly is that pam_echo.so outputs data before the prompt.

I'm reluctant to apply your patch, since I'm not sure that this is actually good
practice. Allowing arbitrary data before the password prompt doesn't make a lot
of sense to me, although I could probably do that.

We have a set of hardcoded prompts that are recognized as challenge auth
prompts, namely these listed here:
https://code.x2go.org/gitweb?p=x2goclient.git;a=blob;f=src/sshmasterconnection.cpp;h=0556299002e6402e332efe478d8ec7f83ab0ac57;hb=HEAD#l59


The requirement is that challenge auth prompts either contain *challenge* or
that they *start* with the known prompts.

Maybe it would make sense to check each consecutive *line* explicitly?

Would that make sense to you? I guess that would fix your problem.



Mihai
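
Added example, not x2goclient code and not part of the original message: a sketch of the line-wise check proposed above, next to the whole-text rule it would replace. The prompt list is a constructed placeholder (the real one is in the linked sshmasterconnection.cpp), and case-insensitive comparison and the function names are assumptions.

```cpp
#include <algorithm>
#include <cctype>
#include <sstream>
#include <string>
#include <vector>

// Placeholder prompt prefixes, constructed for this example; the client's
// real list lives in src/sshmasterconnection.cpp and is not reproduced here.
static const std::vector<std::string> kKnownPrompts = {"password:", "verification code:"};

static std::string lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// Rule stated in the message: the text contains "challenge" or starts with
// a known prompt. Case-insensitive comparison is an assumption.
bool matches_prompt(const std::string &text) {
    const std::string t = lower(text);
    if (t.find("challenge") != std::string::npos) return true;
    for (const std::string &p : kKnownPrompts)
        if (t.compare(0, p.size(), p) == 0) return true;
    return false;
}

// Line-wise variant: apply the same rule to each consecutive line, so a
// pam_echo banner printed ahead of the prompt no longer hides it, while
// text with no recognizable prompt line is still rejected.
bool any_line_matches_prompt(const std::string &text) {
    std::istringstream in(text);
    std::string line;
    while (std::getline(in, line)) {
        // Trim leading whitespace and a trailing CR before matching.
        line.erase(0, line.find_first_not_of(" \t"));
        if (!line.empty() && line.back() == '\r') line.pop_back();
        if (matches_prompt(line)) return true;
    }
    return false;
}

int main() {
    // Constructed sample: banner from /etc/issue.net followed by the prompt.
    const std::string sample = "Authorized use only\nPassword: ";
    return (!matches_prompt(sample) && any_line_matches_prompt(sample)) ? 0 : 1;
}
```

Because the banner is server-supplied text, a banner line that itself contains "challenge" or begins with a known prompt would also match under either rule.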



X2Go Developers <owner@bugs.x2go.org>. Last modified: Fri Mar 29 10:59:04 2024; Machine Name: ymir.das-netzwerkteam.de
