Discussion:
Privilege separation user sshd does not exist
Dallas Clement
2007-06-02 18:10:16 UTC
I'm getting this error when I try to start my cross-compiled OpenSSH sshd
daemon for the first time with privilege separation enabled.

I am using OpenSSH_4.6p1.

I believe I have added a 'sshd' user and group correctly. I can login
just fine as that user:

# login
(none) login: sshd
$
$ whoami
$ sshd

I'm trying to start the daemon as follows so that I can see the debug:

# /sbin/sshd -D -d

The error I am getting is:
Privilege separation user sshd does not exist

The contents of my /etc/group file are as follows:

root::0:root
sshd:x:33:

The contents of my /etc/passwd file are as follows:

root::0:0:Root User:/root:/bin/ash
sshd::501:33:sshd user:/var/empty:/bin/false

Can anyone please help me out?

Thanks!
Dallas Clement
2007-06-04 18:33:38 UTC
Hi,
http://www.citi.umich.edu/u/provos/ssh/privsep-faq.html
I would say change this in the config file of ssh daemon
UsePrivilegeSeparation no
Cheers,
Cristian
Sadly, I'm running into other problems when I disable priv sep. If I
From remote host
# ssh -l dallas 172.16.1.34

On the target I see these errors:

debug1: userauth-request for user dallas service ssh-connection method
none
debug1: attempt 0 failures 0
Invalid user dallas from 172.16.1.33
input_userauth_request: invalid user dallas
Failed none for invalid user dallas from 172.16.1.33 port 58128 ssh2

Can OpenSSH function without PAM if I also disable priv sep?

Currently I do not have PAM enabled in my OpenSSH build.

Thanks,
Dallas

p.s. I noticed in a document found on the web the following quote:

"PAM-enabled OpenSSH is known to function with privsep on Linux."

from http://sunfreeware.com/README.privsep
Dallas Clement
2007-06-05 02:21:42 UTC
Post by Dallas Clement
I'm getting this error when I try to start my cross-compiled OpenSSH sshd
daemon for the first time with privilege separation enabled.
[...]
sshd uses getpwnam() to look up the privsep user, so if that doesn't
work (eg if your nsswitch.conf or equivalent is broken) then you can get
that error regardless of what's in /etc/passwd.
You were sure right! I didn't have any /etc/nsswitch.conf defined at
all, neither did I have any /lib/lib_nss* files either...

Once I added those and also added the following line in my /etc/fstab,
the sshd daemon started to recognize the priv sep user.

However, my ssh login attempts from a remote machine are still failing
for some reason. I know that the user is valid and the password is
valid since I can login locally.

Here is my sshd output:

debug1: userauth-request for user dallas service ssh-connection method
none
debug1: attempt 0 failures 0
Failed none for dallas from 172.16.1.33 port 58494 ssh2
debug1: userath-request for user dallas service ssh-conection method
password
debug1: attempt 1 failure 1
Failed password for dallas from 172.16.1.33

Can you think of anything else I might be doing wrong for the password
authentication to fail?

This is how I configured the OpenSSH build:

./configure --sysconfdir=/etc/ssh --with-zlib=/home/dallas/zlib_install
--with-ssl-dir=/home/dallas/openssl_install
--host=i686-unknown-linux-gnu --with-privsep-user=sshd --with-shadow
--with-md5-passwords CC=i686-unknown-linux-gnu-gcc

Should I not be specifying md5 password?

Thanks a ton for the help!
Darren Tucker
2007-06-05 02:38:04 UTC
Dallas Clement wrote:
[...]
Post by Dallas Clement
However, my ssh login attempts from a remote machine are still failing
for some reason. I know that the user is valid and the password is
valid since I can login locally.
debug1: userauth-request for user dallas service ssh-connection method
none
debug1: attempt 0 failures 0
Failed none for dallas from 172.16.1.33 port 58494 ssh2
debug1: userath-request for user dallas service ssh-conection method
password
debug1: attempt 1 failure 1
Failed password for dallas from 172.16.1.33
Can you think of anything else I might be doing wrong for the password
authentication to fail?
Are you using shadow passwords? If so, did configure find getspnam()?
You can add a debug at the bottom of auth-passwd.c:sys_auth_passwd()
before the return to make sure that the encrypted password values are
what you expect.

Also, there might be something earlier in the debug output so take a
close look at it.
Post by Dallas Clement
./configure --sysconfdir=/etc/ssh --with-zlib=/home/dallas/zlib_install
--with-ssl-dir=/home/dallas/openssl_install
--host=i686-unknown-linux-gnu --with-privsep-user=sshd --with-shadow
--with-md5-passwords CC=i686-unknown-linux-gnu-gcc
Should I not be specifying md5 password?
That should be harmless even if you don't use them (it automatically
detects which type is in use since it can vary per account).
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
Dallas Clement
2007-06-05 03:32:07 UTC
[snip]
Post by Darren Tucker
Are you using shadow passwords? If so, did configure find getspnam()?
You can add a debug at the bottom of auth-passwd.c:sys_auth_passwd()
before the return to make sure that the encrypted password values are
what you expect.
Also, there might be something earlier in the debug output so take a
close look at it.
That helped a bunch. The debug helped me to see that the password was
not matching. Lo and behold I had a shadow file defined with a
hand-entered line for this user, even though shadow passwords were not
being used. I cleared this file and I was able to authenticate the user
just fine.

Now I'm having problems with configuring the pty for this user. Can you
give me any tips here?
Darren Tucker
2007-06-05 03:38:00 UTC
Dallas Clement wrote:
[...]
Post by Dallas Clement
Now I'm having problems with configuring the pty for this user. Can you
give me any tips here?
Make sure you have /dev/pts mounted (if you have devpts configured in
your kernel) or that you have the pty device nodes in /dev/ (if you
don't have devpts in your kernel). It's been a while since I had to do
the latter, but "cd /dev && ./MAKEDEV pty" will probably do it.
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
Dallas Clement
2007-06-05 04:45:57 UTC
Post by Darren Tucker
[...]
Post by Dallas Clement
Now I'm having problems with configuring the pty for this user. Can you
give me any tips here?
Make sure you have /dev/pts mounted (if you have devpts configured in
your kernel) or that you have the pty device nodes in /dev/ (if you
don't have devpts in your kernel). It's been a while since I had to do
the latter, but "cd /dev && ./MAKEDEV pty" will probably do it.
I've got /dev/pts mounted:

# mount
none on /dev/pts type devpts (rw)

I've also got a pty device defined:

# ls -l dev
crw-rw-rw- 1 root root 2, 0 Jun 5 12:24 ptyp0


But I'm still seeing an error in the sshd log:

error: openpty: No such file or directory

I think I'm awfully close, but there's something else not quite right.
Darren Tucker
2007-06-05 04:56:15 UTC
Dallas Clement wrote:
[about missing ptys]
Post by Dallas Clement
# mount
none on /dev/pts type devpts (rw)
# ls -l dev
crw-rw-rw- 1 root root 2, 0 Jun 5 12:24 ptyp0
error: openpty: No such file or directory
You're missing the corresponding pty slave (ttyp0 in this case).

Note that you'll need as many ptys as you have concurrent ssh sessions
(plus other users of ptys).
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
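Added example, not OpenSSH's or Darren's code: a small C check for the master/slave pairing described in the reply above. It assumes BSD-style pty names (ptyXY / ttyXY) as in the listing, and takes the device directory as a parameter so the check can be run against any directory, not only /dev.

```c
/* Added example (not OpenSSH code): on a target with BSD-style pty nodes,
 * openpty() needs both the master (/dev/ptyp0) and its slave (/dev/ttyp0).
 * This derives the slave name for a master and checks that the pair exists,
 * the "openpty: No such file or directory" situation in the thread. */
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

/* Map a BSD master name ("ptyp0") to its slave ("ttyp0"). Returns a pointer
 * to a static buffer, or NULL if the name is not pty[p-za-e][0-9a-f]. */
const char *bsd_pty_slave_name(const char *master)
{
    static char slave[8];
    if (strlen(master) != 5 || strncmp(master, "pty", 3) != 0) return NULL;
    char bank = master[3], idx = master[4];
    if (!((bank >= 'p' && bank <= 'z') || (bank >= 'a' && bank <= 'e'))) return NULL;
    if (!((idx >= '0' && idx <= '9') || (idx >= 'a' && idx <= 'f'))) return NULL;
    snprintf(slave, sizeof slave, "tty%c%c", bank, idx);
    return slave;
}

/* Status of the master/slave pair under `devdir`: 1 = both present as
 * character devices, 0 = slave missing (openpty will fail), -1 = master
 * absent or name malformed. `devdir` is a parameter so the check can be
 * pointed at a test directory rather than /dev. */
int pty_pair_status(const char *devdir, const char *master)
{
    char path[256];
    struct stat st;
    const char *slave = bsd_pty_slave_name(master);
    if (slave == NULL) return -1;
    snprintf(path, sizeof path, "%s/%s", devdir, master);
    if (stat(path, &st) != 0 || !S_ISCHR(st.st_mode)) return -1;
    snprintf(path, sizeof path, "%s/%s", devdir, slave);
    return (stat(path, &st) == 0 && S_ISCHR(st.st_mode)) ? 1 : 0;
}

int main(void)
{
    /* Assumption: BSD-style names; walk the first bank, ptyp0 .. ptypf. */
    for (char idx = '0'; idx <= 'f'; idx = (idx == '9') ? 'a' : idx + 1) {
        char master[8];
        snprintf(master, sizeof master, "ptyp%c", idx);
        int s = pty_pair_status("/dev", master);
        if (s == 0) printf("%s: slave %s missing, openpty() will fail\n",
                           master, bsd_pty_slave_name(master));
    }
    return 0;
}
```

Extending the loop over the other banks gives the count of complete pairs to compare against the number of concurrent sessions the target must support.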
Dallas Clement
2007-06-05 05:06:26 UTC
Post by Darren Tucker
[about missing ptys]
Post by Dallas Clement
# mount
none on /dev/pts type devpts (rw)
# ls -l dev
crw-rw-rw- 1 root root 2, 0 Jun 5 12:24 ptyp0
error: openpty: No such file or directory
You're missing the corresponding pty slave (ttyp0 in this case).
Note that you'll need as many ptys as you have concurrent ssh sessions
(plus other users of ptys).
That was it. Working great now! Thanks so much for all the help!!

Regards,
Dallas
Dallas Clement
2007-06-05 04:35:09 UTC
You might need to look at /etc/nsswitch.conf - it may be that your
machine is configured to ignore /etc/passwd and only accept user names
etc from some other source.
Definitely right... got it working after configuring nsswitch.conf and
making sure all the libns_* libs were there.

Thanks for the help.
Darren Tucker
2007-06-04 21:54:55 UTC
Post by Dallas Clement
I'm getting this error when I try to start my cross-compiled OpenSSH sshd
daemon for the first time with privilege separation enabled.
[...]

sshd uses getpwnam() to look up the privsep user, so if that doesn't
work (eg if your nsswitch.conf or equivalent is broken) then you can get
that error regardless of what's in /etc/passwd.
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
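Darren's point that the lookup goes through getpwnam() rather than the file itself can be checked directly. The following C program is an added example, not OpenSSH code; it assumes the privsep user is named sshd (as in the --with-privsep-user=sshd configure flag quoted earlier in the thread) and uses a constructed passwd sample in place of /etc/passwd.

```c
/* Added example (not OpenSSH code): sshd finds its privsep user via getpwnam(),
 * which goes through NSS. Comparing that with a raw scan of passwd-format text
 * separates "nsswitch.conf / libnss_* broken" from "no such entry". */
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample: the /etc/passwd lines quoted in the thread. */
const char SAMPLE_PASSWD[] =
    "root::0:0:Root User:/root:/bin/ash\n"
    "sshd::501:33:sshd user:/var/empty:/bin/false\n";

/* Numeric field `idx` (2 = uid, 3 = gid) of user `name` in passwd-format
 * `text`, or -1 if no line for that user exists: the raw-file check. */
long passwd_text_field(const char *text, const char *name, int idx)
{
    size_t nlen = strlen(name);
    for (const char *line = text; line && *line; ) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        if (len > nlen && strncmp(line, name, nlen) == 0 && line[nlen] == ':') {
            const char *p = line;
            for (int i = 0; i < idx; i++) {          /* advance to field idx */
                if ((p = memchr(p, ':', len - (size_t)(p - line))) == NULL) return -1;
                p++;
            }
            return strtol(p, NULL, 10);
        }
        line = eol ? eol + 1 : NULL;
    }
    return -1;
}

enum privsep_diag { PRIVSEP_OK, PRIVSEP_MISSING, PRIVSEP_NSS_BROKEN };
enum privsep_diag diagnose(int getpwnam_found, int in_file)
{   /* what sshd sees (NSS) versus what the file literally contains */
    return getpwnam_found ? PRIVSEP_OK : in_file ? PRIVSEP_NSS_BROKEN : PRIVSEP_MISSING;
}

int main(void)
{
    /* Assumption: privsep user is "sshd" (--with-privsep-user=sshd); on a target, pass /etc/passwd contents. */
    enum privsep_diag d = diagnose(getpwnam("sshd") != NULL,
                                   passwd_text_field(SAMPLE_PASSWD, "sshd", 2) >= 0);
    printf("%s\n", d == PRIVSEP_OK ? "ok: getpwnam() found the privsep user"
        : d == PRIVSEP_MISSING ? "user missing from the passwd database"
        : "entry present but getpwnam() failed: check nsswitch.conf and libnss_*");
    return 0;
}
```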