curl-library

Re: make test on opensolairs

From: Yang Tse <yangsita_at_gmail.com>
Date: Sat, 14 Jun 2008 04:42:23 +0200

2008/6/13, Aleksandar Lazic wrote:

> RUN: SFTP server failed verification

As Dan has already indicated, that failure simply implies that the
test harness is not capable of running those tests that need the test
harness scp or sftp servers because proper operation of these servers
cannot be verified. It doesn't mean that there is something bad with
libcurl; it simply means that the test harness is not capable yet of
running those servers when Sun SSH is used.

I don't know how interested you would be in trying to fix this
situation or how much spare time you have.

In any case...

The reason behind the curtain that makes the test harness sftp server
fail verification when Sun SSH is used is certainly related to the
settings used by the test harness to run Sun's sshd when only
publickey authentication is desired _or_ to Sun's PAM settings.

The test harness runs Sun's SSH server with a 'generated'
configuration file and attempts to log into it using Sun's SSH sftp
client tool trying to authenticate using exclusively publickey
authentication. The problem is that something is not good enough and
the server denies login even when it has already accepted and
validated the keys which are being used. It seems that PAM somehow
prevents authentication.

You can see this near the end of the SSH server log you posted...

> === Start of file log/sshd.log
> [...]
> debug1: trying public key file
> /export/home/al/download/curl/curl-7.18.2/tests/curl_client_key.pub
> debug1: matching key found: file
> /export/home/al/download/curl/curl-7.18.2/tests/curl_client_key.pub,
> line 1
> Found matching DSA key:
> 56:86:a3:df:08:8d:3f:18:64:0d:1b:52:6e:25:e8:43
> debug1: restore_uid: (unprivileged)
> debug1: ssh_dss_verify: signature correct

So at this point it has the keys validated and accepted, but now it
uses PAM to further authenticate and that is the end of the story.

> debug2: Starting PAM service sshd-pubkey for method publickey
> debug2: userauth_pubkey: authenticated 0 pkalg ssh-dss
> Failed publickey for al from 127.0.0.1 port 43132 ssh2
> === End of file log/sshd.log

When running OpenSSH instead of Sun's SSH the test harness uses option
UsePam set to 'no' in curl_sshd_config, but SunSSH lacks this
configuration option for sshd_config.

It is not possible to disable PAM support on SunSSH at runtime. It can
be disabled at build time if the SunSSH package is configured/built
with '--disable-pam', but that obviously disables it permanently.

So the question would be: what are we missing that prevents the use of
public key authentication when using PAM-enabled Sun's SSH?

-- 
-=[Yang]=-
Received on 2008-06-14
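
The log reading described in the message above (key matched, signature verified, then rejection after the PAM service starts) can be automated. The following is an added example, not part of the original mail or of the curl test harness; the function name and stage labels are assumptions made for illustration, and the sample log is the excerpt quoted in the message with its wrapped lines joined.

```python
import re

# Excerpt of log/sshd.log as quoted in the message, wrapped lines joined.
PAGE_LOG = """\
debug1: trying public key file /export/home/al/download/curl/curl-7.18.2/tests/curl_client_key.pub
debug1: matching key found: file /export/home/al/download/curl/curl-7.18.2/tests/curl_client_key.pub, line 1
debug1: restore_uid: (unprivileged)
debug1: ssh_dss_verify: signature correct
debug2: Starting PAM service sshd-pubkey for method publickey
debug2: userauth_pubkey: authenticated 0 pkalg ssh-dss
Failed publickey for al from 127.0.0.1 port 43132 ssh2
"""

SIG_OK = re.compile(r"ssh_(?:dss|rsa)_verify: signature correct")
PAM_START = re.compile(r"Starting PAM service (\S+) for method publickey")
VERDICT = re.compile(r"userauth_pubkey: authenticated (\d)")


def classify_pubkey_attempt(log_text):
    """Return (stage, detail) for the last publickey verdict in an sshd debug log."""
    matched = sig_ok = False
    pam_service = None
    result = ("no-verdict", None)
    for line in log_text.splitlines():
        if "trying public key file" in line:
            # A new key lookup starts: reset the per-attempt state.
            matched = sig_ok = False
            pam_service = None
        elif "matching key found" in line:
            matched = True
        elif SIG_OK.search(line):
            sig_ok = True
        elif (m := PAM_START.search(line)):
            pam_service = m.group(1)
        elif (m := VERDICT.search(line)):
            if m.group(1) == "1":
                result = ("accepted", None)
            elif not matched:
                result = ("no-matching-key", None)
            elif not sig_ok:
                result = ("no-signature-verified", None)
            elif pam_service:
                result = ("rejected-after-pam", pam_service)
            else:
                result = ("rejected-after-signature", None)
    return result

print(classify_pubkey_attempt(PAGE_LOG))
```

A `rejected-after-pam` result names the PAM service (`sshd-pubkey` here), which is the place to look in the host's PAM configuration rather than in the key files or the generated sshd config.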