spl23
Raspberry Pi Engineer & Forum Moderator
Posts: 379
Joined: Fri Dec 26, 2014 11:02 am

New SSH security warning mechanism - feedback wanted!

Fri Jan 27, 2017 10:42 am

As part of the attempts to improve security in Raspbian, in the last image we added a couple of scripts which attempted to check whether someone could connect to a Pi via SSH using the default username and password, and to provide a warning on startup if that was the case.

These were a first attempt at solving this problem, and while they worked ok on default installations, there were various problems with them on installations which had been customised; ironically, they caused the most problems on installations which had already been secured properly...

So we’ve revisited the mechanism used for this in an attempt to address the various problems we have seen reported. The main one was that on a Pi on which passwordless sudo had been disabled, an error resulted whenever the check was made. There were also problems on systems where the “pi” user had been deleted, or where passwords had been locked or enciphered differently from expected, and in most cases this resulted in a false positive; a warning that the system was insecure when it wasn’t.

The new approach is based around a PAM (Pluggable Authentication Module) which checks whether passworded SSH is enabled, and if it is, it makes various checks on the “pi” user password. This has various advantages over the previous script-based approach, chiefly that PAMs run with root privileges so they are able to access the password file irrespective of whether a password is required for sudo. It also means that the password can be checked using a simple call to the standard crypt library, which makes the check a lot faster.

The result of the PAM module is just a status as to whether SSH access is possible with the default password; if it is, a file is created in a subdirectory of /var/lib, which is then checked by the scripts that run on CLI and desktop startup to determine whether to show the warning messages.

This has been tested heavily at Pi Towers, and it seems to work in all the cases where problems were reported before; however, I am fully aware that I can’t check the cases I haven’t thought of yet!

So before we make this available, we’re offering the details of what we have planned for review by anyone who is an expert in authentication, PAMs or security.

The code for the new PAM module is as follows:

Code:

#include <stdio.h>
#include <stdlib.h>	/* system () */
#include <string.h>
#include <crypt.h>

#include <security/_pam_macros.h>
#include <security/pam_ext.h>

/* Define which PAM interfaces we provide */
#define PAM_SM_SESSION

/* Include PAM headers */
#include <security/pam_appl.h>
#include <security/pam_modules.h>

/* PAM entry point for session creation */
PAM_EXTERN int pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char **argv)
{
	char buf[1024], *salt, *hash;
	FILE *fp;

	// default is no warning, so delete the flag file
	system ("if [ -e /var/lib/chksshpwd/sshwarn ] ; then /bin/rm /var/lib/chksshpwd/sshwarn ; fi");

	// is SSH enabled? (pgrep exits non-zero when no root-owned sshd is running)
	if ((fp = popen ("/usr/bin/pgrep -cx -u root sshd > /dev/null", "r")) == NULL) return PAM_IGNORE;
	if (pclose (fp)) return PAM_IGNORE;

	// is password authentication for SSH enabled? (grep -q exits 0 when it finds "PasswordAuthentication no")
	if ((fp = popen ("/bin/grep -q '^PasswordAuthentication\\s*no' /etc/ssh/sshd_config", "r")) == NULL) return PAM_IGNORE;
	if (!pclose (fp)) return PAM_IGNORE;

	// get the pi user line from the shadow file (no line means the user was deleted or renamed, so nothing to warn about)
	if ((fp = popen ("/bin/grep ^pi: /etc/shadow", "r")) == NULL) return PAM_IGNORE;
	if (fgets (buf, sizeof (buf) - 1, fp) == NULL)
	{
	    pclose (fp);
	    return PAM_IGNORE;
	}
	if (pclose (fp)) return PAM_IGNORE;

	// check for locked password or password disabled - only a hash field starting with "$"
	// is a usable password; "!" or "*" (passwd -l, usermod -L) or an empty field are not
	if (!strncmp (buf, "pi:$", 4))
	{
		// password file entry as expected - check the password itself
		// the hash field ends at the next colon, and the whole hash doubles as the salt for crypt ()
		salt = buf + 3;
		if (strtok (salt, ":") == NULL) return PAM_IGNORE;

		// there is a properly-formatted entry in the shadow file - check the password
		// (crypt () returns NULL for a hash method it does not support)
		hash = crypt ("raspberry", salt);
		if (hash != NULL && !strcmp (salt, hash))
		{
			// password match - create the flag file
			// NB: the fopen () result is not checked, so this crashes if /var/lib/chksshpwd does not exist
			fp = fopen ("/var/lib/chksshpwd/sshwarn", "wb");
			fclose (fp);
		}
	}

	// the module only records a status; PAM_IGNORE keeps it from ever affecting the session result
	return PAM_IGNORE;
}

/* PAM entry point for session cleanup */
PAM_EXTERN int pam_sm_close_session (pam_handle_t *pamh, int flags, int argc, const char **argv)
{
	return PAM_IGNORE;
}

#ifdef PAM_STATIC

struct pam_module _pam_chksshpwd_modstruct =
{
	"pam_chksshpwd",
	NULL,
	NULL,
	NULL,
	pam_sm_open_session,
	pam_sm_close_session,
	NULL,
};

#endif
This is added as the pam_chksshpwd module to the PAM common-session configuration as follows:

Code:

#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
session	[default=1]			pam_permit.so
# here's the fallback if no module succeeds
session	requisite			pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session	required			pam_permit.so
# and here are more per-package modules (the "Additional" block)
session	required	pam_unix.so 
session	optional	pam_systemd.so 
session	optional	pam_chksshpwd.so 
# end of pam-auth-update config
The scripts that run at startup now just check for the presence of the file /var/lib/chksshpwd/sshwarn - if it exists, a warning message is shown.

So, that's what we are planning to do - as I said, in our testing, it seems to work pretty well. Any (constructive) feedback would be very welcome!

epoch1970
Posts: 4244
Joined: Thu May 05, 2016 9:33 am
Location: Paris, France

Re: New SSH security warning mechanism - feedback wanted!

Fri Jan 27, 2017 9:52 pm

I'm no expert at all, this is a mere comment --disregard if it doesn't make sense.

/var is always (on my machines at least) a big directory. If I were to move stuff to a USB drive, perhaps I would try to relocate /var.
USB drives do disconnect; voluntarily, accidentally or inadvertently.
Would the flag be in a safer place in something like /run/chksshpwd/sshwarn?
"If there is no solution, it is because there is no problem." Les Shadoks, J. Rouxel

ShiftPlusOne
Raspberry Pi Engineer & Forum Moderator
Posts: 6183
Joined: Fri Jul 29, 2011 5:36 pm
Location: The unfashionable end of the western spiral arm of the Galaxy

Re: New SSH security warning mechanism - feedback wanted!

Fri Jan 27, 2017 10:02 pm

I'd recommend sticking to FHS. If you have randomly disconnecting /var, you'll have much bigger problems than this mechanism not working.
Actually, /run also looks valid.

spl23
Raspberry Pi Engineer & Forum Moderator
Posts: 379
Joined: Fri Dec 26, 2014 11:02 am

Re: New SSH security warning mechanism - feedback wanted!

Wed Feb 01, 2017 7:41 pm

Bump...

Anyone? Anyone? (Bueller? Bueller?)

DougieLawson
Posts: 37095
Joined: Sun Jun 16, 2013 11:19 pm
Location: Basingstoke, UK

Re: New SSH security warning mechanism - feedback wanted!

Wed Feb 01, 2017 9:22 pm

I'm planning to look at this when I can find time.

I've got 11 Raspberries where sudo requires the root password. I've got three (brand new ones) where pi still has passwordless sudo ['cos I've not fixed it].
Note: Having anything humorous in your signature is completely banned on this forum. Wear a tin-foil hat and you'll get a ban.

Any DMs sent on Twitter will be answered next month.

This is a doctor free zone.

dasmanul
Posts: 502
Joined: Wed Sep 30, 2015 10:20 am
Location: Frankfurt, Germany

Re: New SSH security warning mechanism - feedback wanted!

Fri Feb 03, 2017 2:04 pm

Somehow I managed to overlook this thread until yesterday.

I'm by no means an "expert in authentication, PAMs or security", but being one of the people who initially voiced concern with the previous approach, I'll give this a look-over. At first glance, it definitely looks like a vast improvement, thanks for taking the time to address this!

One thing that immediately strikes me as odd is that you handle most things by system() or popen() calls to external binaries instead of calling the relevant library functions directly. Is there a particular reason for that? I'm not sure it's much of a disadvantage security-wise, but it just might be a bit more prone to external tinkering.

DougieLawson
Posts: 37095
Joined: Sun Jun 16, 2013 11:19 pm
Location: Basingstoke, UK

Re: New SSH security warning mechanism - feedback wanted!

Fri Feb 03, 2017 3:37 pm

Your code gets a segfault if /var/lib/chksshpwd doesn't exist. So you may want to test existence and create that directory.

spl23
Raspberry Pi Engineer & Forum Moderator
Posts: 379
Joined: Fri Dec 26, 2014 11:02 am

Re: New SSH security warning mechanism - feedback wanted!

Fri Feb 03, 2017 5:12 pm

dasmanul wrote:Somehow I managed to overlook this thread until yesterday.

I'm by no means an "expert in authentication, PAMs or security", but being one of the people who initially voiced concern with the previous approach, I'll give this a look-over. At first glance, it definitely looks like a vast improvement, thanks for taking the time to address this!

One thing that immediately strikes me as odd is that you handle most things by system() or popen() calls to external binaries instead of calling the relevant library functions directly. Is there a particular reason for that? I'm not sure it's much of a disadvantage security-wise, but it just might be a bit more prone to external tinkering.
Thank you for the feedback!

I'm not aware of any C library functions which I can use to do a grep on a file; the only way I am aware of to do those is to load the file with a file pointer and either parse it manually or use the regex library on it - either way, it's going to be a lot more code written with the attendant risk of introducing bugs. (If there is an easy way of doing a grep natively from within C that I'm missing, do please let me know!)

A system call to GNU grep is much easier to write, and while it will have a small performance overhead compared to native code, this routine still runs in well under a second in the worst case.

I don't think the use of system calls introduces a significant security risk - this code doesn't do any actual authentication; all it does is to generate a warning message. I guess someone could hack grep to cause it to fail when it should pass, which would then mean the warning wasn't generated, but that's not the end of the world.

spl23
Raspberry Pi Engineer & Forum Moderator
Posts: 379
Joined: Fri Dec 26, 2014 11:02 am

Re: New SSH security warning mechanism - feedback wanted!

Fri Feb 03, 2017 5:13 pm

DougieLawson wrote:Your code gets a segfault if /var/lib/chksshpwd doesn't exist. So you may want to test existence and create that directory.
Ah - thought I'd remembered to check for that, but I clearly haven't! I'll fix that - thanks.

dasmanul
Posts: 502
Joined: Wed Sep 30, 2015 10:20 am
Location: Frankfurt, Germany

Re: New SSH security warning mechanism - feedback wanted!

Fri Feb 03, 2017 5:22 pm

Not much time, so just a short remark:
spl23 wrote:I guess someone could hack grep to cause it to fail when it should pass, which would then mean the warning wasn't generated, but that's not the end of the world.
If someone can indeed hack grep, they could probably hack it to do pretty much anything - with root privileges, if it gets called from your script.

spl23
Raspberry Pi Engineer & Forum Moderator
Posts: 379
Joined: Fri Dec 26, 2014 11:02 am

Re: New SSH security warning mechanism - feedback wanted!

Fri Feb 03, 2017 7:06 pm

dasmanul wrote:Not much time, so just a short remark:
spl23 wrote:I guess someone could hack grep to cause it to fail when it should pass, which would then mean the warning wasn't generated, but that's not the end of the world.
If someone can indeed hack grep, they could probably hack it to do pretty much anything - with root privileges, if it gets called from your script.
As above - are you aware of a library call or similar that could replace a system call for a file grep?

To be fair, while someone could indeed replace grep with a hacked version that does bad things, there are other programs that get called from PAM modules that they could do the same thing to. There's a password authentication helper program (unix_chkpwd) called whenever a password is authenticated that isn't part of the module itself - they could do all sorts of harm by replacing that with a hacked version. Come to that, they could trivially replace the module itself, or any other PAM module. You'd need root access to do any of those, including replacing grep.

Oh, and if someone did hack grep, we'd be in trouble anyway, as it is used extensively by raspi-config, which only ever runs with root privileges...

dasmanul
Posts: 502
Joined: Wed Sep 30, 2015 10:20 am
Location: Frankfurt, Germany

Re: New SSH security warning mechanism - feedback wanted!

Sat Feb 04, 2017 9:51 am

No, I'm not aware of a library call that easily replaces grep. I'm also not saying your approach is less secure than using library calls, just that I'm not sure about the implications and that it feels a bit odd to me. I think it's fairly safe to assume that if someone could indeed fiddle with the grep binary, they could fiddle with your pam module just as easily, so my guess is it's no problem.

I would consider replacing the one call to system() that checks for the existence of the file and removes it if it exists by calls to stat and unlink. This would avoid spawning a shell process and also allow for more checks on the file (is it owned by root, is its length actually zero?) via the stat call before removing it. I tend to be a bit paranoid in these things. ;-)

Apart from that, the approach looks fine to me. Although I need to repeat I'm not an expert, so take this cum grano salis.

DougieLawson
Posts: 37095
Joined: Sun Jun 16, 2013 11:19 pm
Location: Basingstoke, UK

Re: New SSH security warning mechanism - feedback wanted!

Sat Feb 04, 2017 12:12 pm

I'm surprised at using shell scripts in a C program, tis ugly in the extreme. Delete files with unlink(), delete directories with rmdir(), check existence with stat(), create directories with mkdir()

https://linux.die.net/man/3/unlink
https://linux.die.net/man/3/rmdir
https://linux.die.net/man/3/stat
https://linux.die.net/man/3/mkdir
dasmanul wrote:No, I'm not aware of a library call that easily replaces grep.
There is a library function for regex
https://linux.die.net/man/3/regexec

pgrep done in C with regexec()

Code:

#include <dirent.h>
#include <fcntl.h>
#include <regex.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

int main(void)
{
    regex_t number, name;
    regmatch_t m[1];
    struct dirent *dp;
    DIR *proc;
    int found = 0;

    /* directory names under /proc made only of digits are PIDs */
    regcomp(&number, "^[0-9]+$", REG_EXTENDED);
    regcomp(&name, "/usr/sbin/sshd.*", REG_EXTENDED);
    if ((proc = opendir("/proc")) == NULL) { perror("/proc"); return 1; }
    while ((dp = readdir(proc)) != NULL)
    {
        char path[64], buf[4096];
        int fd;
        ssize_t n;
        if (regexec(&number, dp->d_name, 1, m, 0) != 0) continue;
        snprintf(path, sizeof path, "/proc/%s/cmdline", dp->d_name);
        /* the process may have exited since readdir(): skip it rather than index buf with -1 */
        if ((fd = open(path, O_RDONLY)) < 0) continue;
        n = read(fd, buf, sizeof buf - 1);
        close(fd);
        if (n <= 0) continue;             /* kernel threads have an empty cmdline */
        buf[n] = '\0';                    /* cmdline is NUL-separated, so buf now holds argv[0] */
        if (regexec(&name, buf, 1, m, 0) == 0)
        {
            printf("process found: %s (pid %s)\n", buf, dp->d_name);
            found++;
        }
    }
    closedir(proc);
    regfree(&number);
    regfree(&name);
    return found ? 0 : 1;                 /* same exit convention as pgrep */
}
Get the pi user's shadow entry

Code:

#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <shadow.h>

int main(void)
{
    struct spwd *sp;
    const char *user = "pi";

    /* getspnam() reads /etc/shadow, so this only works as root (or with group shadow) */
    errno = 0;
    if ((sp = getspnam(user)) != NULL) {
        printf("Valid login name is: %s\n", sp->sp_namp);
        printf("Shadow ent is: %s\n", sp->sp_pwdp);   /* "$6$...", or "!"/"*" prefixed when locked */
    }
    else if (errno == EACCES)
        printf("cannot read the shadow file - run as root\n");
    else
        printf("%s userid not found\n", user);
    endspent();
    return 0;
}

Martin Frezman
Posts: 1020
Joined: Mon Oct 31, 2016 10:05 am

Re: New SSH security warning mechanism - feedback wanted!

Sat Feb 04, 2017 3:13 pm

Dougie, I agree with you. But it is a style question and the regs/mods/implementors/whatevers just don't see it the way we do.
If this post appears in the wrong forums category, my apologies.

spl23
Raspberry Pi Engineer & Forum Moderator
Posts: 379
Joined: Fri Dec 26, 2014 11:02 am

Re: New SSH security warning mechanism - feedback wanted!

Tue Feb 14, 2017 3:00 pm

DougieLawson wrote:I'm surprised at using shell scripts in a C program, tis ugly in the extreme. Delete files with unlink(), delete directories with rmdir(), check existence with stat(), create directories with mkdir()
[...]
There is a library function for regex
https://linux.die.net/man/3/regexec
[...]

Thank you - that's very helpful. I'd not been aware of the functions in shadow.h or pwd.h - now I am aware of them, I'm happy to use them!

kingosticks
Posts: 20
Joined: Mon Jun 24, 2013 9:25 am

Re: New SSH security warning mechanism - feedback wanted!

Fri Mar 17, 2017 7:13 pm

Is the code available on github or similar? Is there any chance of making the password to check for customisable so we can use it on spin-off distributions that have a different default password?

spl23
Raspberry Pi Engineer & Forum Moderator
Posts: 379
Joined: Fri Dec 26, 2014 11:02 am

Re: New SSH security warning mechanism - feedback wanted!

Sat Mar 18, 2017 7:14 pm

kingosticks wrote:Is the code available on github or similar? Is there any chance of making the password to check for customisable so we can use it on spin-off distributions that have a different default password?
It's here - https://github.com/raspberrypi-ui/pam

I'm not proposing to make any further changes to this unless I see a bug report (which I haven't as yet...) but if you want to customise it for use in your own distros, be my guest!

The specific code is in modules/pam_chksshpwd/pam_chksshpwd.c

DougieLawson
Posts: 37095
Joined: Sun Jun 16, 2013 11:19 pm
Location: Basingstoke, UK

Re: New SSH security warning mechanism - feedback wanted!

Sat Mar 18, 2017 10:24 pm

spl23 wrote: It's here - https://github.com/raspberrypi-ui/pam
Whoops! 404'd

spl23
Raspberry Pi Engineer & Forum Moderator
Posts: 379
Joined: Fri Dec 26, 2014 11:02 am

Re: New SSH security warning mechanism - feedback wanted!

Mon Mar 20, 2017 6:36 pm

Sorry - repo was still private. Now fixed.

SeaofThought
Posts: 4
Joined: Fri Jan 20, 2017 3:03 pm

Re: New SSH security warning mechanism - feedback wanted!

Sat Mar 25, 2017 3:05 am

Hi, I did an apt-get upgrade today and I got this message:

Code:

Installing new version of config file /etc/profile.d/sshpwd.sh ...
mkdir: cannot create directory ‘/var/lib/chksshpwd/’: File exists
dpkg: error processing package libpam-chksshpwd:armhf (--configure):
 subprocess installed post-installation script returned error exit status 1
Processing triggers for libc-bin (2.19-18+deb8u7) ...
Errors were encountered while processing:
 libpam-chksshpwd:armhf
E: Sub-process /usr/bin/dpkg returned an error code (1)
Doing sudo apt-get -f install results in:

Code:

Reading package lists... Done
Building dependency tree       
Reading state information... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
1 not fully installed or removed.
After this operation, 0 B of additional disk space will be used.
Setting up libpam-chksshpwd:armhf (1.1.8-3.1+deb8u2+rpi2) ...
mkdir: cannot create directory ‘/var/lib/chksshpwd/’: File exists
dpkg: error processing package libpam-chksshpwd:armhf (--configure):
 subprocess installed post-installation script returned error exit status 1
Errors were encountered while processing:
 libpam-chksshpwd:armhf
E: Sub-process /usr/bin/dpkg returned an error code (1)
I'm not sure if this is relevant but I use passwords and certificates to log in through ssh. Some of the machines are trusted by the use of the ssh-copy-id command.

I hope this may be helpful.

Namtar
Posts: 1
Joined: Sat Mar 25, 2017 11:32 am

Re: New SSH security warning mechanism - feedback wanted!

Sat Mar 25, 2017 11:38 am

SeaofThought wrote:[apt-get -f install output quoted above]
Hi, I had the same issue this morning.

The error is

Code:

mkdir: cannot create directory ‘/var/lib/chksshpwd/’: File exists
So I did this: I deleted the package, deleted the directory (in my case it was empty) and reinstalled the package.

Code:

sudo apt-get remove libpam-chksshpwd
cd /var/lib
sudo rmdir chksshpwd/
sudo apt-get install libpam-chksshpwd
Hope it helps

evangelyul1
Posts: 6
Joined: Sat Mar 25, 2017 12:37 pm
Location: Athens, Greeece

Re: New SSH security warning mechanism - feedback wanted!

Sat Mar 25, 2017 12:43 pm

Had the same problem.
Erased the /var/lib/chksshpwd folder and ran the upgrade again and it worked!
(used sudo and midnight commander (mc) to do it)
HTH
RPi 3 B owner / user

molrob
Posts: 1
Joined: Sat Mar 25, 2017 1:09 pm

Re: New SSH security warning mechanism - feedback wanted!

Sat Mar 25, 2017 1:27 pm

Namtar wrote:[...]
So I did this: I deleted the package, deleted the directory (in my case it was empty) and reinstalled the package.
[...]
And install pprompt also, because that is removed with libpam-chksshpwd!

SteveJ
Posts: 7
Joined: Sun Mar 19, 2017 4:13 pm

Re: New SSH security warning mechanism - feedback wanted!

Sat Mar 25, 2017 3:35 pm

Same issue. Removed empty /var/lib/chksshpwd directory and re-ran upgrade:

Code:

$ sudo rm -rf /var/lib/chksshpwd/
$ sudo apt-get dist-upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
1 not fully installed or removed.
After this operation, 0 B of additional disk space will be used.
Do you want to continue? [Y/n] y
Setting up libpam-chksshpwd:armhf (1.1.8-3.1+deb8u2+rpi2) ...
Like a previous poster, I also use a cert to sign in, set up via ssh-copy-id.

Chrysochlorousian
Posts: 1
Joined: Sat Mar 25, 2017 4:54 pm

Re: New SSH security warning mechanism - feedback wanted!

Sat Mar 25, 2017 4:58 pm

evangelyul1 wrote:Had the same problem.
Erased the /var/lib/chksshpwd folder and ran the upgrade again and it worked!
(used sudo and midnight commander (mc) to do it)
HTH
This fix also worked for me. Thank you!
