LinuxQuestions.org


asimula 03-31-2010 10:43 AM

Openssh + PAM + LDAP fails only with LDAP users
 
I've compiled openssh-5.4p1 on RHEL 4.8 with Openssl 0.9.8m + pam

It works perfectly without PAM (pam-0.77-66), both with password and public key auth.

With PAM enabled and LDAP (openldap-2.4.21, built from scratch) something strange happens:

system users: I can do ssh with both password and public key

LDAP users: public key works for remote users, but I still cannot ssh with just a password.

I'm trying a custom PAM configuration, because the default one (even with authconfig + LDAP ) blocks ssh even with system users.

My pam SSHD configuration is:

#%PAM-1.0

auth required pam_env.so
auth sufficient pam_unix.so likeauth nullok
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so

account sufficient pam_unix.so
account sufficient pam_ldap.so use_first_pass
account required pam_deny.so

password required pam_cracklib.so retry=3 minlen=4 dcredit=0 ucredit=0
password sufficient pam_unix.so nullok use_authtok md5 shadow
password sufficient pam_ldap.so
password required pam_deny.so

session optional pam_mkhomedir.so skel=/etc/skel/ umask=0022
session optional pam_keyinit.so revoke
session required pam_limits.so
session required pam_unix.so
session optional pam_ldap.so

My LDAP users are OK: I can "su - " to remote LDAP users (so nss_ldap is OK), and getent passwd and getent group are also OK.

Any help is welcome

Thanks

Alex

grail 04-01-2010 01:09 AM

Alex

I am a little confused (read - a lot confused really), your title says:

Quote:

Openssh + PAM + LDAP fails only with LDAP users
And then at the end you say:

Quote:

My LDAP users are ok
So which is it? They fail or they work / ok?

Also, you do not seem to indicate what error message(s) you are receiving?

asimula 04-01-2010 08:10 AM

Quote:

Originally Posted by grail (Post 3919965)
Alex

I am a little confused (read - a lot confused really), your title says:

Quote:

Openssh + PAM + LDAP fails only with LDAP users
And then at the end you say:

Quote:

My LDAP users are ok
So which is it? They fail or they work / ok?

Also, you do not seem to indicate what error message(s) you are receiving?

My LDAP users are correctly extracted by nss_ldap using commands like getent passwd.

E.g.:

getent passwd alex
alex:x:1009:10014:System User:/var/spool/DOMAIN/MY/home/alex:/bin/bash

$ getent shadow alex
alex:*:::::::0

And I'm able to "su - " to any LDAP user:

# su - alex
$ id
uid=1009(alex) gid=10014(Domain Users) groups=10002(Administrators),10004(Domain Admins),10014(Domain Users)

And I'm able to ssh with this same user (alex) using a public key.

But any attempt to connect by ssh without a public key fails:

ssh alex@10.6.6.37
Password:
Connection closed by 10.6.6.37

The password is OK (again, I checked it with Apache Directory Studio).

My messages:

Apr 1 14:03:09 my sshd[30821]: Connection from x.x.x.x port 34053
Apr 1 14:03:09 my sshd[30821]: Failed none for alex from x.x.x.x port 34053 ssh2
Apr 1 14:03:11 my sshd(pam_unix)[30823]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=alex

So, I think the problem is PAM + SSH...
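The syslog line above shows pam_unix.so failing for alex, which is what the auth stack posted earlier in the thread predicts for a user whose shadow entry is "*": pam_unix.so is listed as sufficient, so its failure is only logged, and the password is then handed to pam_ldap.so via use_first_pass. Whether sshd finally accepts the login therefore depends on what pam_ldap.so returns, and the posted log does not show that. The script below is an added example (not code from the original poster or from Linux-PAM); it parses the auth stack exactly as posted, replays Linux-PAM's required/requisite/sufficient/optional rules over it, and prints a trace for the scenarios a troubleshooter would compare. It goes one step beyond the thread by also evaluating a constructed variant in which pam_unix.so is made required, to show why that ordering can never admit an LDAP-only user. The per-module outcomes (pam_unix.so failing for the LDAP user, pam_ldap.so succeeding) are assumptions chosen to match the posted log, not something verified against the poster's server.

```python
"""Replay Linux-PAM control-flag semantics over an sshd auth stack."""
from typing import Dict, List, Tuple

# The auth/account part of the sshd PAM config posted in this thread (constructed copy).
SSHD_PAM_CONF = """\
#%PAM-1.0
auth required pam_env.so
auth sufficient pam_unix.so likeauth nullok
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account sufficient pam_unix.so
account sufficient pam_ldap.so use_first_pass
account required pam_deny.so
"""

# Hypothetical misconfiguration for comparison: pam_unix.so promoted to 'required'.
REQUIRED_UNIX_CONF = SSHD_PAM_CONF.replace(
    "auth sufficient pam_unix.so", "auth required pam_unix.so")


def parse_stack(conf: str, group: str) -> List[Tuple[str, str]]:
    """Return [(control, module), ...] for one management group (auth, account, ...)."""
    stack = []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3 or fields[0].lower() != group:
            continue
        stack.append((fields[1].lower(), fields[2]))
    return stack


def evaluate(stack: List[Tuple[str, str]], results: Dict[str, bool]) -> Tuple[bool, List[str]]:
    """Walk the stack with the simple (keyword) control flags of Linux-PAM.

    results maps module -> True (PAM_SUCCESS) / False (any failure code).
    Modules not listed are assumed to succeed; pam_deny.so always fails.
    """
    trace = []
    required_failed = False
    for control, module in stack:
        ok = False if module == "pam_deny.so" else results.get(module, True)
        trace.append(f"{control:<10} {module:<14} -> {'success' if ok else 'failure'}")
        if control == "requisite" and not ok:
            trace.append("requisite module failed: stack aborts immediately")
            return False, trace
        if control == "required" and not ok:
            required_failed = True  # verdict is now failure, but later modules still run
        if control == "sufficient" and ok and not required_failed:
            trace.append(f"sufficient {module} succeeded: stack returns success")
            return True, trace
        # 'optional' results never influence the verdict here
    return not required_failed, trace


# Scenario outcomes (assumed per-module results, chosen to match the posted syslog).
LDAP_USER_GOOD_PW = {"pam_unix.so": False, "pam_ldap.so": True}   # shadow '*', LDAP bind OK
LDAP_USER_BAD_PW = {"pam_unix.so": False, "pam_ldap.so": False}   # shadow '*', LDAP bind fails
LOCAL_USER_GOOD_PW = {"pam_unix.so": True}                         # /etc/shadow matches


def ldap_user_password_auth() -> bool:
    """Posted stack, LDAP-only user, correct password: pam_unix fails, pam_ldap passes."""
    return evaluate(parse_stack(SSHD_PAM_CONF, "auth"), LDAP_USER_GOOD_PW)[0]


def ldap_user_wrong_password() -> bool:
    """Posted stack, LDAP-only user, wrong password: falls through to pam_deny."""
    return evaluate(parse_stack(SSHD_PAM_CONF, "auth"), LDAP_USER_BAD_PW)[0]


def local_user_password_auth() -> bool:
    """Posted stack, local user: sufficient pam_unix short-circuits to success."""
    return evaluate(parse_stack(SSHD_PAM_CONF, "auth"), LOCAL_USER_GOOD_PW)[0]


def required_unix_locks_out_ldap_users() -> bool:
    """Variant with 'required pam_unix.so': its failure sticks, so pam_ldap's success is ignored."""
    return evaluate(parse_stack(REQUIRED_UNIX_CONF, "auth"), LDAP_USER_GOOD_PW)[0]


if __name__ == "__main__":
    for name, conf, results in [
        ("posted stack, LDAP user, good password", SSHD_PAM_CONF, LDAP_USER_GOOD_PW),
        ("posted stack, LDAP user, bad password", SSHD_PAM_CONF, LDAP_USER_BAD_PW),
        ("required pam_unix, LDAP user, good password", REQUIRED_UNIX_CONF, LDAP_USER_GOOD_PW),
    ]:
        verdict, trace = evaluate(parse_stack(conf, "auth"), results)
        print(f"== {name}: {'ALLOW' if verdict else 'DENY'}")
        print("\n".join("   " + t for t in trace))
```

Reading the trace for the first scenario shows the logged "authentication failure" from pam_unix is expected and harmless on its own: the stack still returns success once pam_ldap.so accepts the password. If the real login is nevertheless refused, the module to instrument next is pam_ldap.so (and the account group that runs after it), for example by raising its debug level, rather than the pam_unix line that the log already explains.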

