LinuxQuestions.org
Old 03-31-2010, 09:43 AM   #1
asimula
Openssh + PAM + LDAP fails only with LDAP users


I've compiled openssh-5.4p1 on RHEL 4.8 with OpenSSL 0.9.8m + PAM.

It works perfectly without PAM (pam-0.77-66), both with password and public key auth.

With PAM enabled and LDAP (openldap-2.4.21, from scratch) something strange happens:

system users: I can ssh with both password and public key

LDAP users: public key works for remote users, but I still cannot ssh with just a password.

I'm trying a custom PAM configuration, because the default one (even with authconfig + LDAP) blocks ssh even for system users.

My pam SSHD configuration is:

#%PAM-1.0

auth required pam_env.so
auth sufficient pam_unix.so likeauth nullok
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so

account sufficient pam_unix.so
account sufficient pam_ldap.so use_first_pass
account required pam_deny.so

password required pam_cracklib.so retry=3 minlen=4 dcredit=0 ucredit=0
password sufficient pam_unix.so nullok use_authtok md5 shadow
password sufficient pam_ldap.so
password required pam_deny.so

session optional pam_mkhomedir.so skel=/etc/skel/ umask=0022
session optional pam_keyinit.so revoke
session required pam_limits.so
session required pam_unix.so
session optional pam_ldap.so

My LDAP users are OK: I can "su -" to remote LDAP users (so nss_ldap is OK); getent passwd and getent group are also OK.

Any help is welcome

Thanks

Alex
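The behaviour of the auth stack above depends on how Linux-PAM walks its control flags, which is easy to misread when several `sufficient` lines sit in a row. The following is an added example (Python, not part of the original post or of any PAM code): a small simulator of the classic control semantics (required / requisite / sufficient / optional) driven by the posted auth section expressed as data. The local and LDAP account stores, the module functions (`pam_env`, `pam_unix`, `pam_ldap`, `pam_deny`) and the user names other than alex are constructed stand-ins, not the real modules or real accounts. It shows why an LDAP-only user makes pam_unix fail (and syslog an "authentication failure") while pam_ldap can still authenticate the user, and what the `nullok` option on pam_unix permits.

```python
"""
Added example (not from the original post): a small simulator of how
Linux-PAM walks an 'auth' stack using the control flags in the posted
/etc/pam.d/sshd (required / requisite / sufficient / optional). The local
and LDAP account stores below are constructed stand-ins for /etc/shadow and
the directory; the module functions are toy models, not the real modules.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

SUCCESS, FAIL = "success", "fail"

# Constructed account stores. 'svc' has an empty password field on purpose,
# to show what pam_unix's 'nullok' option allows.
LOCAL_SHADOW: Dict[str, str] = {"root": "r00tpw", "svc": ""}
LDAP_USERS: Dict[str, str] = {"alex": "alexpw"}

PamModule = Callable[[str, str, Dict[str, bool]], str]


def pam_env(user: str, password: str, opts: Dict[str, bool]) -> str:
    return SUCCESS  # only sets environment variables; never rejects


def pam_unix(user: str, password: str, opts: Dict[str, bool]) -> str:
    """Model of pam_unix: consults the local shadow store only. An LDAP-only
    user has no usable local hash (the thread's 'getent shadow' shows '*'),
    so pam_unix fails for such a user and syslogs 'authentication failure'."""
    if user not in LOCAL_SHADOW:
        return FAIL
    stored = LOCAL_SHADOW[user]
    if stored == "":
        # 'nullok' lets an account with an empty password field log in with ""
        return SUCCESS if opts.get("nullok") and password == "" else FAIL
    return SUCCESS if password == stored else FAIL


def pam_ldap(user: str, password: str, opts: Dict[str, bool]) -> str:
    """Model of pam_ldap: a simple bind against the directory store."""
    return SUCCESS if password and LDAP_USERS.get(user) == password else FAIL


def pam_deny(user: str, password: str, opts: Dict[str, bool]) -> str:
    return FAIL  # unconditional failure; the usual end-of-stack backstop


@dataclass
class Rule:
    control: str        # required | requisite | sufficient | optional
    module: PamModule
    opts: Dict[str, bool]


def run_stack(rules: List[Rule], user: str, password: str) -> Tuple[str, List[str]]:
    """Evaluate a stack with Linux-PAM's classic control semantics.
    Returns (final result, trace of 'module (control): result' lines)."""
    required_failed = False
    any_success = False
    trace: List[str] = []
    for rule in rules:
        res = rule.module(user, password, rule.opts)
        trace.append(f"{rule.module.__name__} ({rule.control}): {res}")
        if rule.control == "required":
            if res == FAIL:
                required_failed = True      # remember the failure, keep walking
            else:
                any_success = True
        elif rule.control == "requisite":
            if res == FAIL:
                return FAIL, trace          # stop immediately
            any_success = True
        elif rule.control == "sufficient":
            if res == SUCCESS and not required_failed:
                return SUCCESS, trace       # short-circuit; later modules never run
            # a failing 'sufficient' module is simply ignored
        elif rule.control == "optional":
            pass                            # ignored unless it is the only module
        else:
            raise ValueError(f"unknown control flag {rule.control!r}")
    return (FAIL, trace) if required_failed or not any_success else (SUCCESS, trace)


# The 'auth' section of the posted /etc/pam.d/sshd, expressed as data.
AUTH_STACK: List[Rule] = [
    Rule("required", pam_env, {}),
    Rule("sufficient", pam_unix, {"likeauth": True, "nullok": True}),
    Rule("sufficient", pam_ldap, {"use_first_pass": True}),
    Rule("required", pam_deny, {}),
]


def authenticate(user: str, password: str, stack: List[Rule] = AUTH_STACK) -> str:
    return run_stack(stack, user, password)[0]


if __name__ == "__main__":
    for u, p in [("root", "r00tpw"), ("alex", "alexpw"), ("alex", "wrong"), ("svc", "")]:
        result, trace = run_stack(AUTH_STACK, u, p)
        print(f"{u}/{p!r}: {result}")
        for step in trace:
            print("   ", step)
```

Two things the trace makes visible: for the LDAP user, the pam_unix failure is expected and harmless as long as pam_ldap then succeeds, so a lone pam_unix "authentication failure" line does not by itself say the stack failed; and `nullok` is a real weakening, since any local account whose shadow field is empty can log in with an empty password through this stack.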
 
Old 04-01-2010, 12:09 AM   #2
grail
Alex

I am a little confused (read - a lot confused really), your title says:

Quote:
Openssh + PAM + LDAP fails only with LDAP users
And then at the end you say:

Quote:
My LDAP users are ok
So which is it? They fail or they work / ok?

Also, you do not seem to indicate what error message(s) you are receiving?

Old 04-01-2010, 07:10 AM   #3
asimula
Quote:
Originally Posted by grail
Alex

I am a little confused (read - a lot confused really), your title says: "Openssh + PAM + LDAP fails only with LDAP users"

And then at the end you say: "My LDAP users are ok"

So which is it? They fail or they work / ok?

Also, you do not seem to indicate what error message(s) you are receiving?

My LDAP users are correctly extracted by nss_ldap using commands like getent passwd.

E.g.:

getent passwd alex
alex:x:1009:10014:System User:/var/spool/DOMAIN/MY/home/alex:/bin/bash

$ getent shadow alex
alex:*:::::::0

And I'm able to "su - " to any LDAP user

# su - alex
$ id
uid=1009(alex) gid=10014(Domain Users) groups=10002(Administrators),10004(Domain Admins),10014(Domain Users)

And I'm able to ssh with this same user (alex) with a public key.

But any attempt to connect by ssh without a public key fails:

ssh alex@10.6.6.37
Password:
Connection closed by 10.6.6.37

Password is OK (again, I checked it with Apache Directory Studio)

My messages:

Apr 1 14:03:09 my sshd[30821]: Connection from x.x.x.x port 34053
Apr 1 14:03:09 my sshd[30821]: Failed none for alex from x.x.x.x port 34053 ssh2
Apr 1 14:03:11 my sshd(pam_unix)[30823]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=alex

So, I think the problem is PAM SSH...
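When a chain of `sufficient` modules falls through, the useful question for the log excerpt above is which PAM modules reported anything at all for the user. The following is an added example (Python, not part of the original post): a parser for the old-style `sshd(pam_unix)[pid]:` syslog tag and sshd's own `Failed`/`Accepted` verdict lines, which groups messages by user and lists the PAM modules that logged a result. The first three lines of the sample are the ones quoted in the post; the root lines (host 10.0.0.5, pid 30901) are constructed to show a successful login alongside. The regexes and the summary format are this example's own choices, not anything from sshd.

```python
"""
Added example (not from the original post): a parser for the sshd and PAM
syslog lines quoted above. It groups messages by user and reports which
PAM modules actually logged a result, which is what you want to know when a
stack of 'sufficient' modules silently falls through. The first three lines
of SAMPLE_LOG are copied from the post; the root lines are constructed to
show a successful login alongside.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Old-style PAM syslog tag used on that system: "sshd(pam_unix)[pid]: ..."
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>sshd)(?:\((?P<module>\w+)\))?\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# sshd's own per-method verdicts: "Failed none for alex from x.x.x.x port 34053 ssh2"
AUTH_RE = re.compile(
    r"^(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<rhost>\S+) port (?P<rport>\d+)"
)

SAMPLE_LOG = """\
Apr 1 14:03:09 my sshd[30821]: Connection from x.x.x.x port 34053
Apr 1 14:03:09 my sshd[30821]: Failed none for alex from x.x.x.x port 34053 ssh2
Apr 1 14:03:11 my sshd(pam_unix)[30823]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=alex
Apr 1 14:05:02 my sshd[30901]: Failed none for root from 10.0.0.5 port 40112 ssh2
Apr 1 14:05:04 my sshd[30901]: Accepted password for root from 10.0.0.5 port 40112 ssh2
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the syslog fields of one line, plus either the PAM key=value
    pairs (module messages) or sshd's verdict fields; None if not sshd."""
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    if rec["module"]:
        # PAM module line: "<event>; k=v k=v ..." where values may be empty
        head, _, tail = rec["msg"].partition(";")
        rec["event"] = head.strip()
        for token in tail.split():
            key, _, value = token.partition("=")
            rec[key] = value
    else:
        a = AUTH_RE.match(rec["msg"])
        if a:
            rec.update(a.groupdict())
            rec["event"] = "verdict"
    return rec


def summarize(lines: List[str]) -> Dict[str, dict]:
    """Per-user view: sshd verdicts and the PAM modules that reported."""
    per_user: Dict[str, dict] = defaultdict(
        lambda: {"none_probe": False, "failed_methods": [], "accepted": [], "pam": {}}
    )
    for line in lines:
        rec = parse_line(line)
        if rec is None or "user" not in rec:
            continue
        s = per_user[rec["user"]]
        if rec["module"]:
            s["pam"][rec["module"]] = rec["event"]
        elif rec.get("result") == "Failed" and rec["method"] == "none":
            # The client's initial 'none' method always fails; it only asks
            # the server which methods are allowed, so it is not a real failure.
            s["none_probe"] = True
        elif rec.get("result") == "Failed":
            s["failed_methods"].append(rec["method"])
        elif rec.get("result") == "Accepted":
            s["accepted"].append(rec["method"])
    return dict(per_user)


def pam_modules_reporting(summary: Dict[str, dict], user: str) -> List[str]:
    """Sorted names of PAM modules that logged anything for this user."""
    return sorted(summary.get(user, {}).get("pam", {}))


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG.splitlines())
    for user, info in report.items():
        print(user, info)
        print("  PAM modules that reported:", pam_modules_reporting(report, user) or "none")
```

Run over the quoted excerpt, the summary for alex contains only pam_unix; the "Failed none" line is the client's method probe rather than a password failure. Whether pam_ldap was consulted and what it returned is not visible in these three lines, so raising sshd's `LogLevel` (or enabling pam_ldap's own debug logging) is the next thing to capture before changing the stack.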