
openssh authentication via openldap



All,
I just set up three of my Debian sarge boxes to authenticate against an openldap server. I'm using PAM and everything works as expected except for ssh on one host. When I try to ssh to the box as an ldap user I immediately get kicked out. From this box I can successfully grab getent ldap info and also su to ldap users. I'm not quite sure what's going on here. Why would every service work except for ssh? I've pasted some logs below and some /etc/pam.d files but everything *seems* in order. Any help would be appreciated.

/var/log/auth.log
Feb 27 04:44:37 web2 sshd[26645]: Illegal user foo from ::ffff:172.16.0.1
Feb 27 04:44:39 web2 sshd[26645]: (pam_unix) check pass; user unknown
Feb 27 04:44:39 web2 sshd[26645]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=asdf
Feb 27 04:44:39 web2 sshd[26645]: pam_ldap: error trying to bind as user "uid=foo,cn=users,dc=domain,dc=tld" (Invalid credentials) <--- The password is correct :)
Feb 27 04:44:40 web2 sshd[26645]: error: PAM: Authentication failure for illegal user foo from asdf
Feb 27 04:44:40 web2 sshd[26645]: Failed keyboard-interactive/pam for illegal user foo from ::ffff:172.16.0.1 port 58015 ssh2

/etc/pam.d
::::::::::::::
ssh
::::::::::::::
auth       required     pam_nologin.so
auth       required     pam_env.so # [1]
@include common-auth
@include common-account
@include common-session
session    optional     pam_motd.so # [1]
session    optional     pam_mail.so standard noenv # [1]
session    required     pam_limits.so
@include common-password
::::::::::::::
common-account
::::::::::::::
account     required      pam_unix.so
account     sufficient     pam_ldap.so
::::::::::::::
common-auth
::::::::::::::
auth        required      pam_env.so
auth        sufficient     pam_unix.so likeauth nullok
auth        sufficient     pam_ldap.so use_first_pass
auth        required     pam_deny.so
session     required   pam_mkhomedir.so skel=/etc/skel umask=0027
::::::::::::::
common-password
::::::::::::::
password    required      pam_cracklib.so retry=3 type=
password    sufficient     pam_unix.so nullok use_authtok md5 shadow
password    sufficient     pam_ldap.so use_authtok
password    required     pam_deny.so
::::::::::::::
common-session
::::::::::::::
session     required      pam_limits.so
session     required      pam_unix.so
session     optional      pam_ldap.so
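An added triage example, not part of the original post: a small Python script for sshd auth.log lines of the shape shown above. It groups lines by sshd PID, records what the NSS lookup, pam_unix and pam_ldap each reported, and points at the earliest failing stage rather than the last error printed. The sample log is constructed from the post's lines plus one made-up successful login for contrast.

```python
import re
from collections import OrderedDict

# Constructed sample modelled on the auth.log excerpt in the post (not a real capture);
# the final "Accepted" line for user bob is invented to show a healthy session.
SAMPLE_LOG = """\
Feb 27 04:44:37 web2 sshd[26645]: Illegal user foo from ::ffff:172.16.0.1
Feb 27 04:44:39 web2 sshd[26645]: (pam_unix) check pass; user unknown
Feb 27 04:44:39 web2 sshd[26645]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=asdf
Feb 27 04:44:39 web2 sshd[26645]: pam_ldap: error trying to bind as user "uid=foo,cn=users,dc=domain,dc=tld" (Invalid credentials)
Feb 27 04:44:40 web2 sshd[26645]: error: PAM: Authentication failure for illegal user foo from asdf
Feb 27 04:44:40 web2 sshd[26645]: Failed keyboard-interactive/pam for illegal user foo from ::ffff:172.16.0.1 port 58015 ssh2
Feb 27 04:50:01 web2 sshd[26702]: Accepted keyboard-interactive/pam for bob from ::ffff:172.16.0.5 port 58020 ssh2
"""

LINE_RE = re.compile(r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$')
ILLEGAL_RE = re.compile(r'^Illegal user (?P<user>\S+) from (?P<src>\S+)')
BIND_RE = re.compile(r'^pam_ldap: error trying to bind as user "(?P<dn>[^"]+)" \((?P<err>[^)]+)\)')
RESULT_RE = re.compile(r'^(?P<result>Accepted|Failed) (?P<method>\S+) for (?:illegal user )?(?P<user>\S+) from (?P<src>\S+)')

def parse_sessions(text):
    """Group sshd lines by PID and record what each authentication stage reported."""
    sessions = OrderedDict()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an sshd line; ignore it
        s = sessions.setdefault(m['pid'], {"user": None, "src": None, "nss_unknown": False,
                                           "pam_unix_unknown": False, "ldap_bind_error": None,
                                           "result": None})
        msg = m['msg']
        hit = ILLEGAL_RE.match(msg)
        if hit:  # sshd's own getpwnam() lookup failed before PAM ran
            s.update(user=hit['user'], src=hit['src'], nss_unknown=True)
            continue
        if msg.startswith("(pam_unix) check pass; user unknown"):
            s["pam_unix_unknown"] = True
            continue
        hit = BIND_RE.match(msg)
        if hit:  # pam_ldap could not bind with the DN it built for the user
            s["ldap_bind_error"] = (hit['dn'], hit['err'])
            continue
        hit = RESULT_RE.match(msg)
        if hit:
            s.update(user=hit['user'], src=hit['src'], result=hit['result'])
    return sessions

def diagnose(s):
    """Name the earliest failing stage; sshd never authenticates an 'Illegal user', whatever PAM returns."""
    if s["nss_unknown"]:
        return ("sshd's own getpwnam() lookup failed ('Illegal user'): the account is not visible to the "
                "sshd process through NSS, so it is rejected regardless of what PAM returns; check "
                "name-service resolution from sshd's context before changing PAM")
    if s["ldap_bind_error"]:
        return "account resolved, but pam_ldap bind as %s failed: %s" % s["ldap_bind_error"]
    return "no NSS or LDAP problem recorded; result=%s" % s["result"]
```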


