
Re: openssh authentication via openldap



darwin <darwin@fire.hoosac.com> writes:

> All,
> I just set up three of my debian sarge boxes to authenticate against
> an openldap server. I'm using PAM and everything works as expected
> except for ssh on one host. When I try to ssh to the box as an ldap
> user I immediately get kicked out. From this box I can successfully
> grab getent ldap info and also su to ldap users. I'm not quite sure
> what's going on here. Why would every service work except for ssh?
> I've pasted some logs below and some /etc/pam.d files but everything
> *seems* in order. Any help would be appreciated.
>
> /var/log/auth.log
> Feb 27 04:44:37 web2 sshd[26645]: Illegal user foo from ::ffff:172.16.0.1
> Feb 27 04:44:39 web2 sshd[26645]: (pam_unix) check pass; user unknown
> Feb 27 04:44:39 web2 sshd[26645]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=asdf
> Feb 27 04:44:39 web2 sshd[26645]: pam_ldap: error trying to bind as user "uid=foo,cn=users,dc=domain,dc=tld" (Invalid credentials) <--- The password is correct :)
> Feb 27 04:44:40 web2 sshd[26645]: error: PAM: Authentication failure for illegal user foo from asdf
> Feb 27 04:44:40 web2 sshd[26645]: Failed keyboard-interactive/pam for illegal user foo from ::ffff:172.16.0.1 port 58015 ssh2
>
> /etc/pam.d
> ::::::::::::::
> ssh
> ::::::::::::::
> auth       required     pam_nologin.so
> auth       required     pam_env.so # [1]
> @include common-auth
> @include common-account
> @include common-session
> session    optional     pam_motd.so # [1]
> session    optional     pam_mail.so standard noenv # [1]
> session    required     pam_limits.so
> @include common-password
> ::::::::::::::
> common-account
> ::::::::::::::
> account     required      pam_unix.so
> account     sufficient     pam_ldap.so
> ::::::::::::::
> common-auth
> ::::::::::::::
> auth        required      pam_env.so
> auth        sufficient     pam_unix.so likeauth nullok
> auth        sufficient     pam_ldap.so use_first_pass
> auth        required     pam_deny.so
> session     required   pam_mkhomedir.so skel=/etc/skel umask=0027
> ::::::::::::::
> common-password
> ::::::::::::::
> password    required      pam_cracklib.so retry=3 type=
> password    sufficient     pam_unix.so nullok use_authtok md5 shadow
> password    sufficient     pam_ldap.so use_authtok
> password    required     pam_deny.so
> ::::::::::::::
> common-session
> ::::::::::::::
> session     required      pam_limits.so
> session     required      pam_unix.so
> session     optional      pam_ldap.so


I once had a problem with ssh/ldap... it turned out I had forgotten to
restart the ssh daemon after changing pam.

I know it's simple... but I forgot to do it. Maybe you did too?


Nic

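An added triage script, mine rather than the thread's, for auth.log lines like the ones quoted above: "Illegal user" (newer OpenSSH logs "Invalid user") means sshd's own getpwnam() lookup failed, so the account was not visible to that sshd process through NSS, and because OpenSSH hands PAM a fake password for unknown users, the pam_ldap "Invalid credentials" bind is a consequence, not the cause. That fits getent and su working from a fresh shell while a long-running sshd does not, which is what the restart advice above addresses. The sample lines are constructed from the thread's log (unwrapped); user bob and the uid=<login> DN assumption are mine.

```shell
#!/bin/sh
# Added triage helper (not from the thread). classify_auth_line prints
# "<category> <user>": nss-unresolved = "Illegal/Invalid user", getpwnam()
# failed inside sshd (NSS does not show the account to that process);
# ldap-bind-failed = pam_ldap reached the directory but the bind was
# rejected; pam-failure = sshd's final PAM verdict for the attempt.
classify_auth_line() {
    case "$1" in
        *"sshd["*"Illegal user "*|*"sshd["*"Invalid user "*)
            rest=${1#*"user "}; printf 'nss-unresolved %s\n' "${rest%% *}" ;;
        *"pam_ldap: error trying to bind as user \""*)
            rest=${1#*"as user \""}; dn=${rest%%\"*}
            uid=${dn%%,*}          # assumes the DN starts with uid=<login>
            printf 'ldap-bind-failed %s\n' "${uid#uid=}" ;;
        *"PAM: Authentication failure for "*)
            rest=${1#*"failure for "}
            rest=${rest#"illegal user "}; rest=${rest#"invalid user "}
            printf 'pam-failure %s\n' "${rest%% *}" ;;
    esac
}

# has_event EVENTS CATEGORY USER: true if that exact event was recorded.
has_event() { printf '%s\n' "$1" | grep -qxF "$2 $3"; }
# diagnose_auth_log: reads auth.log on stdin, prints one verdict line per user.
diagnose_auth_log() {
    events=$(while IFS= read -r line; do classify_auth_line "$line"; done | sort -u)
    for user in $(printf '%s\n' "$events" | cut -d' ' -f2 | sort -u); do
        if has_event "$events" nss-unresolved "$user" &&
           has_event "$events" ldap-bind-failed "$user"; then
            printf '%s: sshd could not resolve the account via NSS; the LDAP bind failure is a side effect (sshd hands PAM a fake password for unknown users). Check nsswitch.conf and restart sshd after NSS/PAM changes.\n' "$user"
        elif has_event "$events" nss-unresolved "$user"; then
            printf '%s: account unknown to sshd (NSS lookup failed)\n' "$user"
        elif has_event "$events" ldap-bind-failed "$user"; then
            printf '%s: account resolved but the LDAP bind was rejected: check the password or pam_ldap/ldap.conf\n' "$user"
        else
            printf '%s: PAM authentication failure with no further detail\n' "$user"
        fi
    done
}

# Constructed sample: the thread's lines unwrapped, plus a made-up wrong-password failure for resolvable user "bob".
SAMPLE_LOG='Feb 27 04:44:37 web2 sshd[26645]: Illegal user foo from ::ffff:172.16.0.1
Feb 27 04:44:39 web2 sshd[26645]: (pam_unix) check pass; user unknown
Feb 27 04:44:39 web2 sshd[26645]: pam_ldap: error trying to bind as user "uid=foo,cn=users,dc=domain,dc=tld" (Invalid credentials)
Feb 27 04:44:40 web2 sshd[26645]: error: PAM: Authentication failure for illegal user foo from asdf
Feb 27 04:50:02 web2 sshd[26702]: pam_ldap: error trying to bind as user "uid=bob,cn=users,dc=domain,dc=tld" (Invalid credentials)
Feb 27 04:50:02 web2 sshd[26702]: error: PAM: Authentication failure for bob from 172.16.0.1'

printf '%s\n' "$SAMPLE_LOG" | diagnose_auth_log
```

Run it against a real log with `diagnose_auth_log < /var/log/auth.log`; a user showing both nss-unresolved and ldap-bind-failed from the same sshd pid points at the daemon's NSS view, not at the password.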

