OpenSSH + PAM + LDAP: Not authenticating

From: Adam (adamtheo_at_new.theoretic.com)
Date: 01/02/04

    Date: Fri, 2 Jan 2004 08:12:33 +0000
    To: secureshell@securityfocus.com


    I have OpenSSH 3.7.1p2, OpenLDAP 2.1.23, pam_ldap 161, nss_ldap 211. I have slapd
    connecting to tcp/389 accepting both unencrypted and StartTLS connections. I believe I
    have set up PAM correctly, since I can use the command 'getent passwd' and see a list of
    all user accounts, both in the /etc/passwd file and in the LDAP directory. However, when I
    try to log into the server using one of these LDAP entries over SSH, I am denied.

    Here is my /etc/nsswitch.conf file:

    passwd: files ldap
    shadow: files ldap
    group: files ldap

    Here is my /etc/pam.d/ssh file:

    auth required /lib/security/pam_nologin.so
    auth sufficient /lib/security/pam_ldap.so
    auth required /lib/security/pam_unix.so shadow nullok use_first_pass
    account sufficient /lib/security/pam_ldap.so
    account required /lib/security/pam_unix.so
    password required /lib/security/pam_cracklib.so
    password required /lib/security/pam_unix.so nullok use_authtok shadow
    session required /lib/security/pam_unix.so
    session optional /lib/security/pam_console.so

    Here is my /etc/ssh/sshd_config file (only changes from default shown):

    UsePAM yes
    Subsystem sftp /usr/lib/misc/sftp-server

    And finally here is the debug from 'sshd':

    debug2: read_server_config: filename /etc/ssh/sshd_config
    debug1: sshd version OpenSSH_3.7.1p2
    debug1: private host key: #0 type 0 RSA1
    debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key.
    debug1: read PEM private key done: type RSA
    debug1: private host key: #1 type 1 RSA
    debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key.
    debug1: read PEM private key done: type DSA
    debug1: private host key: #2 type 2 DSA
    debug1: Bind to port 22 on ::.
    Server listening on :: port 22.
    debug1: Bind to port 22 on 0.0.0.0.
    Bind to port 22 on 0.0.0.0 failed: Address already in use.
    Generating 768 bit RSA key.
    RSA key generation complete.

    debug1: Server will not fork when running in debugging mode.
    Connection from ::ffff:68.240.74.150 port 52410
    debug1: Client protocol version 1.5; client software version pilotSSH-1.0
    debug1: no match: pilotSSH-1.0
    debug1: Local version string SSH-1.99-OpenSSH_3.7.1p2
    debug3: privsep user:group 22:22
    debug1: permanently_set_uid: 22/22
    debug2: Network child is on pid 2871
    debug3: preauth child monitor started
    debug3: mm_request_receive entering
    debug1: Sent 768 bit server key and 1024 bit host key.
    debug1: Encryption type: 3des
    debug3: mm_request_send entering: type 28
    debug3: mm_request_receive_expect entering: type 29
    debug3: mm_request_receive entering
    debug3: monitor_read: checking request 28
    debug3: mm_request_send entering: type 29
    debug3: mm_ssh1_session_id entering
    debug3: mm_request_send entering: type 30
    debug2: cipher_init: set keylen (16 -> 32)
    debug2: cipher_init: set keylen (16 -> 32)
    debug1: Received session key; encryption turned on.
    debug2: monitor_read: 28 used once, disabling now
    debug3: mm_request_receive entering
    debug3: monitor_read: checking request 30
    debug3: mm_answer_sessid entering
    debug2: monitor_read: 30 used once, disabling now
    debug3: mm_request_receive entering
    debug1: Installing crc compensation attack detector.
    debug3: mm_getpwnamallow entering
    debug3: mm_request_send entering: type 6
    debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM
    debug3: mm_request_receive_expect entering: type 7
    debug3: mm_request_receive entering
    debug3: monitor_read: checking request 6
    debug3: mm_answer_pwnamallow
    debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
    debug3: mm_request_send entering: type 7
    debug3: mm_start_pam entering
    debug3: mm_request_send entering: type 43
    debug1: Attempting authentication for adamtheo.
    debug3: mm_auth_password entering
    debug3: mm_request_send entering: type 10
    debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
    debug3: mm_request_receive_expect entering: type 11
    debug3: mm_request_receive entering
    debug2: monitor_read: 6 used once, disabling now
    debug3: mm_request_receive entering
    debug3: monitor_read: checking request 43
    debug1: PAM: initializing for "adamtheo"
    debug3: Trying to reverse map address 68.240.74.150.
    debug1: PAM: setting PAM_RHOST to "014-230-239.area5.spcsdns.net"
    debug1: PAM: setting PAM_TTY to "ssh"
    debug2: monitor_read: 43 used once, disabling now
    debug3: mm_request_receive entering
    debug3: monitor_read: checking request 10
    debug3: mm_answer_authpassword: sending result 0
    debug3: mm_request_send entering: type 11
    debug3: mm_auth_password: user not authenticated
    Failed none for adamtheo from ::ffff:68.240.74.150 port 52410
    debug3: mm_request_receive entering
    debug3: mm_auth_password entering
    debug3: mm_request_send entering: type 10
    debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
    debug3: mm_request_receive_expect entering: type 11
    debug3: mm_request_receive entering
    debug3: monitor_read: checking request 10
    debug3: mm_answer_authpassword: sending result 0
    debug3: mm_request_send entering: type 11
    debug3: mm_auth_password: user not authenticated
    Failed password for adamtheo from ::ffff:68.240.74.150 port 52410
    Failed password for adamtheo from ::ffff:68.240.74.150 port 52410
    debug3: mm_request_receive entering
    Received disconnect from ::ffff:68.240.74.150: User closed connection
    debug1: Calling cleanup 0x8073260(0x0)
    debug1: Calling cleanup 0x8065be0(0x0)
    debug1: PAM: cleanup
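As an added illustration (not part of the original post), the following Python snippet simulates Linux-PAM's control-flag semantics (required / requisite / sufficient / optional) over the auth stack from the poster's /etc/pam.d/ssh, so one can see which module outcomes lead to the "sending result 0" seen in the sshd debug output; the per-module outcomes passed in are assumed values, not measured ones.

```python
from typing import Dict, List, Tuple

# Constructed copy of the auth and account groups from the post's /etc/pam.d/ssh.
PAM_D_SSH = """\
auth required /lib/security/pam_nologin.so
auth sufficient /lib/security/pam_ldap.so
auth required /lib/security/pam_unix.so shadow nullok use_first_pass
account sufficient /lib/security/pam_ldap.so
account required /lib/security/pam_unix.so
"""


def parse_stack(text: str, group: str) -> List[Tuple[str, str, List[str]]]:
    """Return (control, module_basename, args) entries for one management group."""
    stack = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != group:
            continue                       # blank, comment, or another group
        module = parts[2].rsplit("/", 1)[-1]   # keep the basename only
        stack.append((parts[1], module, parts[3:]))
    return stack


def evaluate(stack: List[Tuple[str, str, List[str]]], outcomes: Dict[str, bool]) -> bool:
    """Walk the stack with Linux-PAM control-flag rules.

    outcomes maps module basename -> True (PAM_SUCCESS) or False (any failure).
    Returns True when the stack as a whole would report success.
    """
    required_failed = False
    for control, module, _args in stack:
        ok = outcomes.get(module, False)   # an unlisted module is treated as failing
        if control == "requisite" and not ok:
            return False                   # abort the stack immediately
        if control == "required" and not ok:
            required_failed = True         # remembered, but later modules still run
        if control == "sufficient" and ok and not required_failed:
            return True                    # short-circuit; pam_unix is never consulted
        # "optional" only matters if it is the sole module in the group; not needed here
    return not required_failed


def auth_result(outcomes: Dict[str, bool]) -> bool:
    """Convenience wrapper: evaluate the post's auth group for the given outcomes."""
    return evaluate(parse_stack(PAM_D_SSH, "auth"), outcomes)
```

Running `auth_result` with pam_ldap failing and pam_unix failing reproduces the failure path in the log, while a failing pam_nologin blocks even a successful pam_ldap because the required failure precedes the sufficient module.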

