OpenSSH + PAM + LDAP: Not authenticating
From: Adam (adamtheo_at_new.theoretic.com)
Date: 01/02/04
- Previous message: Rahul S: "openssh.com's public key"
- Next in thread: Adam Theo: "Re: OpenSSH + PAM + LDAP: Not authenticating"
- Maybe reply: Adam Theo: "Re: OpenSSH + PAM + LDAP: Not authenticating"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 2 Jan 2004 08:12:33 +0000
To: secureshell@securityfocus.com
I have OpenSSH 3.7.1p2, OpenLDAP 2.1.23, pam_ldap 161, nss_ldap 211. I have slapd
connecting to tcp/389 accepting both unencrypted and StartTLS connections. I believe I
have set up PAM correctly, since I can use the command 'getent passwd' and see a list of
all user accounts, both in the /etc/passwd file and in the LDAP directory. However, when I
try to log into the server using one of these LDAP entries over SSH, I am denied.
Here is my /etc/nsswitch.conf file:
passwd: files ldap
shadow: files ldap
group: files ldap
Here is my /etc/pam.d/ssh file:
auth required /lib/security/pam_nologin.so
auth sufficient /lib/security/pam_ldap.so
auth required /lib/security/pam_unix.so shadow nullok use_first_pass
account sufficient /lib/security/pam_ldap.so
account required /lib/security/pam_unix.so
password required /lib/security/pam_cracklib.so
password required /lib/security/pam_unix.so nullok use_authtok shadow
session required /lib/security/pam_unix.so
session optional /lib/security/pam_console.so
Here is my /etc/ssh/sshd_config file (only changes from default shown):
UsePAM yes
Subsystem sftp /usr/lib/misc/sftp-server
And finally here is the debug from 'sshd':
debug2: read_server_config: filename /etc/ssh/sshd_config
debug1: sshd version OpenSSH_3.7.1p2
debug1: private host key: #0 type 0 RSA1
debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug1: Bind to port 22 on 0.0.0.0.
Bind to port 22 on 0.0.0.0 failed: Address already in use.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
Connection from ::ffff:68.240.74.150 port 52410
debug1: Client protocol version 1.5; client software version pilotSSH-1.0
debug1: no match: pilotSSH-1.0
debug1: Local version string SSH-1.99-OpenSSH_3.7.1p2
debug3: privsep user:group 22:22
debug1: permanently_set_uid: 22/22
debug2: Network child is on pid 2871
debug3: preauth child monitor started
debug3: mm_request_receive entering
debug1: Sent 768 bit server key and 1024 bit host key.
debug1: Encryption type: 3des
debug3: mm_request_send entering: type 28
debug3: mm_request_receive_expect entering: type 29
debug3: mm_request_receive entering
debug3: monitor_read: checking request 28
debug3: mm_request_send entering: type 29
debug3: mm_ssh1_session_id entering
debug3: mm_request_send entering: type 30
debug2: cipher_init: set keylen (16 -> 32)
debug2: cipher_init: set keylen (16 -> 32)
debug1: Received session key; encryption turned on.
debug2: monitor_read: 28 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 30
debug3: mm_answer_sessid entering
debug2: monitor_read: 30 used once, disabling now
debug3: mm_request_receive entering
debug1: Installing crc compensation attack detector.
debug3: mm_getpwnamallow entering
debug3: mm_request_send entering: type 6
debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM
debug3: mm_request_receive_expect entering: type 7
debug3: mm_request_receive entering
debug3: monitor_read: checking request 6
debug3: mm_answer_pwnamallow
debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
debug3: mm_request_send entering: type 7
debug3: mm_start_pam entering
debug3: mm_request_send entering: type 43
debug1: Attempting authentication for adamtheo.
debug3: mm_auth_password entering
debug3: mm_request_send entering: type 10
debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
debug3: mm_request_receive_expect entering: type 11
debug3: mm_request_receive entering
debug2: monitor_read: 6 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 43
debug1: PAM: initializing for "adamtheo"
debug3: Trying to reverse map address 68.240.74.150.
debug1: PAM: setting PAM_RHOST to "014-230-239.area5.spcsdns.net"
debug1: PAM: setting PAM_TTY to "ssh"
debug2: monitor_read: 43 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 10
debug3: mm_answer_authpassword: sending result 0
debug3: mm_request_send entering: type 11
debug3: mm_auth_password: user not authenticated
Failed none for adamtheo from ::ffff:68.240.74.150 port 52410
debug3: mm_request_receive entering
debug3: mm_auth_password entering
debug3: mm_request_send entering: type 10
debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
debug3: mm_request_receive_expect entering: type 11
debug3: mm_request_receive entering
debug3: monitor_read: checking request 10
debug3: mm_answer_authpassword: sending result 0
debug3: mm_request_send entering: type 11
debug3: mm_auth_password: user not authenticated
Failed password for adamtheo from ::ffff:68.240.74.150 port 52410
Failed password for adamtheo from ::ffff:68.240.74.150 port 52410
debug3: mm_request_receive entering
Received disconnect from ::ffff:68.240.74.150: User closed connection
debug1: Calling cleanup 0x8073260(0x0)
debug1: Calling cleanup 0x8065be0(0x0)
debug1: PAM: cleanup
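The quoted /etc/pam.d/ssh is an ordinary required/sufficient stack, and the sshd log ends in "user not authenticated", so it helps to trace how the control flags combine. The following is an added example, not code from the post or from OpenSSH/Linux-PAM: it parses the stack exactly as quoted above and applies the classic Linux-PAM control-flag rules to constructed per-module outcomes (the `outcomes` dictionaries are assumptions standing in for what pam_nologin, pam_ldap and pam_unix would return).

```python
"""Simplified Linux-PAM control-flag evaluator (added example, not from the post).

PAM_STACK is the /etc/pam.d/ssh quoted above; the outcome dictionaries are
constructed inputs standing in for what each module would return.
"""
from typing import Dict, List, Tuple

PAM_STACK = """\
auth required /lib/security/pam_nologin.so
auth sufficient /lib/security/pam_ldap.so
auth required /lib/security/pam_unix.so shadow nullok use_first_pass
account sufficient /lib/security/pam_ldap.so
account required /lib/security/pam_unix.so
"""

def parse_stack(text: str, group: str) -> List[Tuple[str, str]]:
    """Return (control, module) pairs for one management group such as 'auth'."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#") or parts[0] != group:
            continue
        entries.append((parts[1], parts[2].rsplit("/", 1)[-1]))
    return entries

def evaluate(entries: List[Tuple[str, str]], outcomes: Dict[str, bool]) -> bool:
    """Walk the stack with the classic required/requisite/sufficient/optional rules.

    outcomes maps module name -> True (PAM_SUCCESS) or False (any failure).
    A module absent from outcomes counts as failing (e.g. user unknown to it).
    The bracketed [value=action] syntax is deliberately not modelled.
    """
    failed_required = False
    for control, module in entries:
        ok = outcomes.get(module, False)
        if control == "requisite" and not ok:
            return False              # abort the whole stack at once
        if control == "required" and not ok:
            failed_required = True    # remembered; later modules still run
        elif control == "sufficient" and ok and not failed_required:
            return True               # short-circuit: pam_unix never consulted
        # optional never decides the result when other modules are present
    return not failed_required

def ssh_auth_allowed(outcomes: Dict[str, bool]) -> bool:
    """Outcome of the 'auth' phase of the posted stack for the given module results."""
    return evaluate(parse_stack(PAM_STACK, "auth"), outcomes)
```

With pam_ldap returning success the login is granted without pam_unix ever running; with pam_ldap failing and no usable local shadow entry, pam_unix (required) fails and the stack denies, which is the "user not authenticated" result in the posted log.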