OpenSSH and PAM LDAP
From: Ezsra McDonald (ezsra_mcdonald_at_yahoo.com)
Date: 02/16/04
- Previous message: Miller Alan: "AW: UsersDeny except root@myserver"
- Next in thread: Ezsra McDonald: "RE: OpenSSH and PAM LDAP"
- Maybe reply: Ezsra McDonald: "RE: OpenSSH and PAM LDAP"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 16 Feb 2004 11:28:12 -0800 (PST)
To: secureshell@securityfocus.com
I have been trying to get this working for some time now.

PROBLEM 1:
I can ssh in with a user who has a local account using the LDAP password. I cannot ssh login as an LDAP user. I can however telnet login as both local and LDAP users.

PROBLEM 2:
If LDAP is down local users cannot log in via telnet or ssh. I need admin users to be able to log in if LDAP is down.
DETAILS:
The host in question is running Solaris 8 with OpenSSH_3.7.1p2.
I removed the IPLANET ldap stuff and replaced it with the openldap-1.2.11 package from the solaris freesoftware site.
I also installed pam_ldap-167.
I have ldap in the nsswitch.conf file.
My sshd_conf contains:
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
I have tried many different pam.conf configurations.
At the moment it is a mess and looks like this:
#ident "@(#)pam.conf 1.16 01/01/24 SMI"
#
# Copyright (c) 1996-2000 by Sun Microsystems, Inc.
# All rights reserved.
#
# PAM configuration
#
# Authentication management
#
login auth required /usr/lib/security/pam_ldap.so.1
login auth sufficient /usr/lib/security/$ISA/pam_unix.so.1 use_first_pass
login auth required /usr/lib/security/$ISA/pam_dial_auth.so.1
#
telnet auth sufficient /usr/lib/security/pam_ldap.so.1
telnet auth required /usr/lib/security/pam_unix.so.1 try_first_pass
#
#sshd auth requisite /usr/lib/security/pam_authtok_get.so.1
#sshd auth required /usr/lib/security/pam_dhkeys.so.1
sshd auth sufficient /usr/lib/security/pam_ldap.so.1
sshd auth required /usr/lib/security/pam_unix_auth.so.1 use_first_pass
#
rlogin auth sufficient /usr/lib/security/$ISA/pam_rhosts_auth.so.1
rlogin auth required /usr/lib/security/$ISA/pam_unix.so.1
#
dtlogin auth required /usr/lib/security/$ISA/pam_unix.so.1
#
rsh auth required /usr/lib/security/$ISA/pam_rhosts_auth.so.1
#
other auth sufficient /usr/lib/security/pam_ldap.so.1
other auth required /usr/lib/security/$ISA/pam_unix.so.1 use_first_pass
#
# Account management
#
#login account requisite /usr/lib/security/$ISA/pam_roles.so.1
#login account required /usr/lib/security/$ISA/pam_projects.so.1
login account sufficient /usr/lib/security/pam_ldap.so.1
login account required /usr/lib/security/$ISA/pam_unix.so.1
#
#telnet account requisite /usr/lib/security/$ISA/pam_roles.so.1
#telnet account required /usr/lib/security/$ISA/pam_projects.so.1
telnet account sufficient /usr/lib/security/pam_ldap.so.1
telnet account required /usr/lib/security/$ISA/pam_unix.so.1
#
#sshd account requisite /usr/lib/security/$ISA/pam_roles.so.1
#sshd account required /usr/lib/security/$ISA/pam_projects.so.1
#sshd account sufficient /usr/lib/security/pam_ldap.so.1
#sshd account required /usr/lib/security/$ISA/pam_unix.so.1
#
dtlogin account requisite /usr/lib/security/$ISA/pam_roles.so.1
dtlogin account required /usr/lib/security/$ISA/pam_projects.so.1
dtlogin account required /usr/lib/security/$ISA/pam_unix.so.1
#
#other account requisite /usr/lib/security/$ISA/pam_roles.so.1
#other account required /usr/lib/security/$ISA/pam_projects.so.1
other account sufficient /usr/lib/security/pam_ldap.so.1
other account required /usr/lib/security/$ISA/pam_unix.so.1
#
# Session management
#
other session required /usr/lib/security/$ISA/pam_unix.so.1
#
# Password management
#
other password sufficient /usr/lib/security/pam_ldap.so.1
other password required /usr/lib/security/$ISA/pam_unix.so.1
#
#telnet password sufficient /usr/lib/security/pam_ldap.so.1
#telnet password required /usr/lib/security/$ISA/pam_unix.so.1
#
#sshd password sufficient /usr/lib/security/pam_ldap.so.1
#sshd password required /usr/lib/security/$ISA/pam_unix.so.1
#
dtsession auth required /usr/lib/security/$ISA/pam_unix.so.1
#
# Support for Kerberos V5 authentication (uncomment to use Kerberos)
#
#rlogin auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
#login auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
#dtlogin auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
#other auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
#dtlogin account optional /usr/lib/security/$ISA/pam_krb5.so.1
#other account optional /usr/lib/security/$ISA/pam_krb5.so.1
#other session optional /usr/lib/security/$ISA/pam_krb5.so.1
#other password optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
#
# Support for Solaris PPP (sppp)
ppp auth required /usr/lib/security/$ISA/pam_unix.so.1
ppp auth required /usr/lib/security/$ISA/pam_dial_auth.so.1
ppp account requisite /usr/lib/security/$ISA/pam_roles.so.1
ppp account required /usr/lib/security/$ISA/pam_projects.so.1
ppp account required /usr/lib/security/$ISA/pam_unix.so.1
ppp session required /usr/lib/security/$ISA/pam_unix.so.1
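The two problems in the post both come down to how PAM combines the modules in a stack. The following is an added illustration, not code from the post, from Solaris, or from any PAM implementation: a small evaluator for the textbook control-flag rules (required, requisite, sufficient, optional), run over the login, other and sshd auth stacks exactly as they are stacked in the quoted pam.conf. Module outcomes are supplied as constructed scenarios (an assumption, since a real module's result depends on the account, the password and the backend); module options such as use_first_pass, and the exact error codes a module returns when its directory is unreachable, are outside the model.

```python
"""Toy evaluator for PAM control-flag stacking.

Added example, not code from the post or any PAM implementation.  The
stacks below mirror the auth stacks in the quoted pam.conf; module
paths and options are dropped and only the control flag and module name
are kept.  Per-module outcomes are constructed scenarios.
"""

from typing import Dict, List, Tuple

# (control flag, module short name)
Stack = List[Tuple[str, str]]

# The 'login auth' stack as posted: pam_ldap is *required* and runs first.
LOGIN_AUTH: Stack = [
    ("required", "pam_ldap"),
    ("sufficient", "pam_unix"),
    ("required", "pam_dial_auth"),
]

# The 'other auth' stack as posted: pam_ldap is only *sufficient*.
OTHER_AUTH: Stack = [
    ("sufficient", "pam_ldap"),
    ("required", "pam_unix"),
]

# The 'sshd auth' stack as posted (commented-out lines omitted).
SSHD_AUTH: Stack = [
    ("sufficient", "pam_ldap"),
    ("required", "pam_unix_auth"),
]


def evaluate(stack: Stack, results: Dict[str, bool]) -> bool:
    """Return True if the stack grants access given per-module outcomes.

    Rules modelled (the usual PAM semantics):
      required   - a failure is remembered, the rest of the stack still runs;
      requisite  - a failure ends the stack immediately with failure;
      sufficient - a success ends the stack with success unless an earlier
                   required module already failed; a failure is ignored;
      optional   - its result only counts when it is the only module.
    Any module missing from `results` is treated as having failed, which is
    how an unreachable backend is represented in the scenarios below.
    """
    required_failed = False
    for flag, module in stack:
        ok = results.get(module, False)
        if flag == "required":
            if not ok:
                required_failed = True
        elif flag == "requisite":
            if not ok:
                return False
        elif flag == "sufficient":
            if ok and not required_failed:
                return True
        elif flag == "optional":
            if len(stack) == 1:
                return ok
        else:
            raise ValueError(f"unknown control flag {flag!r}")
    return not required_failed


def survives_backend_outage(stack: Stack, backend: str = "pam_ldap") -> bool:
    """Scenario for the post's problem 2: every module except `backend`
    succeeds (a local user with a correct local password), `backend` cannot
    answer.  True means the stack still lets that user in."""
    results = {module: True for _, module in stack if module != backend}
    return evaluate(stack, results)


if __name__ == "__main__":
    for name, stack in (("login", LOGIN_AUTH), ("other", OTHER_AUTH), ("sshd", SSHD_AUTH)):
        print(f"{name:6s} auth, local user, LDAP down: "
              f"{'allowed' if survives_backend_outage(stack) else 'DENIED'}")
    # An LDAP-only user while the directory is reachable: pam_ldap succeeds,
    # the unix modules fail (no local entry in this constructed scenario).
    print("sshd   auth, LDAP user, LDAP up:    "
          f"{'allowed' if evaluate(SSHD_AUTH, {'pam_ldap': True}) else 'DENIED'}")
```

Under this model the login auth stack as posted fails closed whenever pam_ldap cannot answer, because a required module that runs first records a failure that no later sufficient module can override; the other and sshd auth stacks place pam_ldap as sufficient and fall through to pam_unix, so a local user still gets in. For problem 1 the model is less informative: the sshd auth stack as modelled admits a user for whom pam_ldap succeeds, so the control flags alone do not reproduce that symptom, and the causes the model leaves out (module options, the keyboard-interactive path sshd uses when PasswordAuthentication is off, the error codes a real module returns) are where to look next.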