OpenSSH and PAM LDAP

From: Ezsra McDonald (ezsra_mcdonald_at_yahoo.com)
Date: 02/16/04

    Date: Mon, 16 Feb 2004 11:28:12 -0800 (PST)
    To: secureshell@securityfocus.com
    
    

    I have been trying to get this working for some time now.

    PROBLEM 1:
    I can ssh in with a user who has a local account using
    the LDAP password. I cannot log in via ssh as an LDAP
    user.

    I can, however, log in via telnet as both local and LDAP
    users.

    PROBLEM 2:
    If LDAP is down, local users cannot log in via telnet or
    ssh. I need admin users to be able to log in if LDAP is down.

    DETAILS:
    The host in question is running Solaris 8.

    OpenSSH_3.7.1p2.

    I removed the iPlanet LDAP stuff and replaced it with the
    openldap-1.2.11 package from the Solaris free software
    site.

    I also installed pam_ldap-167.

    I have ldap in the nsswitch.conf file.

    My sshd_conf contains:
       PasswordAuthentication no
       ChallengeResponseAuthentication yes
       UsePAM yes

    I have tried many different pam.conf configurations.
    At the moment it is a mess and looks like this:

    #ident "@(#)pam.conf 1.16 01/01/24 SMI"
    #
    # Copyright (c) 1996-2000 by Sun Microsystems, Inc.
    # All rights reserved.
    #
    # PAM configuration
    #
    # Authentication management
    #
    login   auth required   /usr/lib/security/pam_ldap.so.1
    login   auth sufficient /usr/lib/security/$ISA/pam_unix.so.1 use_first_pass
    login   auth required   /usr/lib/security/$ISA/pam_dial_auth.so.1
    #
    telnet  auth sufficient /usr/lib/security/pam_ldap.so.1
    telnet  auth required   /usr/lib/security/pam_unix.so.1 try_first_pass
    #
    #sshd   auth requisite  /usr/lib/security/pam_authtok_get.so.1
    #sshd   auth required   /usr/lib/security/pam_dhkeys.so.1
    sshd    auth sufficient /usr/lib/security/pam_ldap.so.1
    sshd    auth required   /usr/lib/security/pam_unix_auth.so.1 use_first_pass
    #
    rlogin  auth sufficient /usr/lib/security/$ISA/pam_rhosts_auth.so.1
    rlogin  auth required   /usr/lib/security/$ISA/pam_unix.so.1
    #
    dtlogin auth required   /usr/lib/security/$ISA/pam_unix.so.1
    #
    rsh     auth required   /usr/lib/security/$ISA/pam_rhosts_auth.so.1
    #
    other   auth sufficient /usr/lib/security/pam_ldap.so.1
    other   auth required   /usr/lib/security/$ISA/pam_unix.so.1 use_first_pass
    #
    # Account management
    #
    #login  account requisite  /usr/lib/security/$ISA/pam_roles.so.1
    #login  account required   /usr/lib/security/$ISA/pam_projects.so.1
    login   account sufficient /usr/lib/security/pam_ldap.so.1
    login   account required   /usr/lib/security/$ISA/pam_unix.so.1
    #
    #telnet account requisite  /usr/lib/security/$ISA/pam_roles.so.1
    #telnet account required   /usr/lib/security/$ISA/pam_projects.so.1
    telnet  account sufficient /usr/lib/security/pam_ldap.so.1
    telnet  account required   /usr/lib/security/$ISA/pam_unix.so.1
    #
    #sshd   account requisite  /usr/lib/security/$ISA/pam_roles.so.1
    #sshd   account required   /usr/lib/security/$ISA/pam_projects.so.1
    #sshd   account sufficient /usr/lib/security/pam_ldap.so.1
    #sshd   account required   /usr/lib/security/$ISA/pam_unix.so.1
    #
    dtlogin account requisite  /usr/lib/security/$ISA/pam_roles.so.1
    dtlogin account required   /usr/lib/security/$ISA/pam_projects.so.1
    dtlogin account required   /usr/lib/security/$ISA/pam_unix.so.1
    #
    #other  account requisite  /usr/lib/security/$ISA/pam_roles.so.1
    #other  account required   /usr/lib/security/$ISA/pam_projects.so.1
    other   account sufficient /usr/lib/security/pam_ldap.so.1
    other   account required   /usr/lib/security/$ISA/pam_unix.so.1
    #
    # Session management
    #
    other   session required   /usr/lib/security/$ISA/pam_unix.so.1
    #
    # Password management
    #
    other   password sufficient /usr/lib/security/pam_ldap.so.1
    other   password required   /usr/lib/security/$ISA/pam_unix.so.1
    #
    #telnet password sufficient /usr/lib/security/pam_ldap.so.1
    #telnet password required   /usr/lib/security/$ISA/pam_unix.so.1
    #
    #sshd   password sufficient /usr/lib/security/pam_ldap.so.1
    #sshd   password required   /usr/lib/security/$ISA/pam_unix.so.1
    #
    dtsession auth required /usr/lib/security/$ISA/pam_unix.so.1
    #
    # Support for Kerberos V5 authentication (uncomment to use Kerberos)
    #
    #rlogin  auth optional     /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
    #login   auth optional     /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
    #dtlogin auth optional     /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
    #other   auth optional     /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
    #dtlogin account optional  /usr/lib/security/$ISA/pam_krb5.so.1
    #other   account optional  /usr/lib/security/$ISA/pam_krb5.so.1
    #other   session optional  /usr/lib/security/$ISA/pam_krb5.so.1
    #other   password optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
    #
    # Support for Solaris PPP (sppp)
    ppp auth required    /usr/lib/security/$ISA/pam_unix.so.1
    ppp auth required    /usr/lib/security/$ISA/pam_dial_auth.so.1
    ppp account requisite /usr/lib/security/$ISA/pam_roles.so.1
    ppp account required /usr/lib/security/$ISA/pam_projects.so.1
    ppp account required /usr/lib/security/$ISA/pam_unix.so.1
    ppp session required /usr/lib/security/$ISA/pam_unix.so.1

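The "LDAP down" failure in the post is a property of how PAM control flags combine, so here is a small stack simulator (added example, not from the original post) that parses Solaris-style `service type control module [options]` lines and walks them with the classic required/requisite/sufficient rules. The embedded config is a constructed copy of the poster's `login` and `sshd` auth stacks; the module outcomes (pam_ldap unreachable, pam_unix succeeding) are assumed, and it is assumed that Solaris telnetd hands off to /bin/login, whose PAM service name is `login`.

```python
"""Simulate PAM stack evaluation for Solaris-style pam.conf lines.

Constructed example: the stacks below mirror the 'login' and 'sshd'
auth entries from the post; module outcomes are assumed, not measured.
Only required / requisite / sufficient are modelled (the flags the
posted stacks actually use).
"""

PAM_CONF = """\
login auth required   /usr/lib/security/pam_ldap.so.1
login auth sufficient /usr/lib/security/$ISA/pam_unix.so.1 use_first_pass
login auth required   /usr/lib/security/$ISA/pam_dial_auth.so.1
sshd  auth sufficient /usr/lib/security/pam_ldap.so.1
sshd  auth required   /usr/lib/security/pam_unix_auth.so.1 use_first_pass
"""


def parse(conf):
    """Return {(service, type): [(control, module_name, options), ...]}."""
    stacks = {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        service, mtype, control, module, *opts = line.split()
        # "/usr/lib/security/$ISA/pam_unix.so.1" -> "pam_unix"
        name = module.rsplit("/", 1)[-1].split(".so")[0]
        stacks.setdefault((service, mtype), []).append((control, name, opts))
    return stacks


def evaluate(stack, outcomes):
    """outcomes maps module name -> True (success) / False (failure).
    Returns (final_result, trace). A module missing from outcomes fails."""
    required_failed, any_success, trace = False, False, []
    for control, name, _ in stack:
        ok = outcomes.get(name, False)
        trace.append(f"{control:<10} {name:<14} {'ok' if ok else 'FAIL'}")
        if control == "requisite" and not ok:
            return False, trace            # requisite failure ends the stack
        if control == "required" and not ok:
            required_failed = True         # remembered, but keep walking
        if ok and control in ("required", "requisite"):
            any_success = True
        if control == "sufficient" and ok and not required_failed:
            return True, trace             # sufficient short-circuits on success
    return (not required_failed) and any_success, trace


if __name__ == "__main__":
    stacks = parse(PAM_CONF)
    ldap_down = {"pam_ldap": False, "pam_unix": True,
                 "pam_unix_auth": True, "pam_dial_auth": True}
    for svc in ("login", "sshd"):
        result, trace = evaluate(stacks[(svc, "auth")], ldap_down)
        print(f"{svc} with LDAP down -> {'ALLOW' if result else 'DENY'}")
        print("  " + "\n  ".join(trace))
```

Run as-is it shows the `login` stack denying a local user whenever `pam_ldap` is `required` and unreachable, while the `sshd` stack (pam_ldap `sufficient`, pam_unix_auth `required`) lets the local password decide; the same walk can be repeated for any other service in the posted file.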
