Re: SSH authentication via PAM

From: Gerald C. (list_at_psycho-hazard.net)
Date: 03/01/04

  • Next message: Dave Howe: "Re: SSH with OpenSSH and Putty - Please Help!"
    Date: Mon, 1 Mar 2004 21:08:28 +0100
    To: secureshell@securityfocus.com
    
    

    Hi,

    First, are you sure that your sshd has PAM support enabled ? The only way i
    find now to check it is a (dirty) strings /usr/sbin/sshd | grep PAM
    Next, did you specified in you sshd_config:

    # Set this to 'yes' to enable PAM authentication (via challenge-response)
    # and session processing. Depending on your PAM configuration, this may
    #UsePAM yes

    or

    PAMAuthenticationViaKbdInt yes

    (depending on version, see man sshd_config)

    Then, when writting the /etc/pam.d/ssh, keep in mind that the 4 sections of
    the pam configuration file must be ok (auth,account,session,password). If one
    of the step fails, the whole authentification fail (correct me if i'm wrong).

    And then, when i ssh localhost, i can see on my /var/log/auth.log:

    Mar 1 21:04:23 jail ssh(pam_unix)[16063]: session opened for user binarym by
    (uid=1000)
    Mar 1 21:04:38 jail ssh(pam_unix)[16063]: session closed for user binarym

    Whishing this message will help you,

    Gérald.

    Le Mon, Mar 01, 2004 at 10:57:25AM -0700, Cook, Garry a écrit:
    > I'm attempting to integrate SSH with Pluggable Authentication Modules on
    > a Linux host. Specifically, I'm using pam_tacplus to authenticate users
    > via a Cisco ACS server. My problem is that the ACS has usernames
    > different from those on the Linux host. I've setup the sshd config in
    > /etc/pam.d/ to call the pam_tacplus module for authentication, although
    > it appears as though SSH first checks the username against /etc/passwd
    > or /etc/shadow to verify that I am a legitimate user. Debug output from
    > /var/log/secure shows this:
    >
    > Feb 29 23:49:04 netmon2 sshd[7158]: Illegal user foo.bar from
    > 172.16.100.40
    > Feb 29 23:49:10 netmon2 sshd[7158]: pam_sm_authenticate: called
    > (pam_tacplus v1.2.9)
    > Feb 29 23:49:10 netmon2 sshd[7158]: pam_sm_authenticate: user [NOUSER]
    > obtained
    >
    > SSH tests the username against legitimate users on localhost and reports
    > that my username is illegal, so it then passes 'NOUSER' to the ACS via
    > pam_sm_authenticate.
    >
    > Is there any way to disable this test and have a username correctly
    > passed to pam_sm_authenticate? I've read all the man pages and FAQs that
    > I can get my hands on, and googled quite extensively. I'm either missing
    > something or else there is very little information out there pertaining
    > to this issue.
    >
    > Perhaps there is a better way than attempting to disable this test?
    >
    > Any insight would be greatly appreciated.
    >
    > Garry W. Cook, CCNA
    > Network Infrastructure Manager
    > MACTEC, Inc. - http://www.mactec.com/
    > 303.308.6228 (Office) - 720.220.1862 (Mobile)

    -- 
    Gérald Colangelo
    list at psycho-hazard dot net
    http://psycho-hazard.net/~binarym/
    

  • Next message: Dave Howe: "Re: SSH with OpenSSH and Putty - Please Help!"

    Relevant Pages

    • Re: OpenSSH and pam_krb5
      ... > with GSSAPI and PAM authentication. ... this data is present in a separate process (the "authentication ... application (ie sshd). ...
      (SSH)
    • Re: OpenSSH 3.8 Released
      ... >the login works without needing a keylogin. ... >PAM routines authenticate the user without doing a keylogin. ... Here's where it comes off the rails: for various reasons, in sshd the ... actual PAM authentication is done in an authentication "thread" that is ...
      (comp.security.ssh)
    • Re: sshd: PAM + key authentication
      ... To realize this, I used PAM. ... Then, via PAM and the host attribute in the LDAP DB, I only ... I used password authentication. ... it seems sshd ignores PAM when someone ...
      (freebsd-questions)
    • Re: sshd: PAM + key authentication
      ... I set up a some sshd servers which authenticates their users ... Then, via PAM and the host attribute in the LDAP DB, I ... with key authentication, and could log in... ...
      (freebsd-questions)
    • Re: PAM changing user name
      ... >bypassing at least some of sshd's account validity checks. ... My thinking is that those checks should be done *after* the PAM ... authentication, ... sshd validity checks could be implemented (ssh-specifically if so ...
      (comp.security.ssh)