Re: SSH authentication via PAM
From: Gerald C. (list_at_psycho-hazard.net)
Date: 03/01/04
- Previous message: Jim Conner: "RE: SSH with OpenSSH and Putty - Please Help!"
- Maybe in reply to: Cook, Garry: "SSH authentication via PAM"
- Next in thread: Cook, Garry: "RE: SSH authentication via PAM"
Date: Mon, 1 Mar 2004 21:08:28 +0100
To: secureshell@securityfocus.com
Hi,
First, are you sure that your sshd has PAM support enabled? The only way I
find now to check it is a (dirty) strings /usr/sbin/sshd | grep PAM
Next, did you specify in your sshd_config:
# Set this to 'yes' to enable PAM authentication (via challenge-response)
# and session processing. Depending on your PAM configuration, this may
#UsePAM yes
or
PAMAuthenticationViaKbdInt yes
(depending on version, see man sshd_config)
Then, when writing the /etc/pam.d/ssh, keep in mind that the 4 sections of
the pam configuration file must be ok (auth, account, session, password). If one
of the steps fails, the whole authentication fails (correct me if I'm wrong).
And then, when I ssh localhost, I can see in my /var/log/auth.log:
Mar 1 21:04:23 jail ssh(pam_unix)[16063]: session opened for user binarym by
(uid=1000)
Mar 1 21:04:38 jail ssh(pam_unix)[16063]: session closed for user binarym
Wishing this message will help you,
Gérald.
On Mon, Mar 01, 2004 at 10:57:25AM -0700, Cook, Garry wrote:
> I'm attempting to integrate SSH with Pluggable Authentication Modules on
> a Linux host. Specifically, I'm using pam_tacplus to authenticate users
> via a Cisco ACS server. My problem is that the ACS has usernames
> different from those on the Linux host. I've set up the sshd config in
> /etc/pam.d/ to call the pam_tacplus module for authentication, although
> it appears as though SSH first checks the username against /etc/passwd
> or /etc/shadow to verify that I am a legitimate user. Debug output from
> /var/log/secure shows this:
>
> Feb 29 23:49:04 netmon2 sshd[7158]: Illegal user foo.bar from
> 172.16.100.40
> Feb 29 23:49:10 netmon2 sshd[7158]: pam_sm_authenticate: called
> (pam_tacplus v1.2.9)
> Feb 29 23:49:10 netmon2 sshd[7158]: pam_sm_authenticate: user [NOUSER]
> obtained
>
> SSH tests the username against legitimate users on localhost and reports
> that my username is illegal, so it then passes 'NOUSER' to the ACS via
> pam_sm_authenticate.
>
> Is there any way to disable this test and have a username correctly
> passed to pam_sm_authenticate? I've read all the man pages and FAQs that
> I can get my hands on, and googled quite extensively. I'm either missing
> something or else there is very little information out there pertaining
> to this issue.
>
> Perhaps there is a better way than attempting to disable this test?
>
> Any insight would be greatly appreciated.
>
> Garry W. Cook, CCNA
> Network Infrastructure Manager
> MACTEC, Inc. - http://www.mactec.com/
> 303.308.6228 (Office) - 720.220.1862 (Mobile)
--
Gérald Colangelo
list at psycho-hazard dot net
http://psycho-hazard.net/~binarym/
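The two configuration checks from the reply above (an active UsePAM or PAMAuthenticationViaKbdInt line in sshd_config, and all four management groups present in the pam.d file), as an added example that is not from the list post. It runs against constructed sample files under a temporary directory rather than the real /etc paths; the function names and sample contents are assumptions.

```shell
#!/bin/sh
# Added example, not from the list post: checks two of the points in the reply
# against constructed sample files so it runs offline. Paths under $tmp are constructed.

# Print the first active (uncommented) PAM keyword in an sshd_config, as
# "Keyword=value", or "none". sshd uses the first occurrence of a keyword, and
# a line such as "#UsePAM yes" is only a comment, so it does not count.
sshd_pam_setting() {
    awk 'tolower($1) == "usepam" || tolower($1) == "pamauthenticationviakbdint" {
             print $1 "=" $2; found = 1; exit }
         END { if (!found) print "none" }' "$1"
}

# Report which of the four PAM management groups (auth, account, session,
# password) a pam.d file lacks: prints "ok" or "missing: <groups>".
# "-auth" style optional entries count; "@include" lines are not followed.
pam_missing_groups() {
    missing=""
    for group in auth account session password; do
        if ! awk -v g="$group" \
              '$1 !~ /^#/ && ($1 == g || $1 == "-" g) { found = 1 } END { exit !found }' "$1"
        then
            missing="$missing $group"
        fi
    done
    [ -z "$missing" ] && echo ok || echo "missing:$missing"
}

tmp=$(mktemp -d)
# constructed sample: a default sshd_config leaves UsePAM commented out
printf '#UsePAM yes\nPort 22\n' > "$tmp/sshd_config.default"
printf 'UsePAM yes\nPort 22\n' > "$tmp/sshd_config.fixed"
# constructed sample: /etc/pam.d/ssh with the password group missing
cat > "$tmp/ssh.incomplete" <<'EOF'
auth       required   pam_unix.so
account    required   pam_unix.so
session    required   pam_unix.so
EOF
cat > "$tmp/ssh.complete" <<'EOF'
auth       required   pam_unix.so
account    required   pam_unix.so
session    required   pam_unix.so
password   required   pam_unix.so
EOF

echo "default sshd_config: $(sshd_pam_setting "$tmp/sshd_config.default")"  # none
echo "fixed sshd_config:   $(sshd_pam_setting "$tmp/sshd_config.fixed")"    # UsePAM=yes
echo "incomplete pam file: $(pam_missing_groups "$tmp/ssh.incomplete")"     # missing: password
echo "complete pam file:   $(pam_missing_groups "$tmp/ssh.complete")"       # ok
```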