Re: SSH authentication via PAM

From: Gerald C. (list_at_psycho-hazard.net)
Date: 03/01/04

    Date: Mon, 1 Mar 2004 21:08:28 +0100
    To: secureshell@securityfocus.com

    Hi,

    First, are you sure that your sshd has PAM support enabled? The only way I
    find now to check it is a (dirty) strings /usr/sbin/sshd | grep PAM
    Next, did you specify in your sshd_config:

    # Set this to 'yes' to enable PAM authentication (via challenge-response)
    # and session processing. Depending on your PAM configuration, this may
    UsePAM yes

    or

    PAMAuthenticationViaKbdInt yes

    (depending on version, see man sshd_config)

    Then, when writing the /etc/pam.d/ssh, keep in mind that the 4 sections of
    the pam configuration file must be ok (auth, account, session, password). If one
    of the steps fails, the whole authentication fails (correct me if I'm wrong).

    And then, when I ssh localhost, I can see in my /var/log/auth.log:

    Mar 1 21:04:23 jail ssh(pam_unix)[16063]: session opened for user binarym by
    (uid=1000)
    Mar 1 21:04:38 jail ssh(pam_unix)[16063]: session closed for user binarym

    Wishing this message will help you,

    Gérald.

    On Mon, Mar 01, 2004 at 10:57:25AM -0700, Cook, Garry wrote:
    > I'm attempting to integrate SSH with Pluggable Authentication Modules on
    > a Linux host. Specifically, I'm using pam_tacplus to authenticate users
    > via a Cisco ACS server. My problem is that the ACS has usernames
    > different from those on the Linux host. I've set up the sshd config in
    > /etc/pam.d/ to call the pam_tacplus module for authentication, although
    > it appears as though SSH first checks the username against /etc/passwd
    > or /etc/shadow to verify that I am a legitimate user. Debug output from
    > /var/log/secure shows this:
    >
    > Feb 29 23:49:04 netmon2 sshd[7158]: Illegal user foo.bar from
    > 172.16.100.40
    > Feb 29 23:49:10 netmon2 sshd[7158]: pam_sm_authenticate: called
    > (pam_tacplus v1.2.9)
    > Feb 29 23:49:10 netmon2 sshd[7158]: pam_sm_authenticate: user [NOUSER]
    > obtained
    >
    > SSH tests the username against legitimate users on localhost and reports
    > that my username is illegal, so it then passes 'NOUSER' to the ACS via
    > pam_sm_authenticate.
    >
    > Is there any way to disable this test and have a username correctly
    > passed to pam_sm_authenticate? I've read all the man pages and FAQs that
    > I can get my hands on, and googled quite extensively. I'm either missing
    > something or else there is very little information out there pertaining
    > to this issue.
    >
    > Perhaps there is a better way than attempting to disable this test?
    >
    > Any insight would be greatly appreciated.
    >
    > Garry W. Cook, CCNA
    > Network Infrastructure Manager
    > MACTEC, Inc. - http://www.mactec.com/
    > 303.308.6228 (Office) - 720.220.1862 (Mobile)

    -- 
    Gérald Colangelo
    list at psycho-hazard dot net
    http://psycho-hazard.net/~binarym/
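The two checks Gérald walks through (PAM really turned on in sshd_config, and all four management groups present in the PAM service file) as a small script. This is an added example, not code from either poster; the sample sshd_config and pam.d files it writes to a temp directory are constructed for illustration, and the `@include common-*` handling assumes Debian-style PAM files.

```shell
#!/bin/sh
# Added example (not from the list post). Two checks a defender would run before
# blaming a PAM module: is PAM enabled in sshd_config at all, and does the
# /etc/pam.d/ssh service file carry every management group sshd will call?

# pam_enabled_in_sshd_config FILE -> exit 0 if an uncommented "UsePAM yes" (or
# "PAMAuthenticationViaKbdInt yes" on older OpenSSH) is present, 1 otherwise.
# The shipped default "#UsePAM yes" is a comment and therefore counts as off.
pam_enabled_in_sshd_config() {
    grep -Eiq '^[[:space:]]*(UsePAM|PAMAuthenticationViaKbdInt)[[:space:]]+yes' "$1"
}

# pam_groups_missing FILE -> prints each of auth/account/session/password that
# has no entry in the service file, one per line (nothing when all are there).
# A Debian "@include common-<group>" line counts as an entry for that group.
pam_groups_missing() {
    for group in auth account session password; do
        grep -Eiq "^[[:space:]]*(${group}[[:space:]]|@?include[[:space:]]+[^[:space:]]*${group})" "$1" \
            || echo "$group"
    done
}

# report SSHD_CONFIG PAM_FILE -> prints findings; exit 0 only if both pass.
report() {
    status=0
    if pam_enabled_in_sshd_config "$1"; then echo "$1: PAM enabled"
    else echo "$1: PAM not enabled (UsePAM / PAMAuthenticationViaKbdInt missing or commented)"; status=1; fi
    missing=$(pam_groups_missing "$2")
    if [ -n "$missing" ]; then echo "$2: missing groups:" $missing; status=1
    else echo "$2: all four management groups present"; fi
    return $status
}

# Constructed sample files (hypothetical, not from the post) so this runs offline.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
printf '# Set this to yes to enable PAM authentication\n#UsePAM yes\n' > "$tmp/sshd_config.default"
printf 'UsePAM yes\n' > "$tmp/sshd_config.fixed"
printf '# auth only: the other three groups are missing\nauth required pam_unix.so\n' > "$tmp/pam_ssh.incomplete"
printf 'auth required pam_unix.so\naccount required pam_unix.so\npassword required pam_unix.so\n@include common-session\n' > "$tmp/pam_ssh.complete"

report "$tmp/sshd_config.default" "$tmp/pam_ssh.incomplete" || true
report "$tmp/sshd_config.fixed"   "$tmp/pam_ssh.complete"
```

On a real host, run `report /etc/ssh/sshd_config /etc/pam.d/ssh` (or `/etc/pam.d/sshd`, depending on the distribution).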
    
