RE: SSH authentication via PAM
From: Cook, Garry (GWCOOK_at_mactec.com)
Date: 03/01/04
- Previous message: Dave Howe: "Re: SSH with OpenSSH and Putty - Please Help!"
- Maybe in reply to: Cook, Garry: "SSH authentication via PAM"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 1 Mar 2004 13:48:59 -0700
To: <secureshell@securityfocus.com>
Gerald C. wrote:
> Hi,
>
> First, are you sure that your sshd has PAM support enabled?
> The only way I
> find now to check it is a (dirty) strings /usr/sbin/sshd | grep PAM
> Next, did you specify in your sshd_config:
>
> # Set this to 'yes' to enable PAM authentication (via challenge-response)
> # and session processing. Depending on your PAM configuration, this may
> #UsePAM yes
>
> or
>
> PAMAuthenticationViaKbdInt yes
Yes, PAM is enabled using 'PAMAuthenticationViaKbdInt yes' in /etc/ssh/sshd_config
> (depending on version, see man sshd_config)
>
> Then, when writing the /etc/pam.d/ssh, keep in mind that the 4
> sections of the PAM configuration file must be ok
> (auth, account, session, password). If one
> of the steps fails, the whole authentication fails (correct
> me if I'm wrong).
Actually, that's not the way I understand it to work. If you stack several module-types for a particular service (sshd - auth,auth,auth), then all modules in the stack must pass in order for that service to be offered. However, this also depends upon the flags set per service/type and their order in the stack. It's quite possible to pass the authentication but fail for accounting and/or authorization.
Regardless of how PAM works, I won't be able to get any of the module-types to authenticate, authorize, or account if sshd does not pass the username correctly.
>
>
> On Mon, Mar 01, 2004 at 10:57:25AM -0700, Cook, Garry wrote:
>> I'm attempting to integrate SSH with Pluggable Authentication
>> Modules on a Linux host. Specifically, I'm using pam_tacplus to
>> authenticate users via a Cisco ACS server. My problem is that the
>> ACS has usernames different from those on the Linux host. I've setup
>> the sshd config in /etc/pam.d/ to call the pam_tacplus module for
>> authentication, although it appears as though SSH first checks the
>> username against /etc/passwd or /etc/shadow to verify that I am a
>> legitimate user. Debug output from /var/log/secure shows this:
>>
>> Feb 29 23:49:04 netmon2 sshd[7158]: Illegal user foo.bar from 172.16.100.40
>> Feb 29 23:49:10 netmon2 sshd[7158]: pam_sm_authenticate: called (pam_tacplus v1.2.9)
>> Feb 29 23:49:10 netmon2 sshd[7158]: pam_sm_authenticate: user [NOUSER] obtained
>>
>> SSH tests the username against legitimate users on localhost and
>> reports that my username is illegal, so it then passes 'NOUSER' to
>> the ACS via pam_sm_authenticate.
>>
>> Is there any way to disable this test and have a username correctly
>> passed to pam_sm_authenticate? I've read all the man pages and FAQs
>> that I can get my hands on, and googled quite extensively. I'm
>> either missing something or else there is very little information
>> out there pertaining to this issue.
>>
>> Perhaps there is a better way than attempting to disable this test?
>>
>> Any insight would be greatly appreciated.
>>
>> Garry W. Cook, CCNA
>> Network Infrastructure Manager
>> MACTEC, Inc. - http://www.mactec.com/
>> 303.308.6228 (Office) - 720.220.1862 (Mobile)
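As an added example, not part of this thread or of any of the posters' configurations: a small Python simulation of the PAM control-flag rules Garry describes above (required, requisite, sufficient, optional), walked over a constructed sshd-style stack. The module names, their pass/fail results and the simplified flag semantics are assumptions for the demo, not taken from the poster's real /etc/pam.d/sshd.

```python
"""Simulate how Linux-PAM walks one module stack (auth, account, session)
using the control flags required / requisite / sufficient / optional."""

# Constructed sshd-style PAM file for the demo; it is not the poster's config.
SAMPLE_PAM_SSHD = """\
# type     control     module
auth       sufficient  pam_tacplus.so
auth       required    pam_unix.so
account    required    pam_unix.so
session    required    pam_limits.so
"""

def parse_stacks(text):
    """Return {module_type: [(control, module), ...]} in file order."""
    stacks = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        mtype, control, module = line.split()[:3]
        stacks.setdefault(mtype, []).append((control, module))
    return stacks

def run_stack(stack, results):
    """Evaluate one stack; `results` maps module name -> True/False (PAM result).
    Simplified Linux-PAM rules: requisite failure aborts at once, required
    failure is remembered but the walk continues, sufficient success ends the
    walk early unless a required module already failed, and optional modules
    only count when the stack holds nothing else."""
    if not stack:
        return False                      # nothing to grant access
    if all(c == "optional" for c, _ in stack):
        return results.get(stack[-1][1], False)
    required_failed = False
    for control, module in stack:
        ok = results.get(module, False)   # unknown module treated as failing
        if control == "requisite" and not ok:
            return False
        if control == "required" and not ok:
            required_failed = True
        if control == "sufficient" and ok and not required_failed:
            return True
    return not required_failed

def evaluate(pam_text, results):
    """Run the auth, account and session stacks independently, as PAM does."""
    stacks = parse_stacks(pam_text)
    return {t: run_stack(stacks.get(t, []), results)
            for t in ("auth", "account", "session")}
```

With TACACS+ accepting the user but pam_unix failing (no local entry), the auth stack passes while account fails, which is the split Garry describes. Swapping the two auth lines makes auth fail as well, showing that order in the stack matters.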