Re: Solaris + OpenSSH + LDAP + PAM

From: Derek Harkness (dharknes_at_umd.umich.edu)
Date: 04/02/04

  • Next message: Darren Tucker: "Re: Solaris + OpenSSH + LDAP + PAM"
    Date: Thu, 1 Apr 2004 20:49:28 -0500
    To: Darren Tucker <dtucker@zip.com.au>
    
    

    Cool, thanks! So this is ultimately more of a client problem? Since the
    client should automatically select different authentication methods
    based on what the server says.

    Unfortunately getpwnam()/getspnam() don't return anything on my system
    since I'm using LDAP and I haven't given root the ability to retrieve
    password information. So PAM really is the only way to get that
    information.

    Thanks for all the help!
    Derek

    On Apr 1, 2004, at 8:35 PM, Darren Tucker wrote:

    > Derek Harkness wrote:
    >> I downgraded ssh to 3.4p1+patches and everything works fine.
    >> But it seems that 3.8 isn't passing the password information to pam
    >> correctly, at least on Solaris. I'll upgrade my Linux box to 3.8 and
    >> see if it has the same problem.
    >
    > PAM behaves differently starting at 3.7p1. In order to use PAM to
    > authenticate, you *must* use keyboard-interactive (sshv2) or TIS
    > Challenge-response (sshv1) for OpenSSH 3.7p1 and newer. Password
    > authentication will use getpwnam()/getspnam() and not PAM.
    >
    > --
    > Darren Tucker (dtucker at zip.com.au)
    > GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    > Good judgement comes with experience. Unfortunately, the experience
    > usually comes from bad judgement.
    >
    "This world is a comedy to those who think and a tragedy to those who
    feel."
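
The behaviour described in the quoted reply (password authentication checked through getpwnam()/getspnam(), PAM reached only through keyboard-interactive) can be checked against an sshd_config; this is an added example, not part of the original messages or of OpenSSH. The function names, the sample configurations and the fallback defaults are assumptions made for the illustration.

```python
# Added example: report which sshd authentication methods reach PAM under the
# behaviour stated in the thread for OpenSSH 3.7p1 and newer.

# Assumed values for keywords missing from the file (an assumption; confirm
# against sshd_config(5) for the installed release).
DEFAULTS = {
    "usepam": "no",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
}

def parse_sshd_config(text):
    """Return {keyword: value}, lowercased; the first occurrence of a keyword wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip().lower())
    return settings

def auth_backends(text):
    """Map each enabled method to the backend that verifies the password."""
    cfg = {**DEFAULTS, **parse_sshd_config(text)}
    backends = {}
    if cfg["passwordauthentication"] == "yes":
        # Per the thread: password auth does not go through PAM.
        backends["password"] = "getpwnam()/getspnam()"
    if cfg["challengeresponseauthentication"] == "yes":
        pam = cfg["usepam"] == "yes"
        backends["keyboard-interactive"] = "PAM" if pam else "non-PAM"
    return backends

def pam_reachable(text):
    """True when at least one enabled method is verified by PAM."""
    return "PAM" in auth_backends(text).values()

# Constructed sample configurations, not taken from the thread.
PASSWORD_ONLY = "UsePAM yes\nPasswordAuthentication yes\nChallengeResponseAuthentication no\n"
KBDINT_PAM = "UsePAM yes\nPasswordAuthentication no\nChallengeResponseAuthentication yes\n"

if __name__ == "__main__":
    for name, conf in (("password only", PASSWORD_ONLY), ("kbd-int + PAM", KBDINT_PAM)):
        print(name, auth_backends(conf), "PAM reachable:", pam_reachable(conf))
```

With the first sample, accounts that exist only in LDAP and are not visible to getspnam() cannot log in even though UsePAM is on; the second routes them through the PAM stack.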

