Re: PAM Authentication via ldap *without* disabling PasswordAuthentication (3.7.1 or higher)

zyx_at_stv.sk
Date: 07/20/04

    Date: Tue, 20 Jul 2004 17:55:53 +0200
    To: Eric J Bennett <eric.bennett@itouch.com.au>
    
    

    Hi Eric, hi All,

    We have the same problem with PasswordAuthentication/pam_ldap.
    I spent a lot of time debugging this, but without any result...

    Peter

    On Tue, Jul 20, 2004 at 11:44:07AM +1000, Eric J Bennett wrote:
    > Hi guys,
    >
    > I've googled extensively on this issue without really finding an
    > acceptable answer, it appears that after OpenSSH 3.7.1 UsePAM implicitly
    > disables PasswordAuthentication? Is it possible to run proper pam
    > authentication and use the PasswordAuthentication method? I ask because
    > of sites that have legacy systems running ssh clients which do not
    > support password challenge / response encryption that seems to replace
    > the old method, and there appears to be no way to actually enable
    > password authentication, and at the same time use PAM?
    >
    > Just in case I'm just missing something and it is possible but my config
    > is wrong, I have included my files.
    >
    > Regards
    > Eric
    >
    >
    >
    > /etc/ssh/sshd_config
    > Protocol 2,1
    > SyslogFacility AUTH
    > PermitRootLogin no
    > PasswordAuthentication yes
    > UsePAM yes
    > X11Forwarding yes
    > UsePrivilegeSeparation no
    > Subsystem sftp /usr/libexec/openssh/sftp-server
    >
    >
    > /etc/pam.d/sshd
    > #%PAM-1.0
    > auth sufficient /lib/security/pam_ldap.so
    > auth required /lib/security/pam_pwdb.so shadow nodelay
    > auth required /lib/security/pam_nologin.so
    > account required /lib/security/pam_pwdb.so
    > password required /lib/security/pam_cracklib.so
    > password required /lib/security/pam_pwdb.so shadow nullok use_authtok
    > session required /lib/security/pam_pwdb.so
    > session required /lib/security/pam_limits.so
    >

