PAM auth and account with openssh

From: Victor Engle (vic_at_summerseas.com)
Date: 01/28/05

    Date: Fri, 28 Jan 2005 08:27:17 -0500
    To: SSH list <secureshell@securityfocus.com>

    Hi,

    I have a Sun LDAP server version 5.2 that I am using as a Solaris naming
    service. Everything is working as expected except for a problem with
    sshd and PAM. With the following entries in pam.conf everything works
    well, except that password expiration from the LDAP server is ignored.

    sshd auth requisite pam_authtok_get.so.1
    sshd auth required pam_dhkeys.so.1
    sshd auth sufficient pam_unix_auth.so.1
    sshd auth required pam_ldap.so.1 try_first_pass
    sshd account required pam_unix_account.so.1

    If I use the following entries in pam.conf everything works including
    password expiration unless I use a public key for authentication. If I
    have a public key in place I am unable to log in. I get prompted for a
    password and that fails. If I remove the public key I am prompted for a
    password and get successfully authenticated.

    sshd auth requisite pam_authtok_get.so.1
    sshd auth required pam_dhkeys.so.1
    sshd auth sufficient pam_unix_auth.so.1
    sshd auth required pam_ldap.so.1 try_first_pass
    sshd account sufficient pam_ldap.so.1
    sshd account binding pam_unix_account.so.1 server_policy

    Here is the ssh client debug output from trying to login with the public
    key and the above pam.conf entries.

    [vengle@datamart-->]ssh -v sniper
    OpenSSH_3.9p1, OpenSSL 0.9.7e 25 Oct 2004
    debug1: Reading configuration data /usr/local/etc/ssh_config
    debug1: Connecting to sniper [66.43.143.232] port 22.
    debug1: Connection established.
    debug1: identity file /home/vengle/.ssh/identity type -1
    debug1: identity file /home/vengle/.ssh/id_rsa type 1
    debug1: identity file /home/vengle/.ssh/id_dsa type -1
    debug1: Remote protocol version 1.99, remote software version OpenSSH_3.9p1
    debug1: match: OpenSSH_3.9p1 pat OpenSSH*
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_3.9p1
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: server->client aes128-cbc hmac-md5 none
    debug1: kex: client->server aes128-cbc hmac-md5 none
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
    debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    debug1: Host 'sniper' is known and matches the RSA host key.
    debug1: Found key in /home/vengle/.ssh/known_hosts:3
    debug1: ssh_rsa_verify: signature correct
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue:
    publickey,password,keyboard-interactive
    debug1: Next authentication method: publickey
    debug1: Trying private key: /home/vengle/.ssh/identity
    debug1: read PEM private key done: type RSA
    debug1: Authentications that can continue:
    publickey,password,keyboard-interactive
    debug1: Offering public key: /home/vengle/.ssh/id_rsa
    debug1: Server accepts key: pkalg ssh-rsa blen 149
    debug1: read PEM private key done: type RSA
    debug1: Authentications that can continue:
    publickey,password,keyboard-interactive
    debug1: Trying private key: /home/vengle/.ssh/id_dsa
    debug1: Next authentication method: keyboard-interactive
    Password:

    The server accepts the key but continues to try to authenticate me. Any
    help or direction would be greatly appreciated.

    Thanks,
    Vic Engle
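
    The two pam.conf fragments in the message above differ only in the account
    stack, and the symptom depends on how Solaris combines the control flags
    (requisite, required, sufficient, binding) with what each module returns.
    The following is an added example, not part of the original message and not
    code from the poster's system: a small evaluator that parses Solaris-style
    pam.conf lines and walks one management stack under the rules documented in
    pam.conf(4), using hypothetical per-module results. The scenario names and
    the True/False results are constructed assumptions; in particular the
    "public-key login" scenario simply assumes pam_ldap's account check fails
    when no password token is available, which is an assumption about that
    module and not something the debug output above proves. Comparing the
    scenarios separates what the control flags decide from what the modules
    themselves must be returning for a login to be refused.

```python
"""Evaluate Solaris-style pam.conf stacks under the pam.conf(4) control-flag rules.

Added example for the sshd/pam_ldap thread; module results are constructed
assumptions, not observations from the poster's system.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# The two pam.conf fragments quoted in the post (service type control module options).
PAM_CONF_ORIGINAL = """
sshd auth requisite pam_authtok_get.so.1
sshd auth required pam_dhkeys.so.1
sshd auth sufficient pam_unix_auth.so.1
sshd auth required pam_ldap.so.1 try_first_pass
sshd account required pam_unix_account.so.1
"""

PAM_CONF_LDAP_ACCOUNT = """
sshd auth requisite pam_authtok_get.so.1
sshd auth required pam_dhkeys.so.1
sshd auth sufficient pam_unix_auth.so.1
sshd auth required pam_ldap.so.1 try_first_pass
sshd account sufficient pam_ldap.so.1
sshd account binding pam_unix_account.so.1 server_policy
"""


@dataclass
class Entry:
    service: str
    mgmt_type: str      # auth, account, session, password
    control: str        # requisite, required, sufficient, binding, optional
    module: str
    options: Tuple[str, ...]


def parse_pam_conf(text: str) -> List[Entry]:
    """Parse Solaris pam.conf lines; '#' starts a comment, blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"malformed pam.conf line: {raw!r}")
        entries.append(Entry(fields[0], fields[1], fields[2].lower(), fields[3], tuple(fields[4:])))
    return entries


def evaluate_stack(entries: List[Entry], service: str, mgmt_type: str,
                   results: Dict[str, bool]) -> Tuple[str, str]:
    """Walk one stack and return (outcome, module that decided it).

    results maps module name -> True (PAM_SUCCESS) or False (any error);
    modules absent from results are assumed to succeed.
    Rules per pam.conf(4):
      requisite:  failure returns at once (an earlier recorded failure wins).
      required:   failure is recorded, the stack keeps running.
      sufficient: success with no recorded failure returns success at once; failure is ignored.
      binding:    like sufficient on success, but a failure is recorded like required.
      optional:   only counts if it is the sole module in the stack.
    """
    stack = [e for e in entries if e.service == service and e.mgmt_type == mgmt_type]
    if not stack:
        raise ValueError(f"no {mgmt_type} stack for service {service}")
    first_failure = None
    for e in stack:
        ok = results.get(e.module, True)
        if e.control == "requisite":
            if not ok:
                return ("failure", first_failure or e.module)
        elif e.control == "required":
            if not ok and first_failure is None:
                first_failure = e.module
        elif e.control in ("sufficient", "binding"):
            if ok and first_failure is None:
                return ("success", e.module)
            if not ok and e.control == "binding" and first_failure is None:
                first_failure = e.module
        elif e.control == "optional":
            if not ok and len(stack) == 1:
                first_failure = e.module
        else:
            raise ValueError(f"unknown control flag {e.control!r}")
    if first_failure is not None:
        return ("failure", first_failure)
    return ("success", stack[-1].module)


def account_outcomes() -> Dict[Tuple[str, str], Tuple[str, str]]:
    """Run both account stacks from the post against constructed module results."""
    scenarios = {  # hypothetical results, not measured on the poster's host
        "password login, LDAP account ok":    {"pam_ldap.so.1": True,  "pam_unix_account.so.1": True},
        "public-key login, LDAP check fails": {"pam_ldap.so.1": False, "pam_unix_account.so.1": True},
        "both account modules fail":          {"pam_ldap.so.1": False, "pam_unix_account.so.1": False},
    }
    out = {}
    for name, conf in (("original", PAM_CONF_ORIGINAL), ("ldap_account", PAM_CONF_LDAP_ACCOUNT)):
        entries = parse_pam_conf(conf)
        for scenario, res in scenarios.items():
            out[(name, scenario)] = evaluate_stack(entries, "sshd", "account", res)
    return out


if __name__ == "__main__":
    for key, outcome in account_outcomes().items():
        print(f"{key[0]:13s} {key[1]:36s} -> {outcome[0]} (decided by {outcome[1]})")
```

    Under these rules a pam_ldap failure marked sufficient is simply skipped,
    so the second account stack can only refuse a login if pam_unix_account
    (the binding entry) itself returns an error; that is the module to look at
    when reproducing the public-key case.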

