LDAP and OpenSSH

From: Steve Bassler (sbassle_at_alleghenyenergy.com)
Date: 06/02/04

    Date: 2 Jun 2004 11:49:13 -0700


    We are installing an LDAP server for AIX and Solaris login
    authentication. (FWIW, the LDAP server is IBM's Directory Server,
    v5.1.) On Solaris, we have no trouble authenticating with either
    telnet or SSH. On an AIX 5.2.02 client, using the LDAP client bundled
    with Directory Server, we've run into a problem. Telnet gets through,
    but SSH is refused.

    Running PuTTY with Pageant on a Windows workstation, user <xxxx> gets
    prompted for his password (twice) and finally receives the following
    error:
    Server sent disconnect message
    type 2 (SSH_DISCONNECT_PROTOCOL_ERROR):
    "Too many authentication failures for <xxxx>"

    Attempting to log in from another AIX server with "ssh -vvv <hostname>"
    and ForwardAgent set to yes, we get (extracting what looks like the
    relevant text):
    debug1: Found key in /home/<xxxx>/.ssh/known_hosts:1
    debug2: bits set: 1611/3191
    debug1: ssh_rsa_verify: signature correct
    debug2: kex_derive_keys
    debug2: set_newkeys: mode 1
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug2: set_newkeys: mode 0
    debug1: SSH2_MSG_NEWKEYS received
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug2: service_accept: ssh-userauth
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug2: key: /home/<xxxx>/.ssh/id_rsa (20034b98)
    debug2: key: /home/<xxxx>/.ssh/identity (0)
    debug2: key: /home/<xxxx>/.ssh/id_dsa (0)
    debug1: Authentications that can continue:
    publickey,password,keyboard-interactive
    debug3: start over, passed a different list
    publickey,password,keyboard-interactive
    debug3: preferred publickey,keyboard-interactive,password
    debug3: authmethod_lookup publickey
    debug3: remaining preferred: keyboard-interactive,password
    debug3: authmethod_is_enabled publickey
    debug1: Next authentication method: publickey
    debug1: Offering public key: /home/<xxxx>/.ssh/id_rsa
    debug3: send_pubkey_test
    debug2: we sent a publickey packet, wait for reply
    debug1: Authentications that can continue:
    publickey,password,keyboard-interactive
    debug1: Trying private key: /home/<xxxx>/.ssh/identity
    debug3: no such identity: /home/<xxxx>/.ssh/identity
    debug1: Trying private key: /home/<xxxx>/.ssh/id_dsa
    debug3: no such identity: /home/<xxxx>/.ssh/id_dsa
    debug2: we did not send a packet, disable method
    debug3: authmethod_lookup keyboard-interactive
    debug3: remaining preferred: password
    debug3: authmethod_is_enabled keyboard-interactive
    debug1: Next authentication method: keyboard-interactive

    In the syslog, we get the following series of messages:
    Jun 2 13:47:46 <hostname> sshd[15984]: Password can't be changed for
    user <xxxx>: 3004-619 Security method "LDAP" could not be loaded.
    Jun 2 13:47:46 <hostname> sshd[9120]: Illegal user <xxxx> from
    <nn.nn.nn.nn>
    Jun 2 13:47:46 <hostname> syslog: ssh: failed login attempt for
    UNKNOWN_USER from <hostname>
    Jun 2 13:47:46 <hostname> sshd[9120]: Failed none for illegal user
    <xxxx> from <nn.nn.nn.nn> port 4167 ssh2
    Jun 2 13:47:49 <hostname> sshd[9120]: Failed password for illegal
    user <xxxx> from <nn.nn.nn.nn> port 4167 ssh2
    Jun 2 13:47:49 <hostname> syslog: ssh: failed login attempt for
    UNKNOWN_USER from <hostname>

    I have no idea why it appears to be trying to change the password. I
    know it is not expired. User <xxxx> is set up with SYSTEM = "ldap or
    compat" and registry = LDAP in /etc/security/user.

    ssh -V returns:
    OpenSSH_3.7.1p1-pwexp24, SSH protocols 1.5/2.0, OpenSSL 0.9.6c 21 dec 2001
    (That's Darren Tucker's password expiration patch.)

    Any help would be appreciated.

    Thanks,
    Steve
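
    Added example (not from the post, and not OpenSSH or IBM code): a small Python triage script for syslog lines of the shape shown above. It groups sshd messages by child pid (one pid per client connection) and separates the AIX 3004-619 "security method could not be loaded" message from the per-connection "Illegal user" / "Failed <method>" sequence. The sample log, user name, host and client address are constructed placeholders standing in for the <xxxx>, <hostname> and <nn.nn.nn.nn> values in the post.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the post's syslog excerpt; the user name,
# host and client address are invented placeholders.
SAMPLE_LOG = """\
Jun 2 13:47:46 aixhost sshd[15984]: Password can't be changed for user jdoe: 3004-619 Security method "LDAP" could not be loaded.
Jun 2 13:47:46 aixhost sshd[9120]: Illegal user jdoe from 192.0.2.10
Jun 2 13:47:46 aixhost syslog: ssh: failed login attempt for UNKNOWN_USER from aixhost
Jun 2 13:47:46 aixhost sshd[9120]: Failed none for illegal user jdoe from 192.0.2.10 port 4167 ssh2
Jun 2 13:47:49 aixhost sshd[9120]: Failed password for illegal user jdoe from 192.0.2.10 port 4167 ssh2
Jun 2 13:47:49 aixhost syslog: ssh: failed login attempt for UNKNOWN_USER from aixhost
"""

# Only sshd's own lines carry pid/user/source detail; "syslog: ssh: ..." lines are skipped.
SSHD_RE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
ILLEGAL_RE = re.compile(r"^Illegal user (?P<user>\S+) from (?P<src>\S+)")
FAILED_RE = re.compile(r"^Failed (?P<method>\S+) for (?P<illegal>illegal user )?"
                       r"(?P<user>\S+) from (?P<src>\S+) port \d+")
BACKEND_RE = re.compile(r'3004-619 Security method "(?P<backend>[^"]+)" could not be loaded')

def analyze_sshd_log(text):
    """Group sshd messages by child pid. Returns (sessions, backend_failures)."""
    sessions = defaultdict(lambda: {"user": None, "src": None, "illegal": False, "failed": []})
    backend_failures = []  # (pid, backend name) for each AIX 3004-619 message
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if not m:
            continue
        pid, msg = int(m.group("pid")), m.group("msg")
        if (b := BACKEND_RE.search(msg)):
            backend_failures.append((pid, b.group("backend")))
        elif (i := ILLEGAL_RE.match(msg)):
            sessions[pid].update(user=i.group("user"), src=i.group("src"), illegal=True)
        elif (f := FAILED_RE.match(msg)):
            s = sessions[pid]
            s.update(user=f.group("user"), src=f.group("src"))
            s["illegal"] = s["illegal"] or bool(f.group("illegal"))  # "illegal user" == lookup failed
            s["failed"].append(f.group("method"))
    return dict(sessions), backend_failures

def findings(text):
    """Plain-language triage lines: backend load failures first, then unresolved-account connections."""
    sessions, backend_failures = analyze_sshd_log(text)
    out = [f"pid {pid}: name service backend '{name}' failed to load" for pid, name in backend_failures]
    for pid, s in sessions.items():
        if s["illegal"]:
            out.append(f"pid {pid}: account '{s['user']}' from {s['src']} could not be resolved "
                       f"(lookup failure, not a bad password); methods tried: {', '.join(s['failed'])}")
    return out
```

In OpenSSH, "Illegal user" means sshd could not look the account up at all, so when it appears next to the LDAP load-module failure the name-service configuration, not the password, is the first thing to check.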
