OpenSSH, PAM and Host Based Authentication

From: tubabeat (kevin_at_kevinspicer.co.uk)
Date: 12/20/04

  • Next message: Hannes Erven: "Re: Restrict tunnels?"
    Date: 20 Dec 2004 06:12:05 -0800
    
    

    Hello,

    I'm having a few problems getting the above combination to work as
    expected...

    I'm trying to get to a situation where my machines will accept host
    based authentication from each other, but require users to log in
    with a password from elsewhere. I've set up a PAM stack (using
    pam_ldap) that works fine and set up hosts.equiv and
    ssh_known_hosts2. However, with both...

    HostbasedAuthentication yes

    and

    usePam yes

    I am unable to log in from the hosts listed in shosts.equiv. Doing an
    ssh -v -v hostname I see...

    debug2: we sent a hostbased packet, wait for reply
    debug1: Remote: Accepted for myserver.mydomainl [xxx.xxx.xxx.xxx] by \
    /etc/hosts.equiv.

    But still get prompted for a password - even if I enter a correct
    password I'm still not allowed access.

    If I disable HostbasedAuthentication, password based login works fine.
    Likewise, if I set usePAM no, host based authentication works, but
    then my LDAP users cannot authenticate using a password from other
    machines.

    I'm using OpenSSH 3.9.p1 (from the sunfreeware package) on Solaris 9
    sparc with Sun's pam_ldap.

    The non-default sections of my sshd_config follow:

    Protocol 2
    PermitRootLogin no
    HostbasedAuthentication yes
    PasswordAuthentication no
    UsePAM yes
    PrintMotd no
    Banner /usr/local/etc/ssh_banner
    Subsystem sftp /usr/local/libexec/sftp-server

