ssh.com and pam

The short story is that we cannot seem to configure a Linux host using
ssh.com's version of ssh to use LDAP for PAM authentication. We are
successful using OpenSSH.

If anyone has configured SSH.com to use LDAP via PAM, we would
appreciate your contacting us.


The longer version of the problem is:

Problem configuring ssh.com 3.2.9.1 with PAM on SuSE.

We are trying to begin using OpenLDAP for our accounts and to that end
we have created an LDAP server and populated it with some account
information.

On a standard SuSE 9.3 installation, we configured it to get its
account information from our LDAP server. This configuration was done
via the YaST2 tool and was as standard as we could make it.

The OpenSSH server that comes with the distribution does successfully
authenticate users from the LDAP server.

For historical reasons, we have been using the last free version of
ssh from ssh.com: version 3.2.9.1.

We have recompiled ssh.com on this system, making sure that the PAM
libraries are enabled. We then copied the /etc/pam.d/sshd file to
/etc/pam.d/sshd2.

Here are the contents (with all the includes resolved):

auth required pam_env.so
auth required pam_unix2.so
auth required pam_nologin.so
account required pam_unix2.so
password required pam_pwcheck.so nullok
password required pam_unix2.so nullok use_first_pass use_authtok
session required pam_limits.so
session required pam_unix2.so

We configured the ssh.com sshd2 to use keyboard-interactive with the
following options:

AuthKbdInt.NumOptional 0
AuthKbdInt.Optional pam,password
AuthKbdInt.Required PAM
AuthKbdInt.Retries 1

Forcing a connection to use keyboard-interactive, we get prompted for
PAM authentication, which always fails.

Looking at the debug info for the daemon we see the following before
the PAM authentication prompt occurs:

SshUnixUser/sshunixuser.c:408/ssh_login_permitted:
Can't find "user"'s shadow - access denied.

At this point we have not seen any connection to the LDAP server.

A few lines later we see:

auth-kbd-int: User 'user' does not exist, faking real transaction.

This corresponds well to the PAM authentication prompt. There are
connections to the LDAP server at this time and it really appears to
be doing authentication, but the login is still refused.

We have also tried following the specific instructions at ssh.com for
configuring this version to work with PAM. Those instructions use the
pam_unix.so module with some options. In particular:

auth required pam_unix.so shadow nullok

Unfortunately, /lib/security/pam_unix.so is identical to
/lib/security/pam_unix2.so, and doesn't support the "shadow" option.

It appears to us as if the ssh.com sshd2 can use PAM, but that it is
choosing not to during the early part of the authentication, when it
is looking for the user's shadow information.

Any suggestions on further things to try would be most welcome. We are
neither PAM nor LDAP experts, though we have been cramming. We have
certainly tried more things than documented here, but this is already
too long.
--

Thanks in advance for any help.

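Added diagnostic example, not code from the post above or from ssh.com. The daemon's "Can't find user's shadow - access denied" message appears before any PAM prompt and before any LDAP traffic, so the assumption here is that sshd2 resolves the account itself with getpwnam()/getspnam(), which go through NSS (/etc/nsswitch.conf) rather than through PAM. If that assumption holds, an LDAP account has to be served by both the "passwd" and the "shadow" NSS maps before PAM is ever consulted, and the program below reproduces exactly that pair of lookups for a user name given on the command line. The function name, enum and messages are this example's own.

```c
/* Added example: mirror the pre-PAM account lookup that a daemon makes
 * when it reports "Can't find user's shadow".  Assumption: the lookup is
 * getpwnam() followed by getspnam(), both answered by NSS and not by PAM.
 * Build: cc -o shadowcheck shadowcheck.c ; run as root: ./shadowcheck user
 */
#include <errno.h>
#include <pwd.h>
#include <shadow.h>
#include <stdio.h>
#include <string.h>

enum lookup_status {
    LOOKUP_NO_PASSWD = 0, /* getpwnam() found nothing: the NSS passwd map lacks the user */
    LOOKUP_NO_SHADOW = 1, /* passwd entry found but getspnam() failed: the NSS shadow map
                             lacks the user, or the caller is not root (errno == EACCES) */
    LOOKUP_OK        = 2  /* both entries resolved: the daemon's pre-PAM check would pass */
};

/* Performs the two lookups and leaves errno as set by the one that failed. */
enum lookup_status check_user_lookup(const char *user)
{
    struct passwd *pw;
    struct spwd *sp;

    errno = 0;
    pw = getpwnam(user);
    if (pw == NULL)
        return LOOKUP_NO_PASSWD;

    errno = 0;
    sp = getspnam(user);
    if (sp == NULL)
        return LOOKUP_NO_SHADOW;

    return LOOKUP_OK;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s user\n", argv[0]);
        return 2;
    }

    switch (check_user_lookup(argv[1])) {
    case LOOKUP_NO_PASSWD:
        printf("%s: no passwd entry; check the 'passwd:' line in /etc/nsswitch.conf\n",
               argv[1]);
        return 1;
    case LOOKUP_NO_SHADOW:
        printf("%s: passwd entry found but no shadow entry (%s); "
               "check the 'shadow:' line in /etc/nsswitch.conf, and run this as root\n",
               argv[1], errno ? strerror(errno) : "no error reported");
        return 1;
    case LOOKUP_OK:
        printf("%s: passwd and shadow entries both resolve\n", argv[1]);
        return 0;
    }
    return 1;
}
```

From a shell, `getent passwd user` and `getent shadow user` (the latter as root) exercise the same two NSS maps and should agree with the program; if the passwd lookup succeeds but the shadow lookup does not, the daemon's complaint is about NSS configuration, not about the PAM stack in /etc/pam.d/sshd2.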