and pam

The short story is that we cannot seem to configure a Linux host using's version of ssh to use LDAP for PAM authentication. We are
successful using OpenSSH.

If anyone has configured to use LDAP via PAM, we would
appreciate your contacting us.

The longer version of the problem is:

Problem configuring with PAM on SuSE.

We are trying to begin using OpenLDAP for our accounts and to that end
we have created an LDAP server and populated it with some account

On a standard SuSE 9.3 installation, we configured it to get its
account information from our LDAP server. This configuration was done
via the YaST2 tool and was as standard as we could make it.

The OpenSSH server that comes with the distribution does successfully
authenticate users from the LDAP server.

For historical reasons, we have been using the last free version of
ssh from version

We have recompiled on this system, making sure that the PAM
libraries are enabled. We then copied the /etc/pam.d/sshd file to

Here are the contents (with all the includes resolved):

auth required
auth required
auth required
account required
password required nullok
password required nullok use_first_pass
session required
session required

We configured the sshd2 to use keyboard-interactive with the
following options:

AuthKbdInt.NumOptional 0
AuthKbdInt.Optional pam,password
AuthKbdInt.Required PAM
AuthKbdInt.Retries 1

Forcing a connection to use keyboard-interactive, we get prompted for
PAM authentication, which always fails.

Looking at the debug info for the daemon we see the following before
the PAM authentication prompt occurs:

Can't find "user"'s shadow - access denied.

At this point we have not seen any connection to the LDAP server.

A few lines later we see:

auth-kbd-int: User 'user' does not exist, faking real transaction.

This corresponds well to the PAM authentication prompt. There are
connections to the LDAP server at this time and it really appears to
be doing authentication, but the login is still refused.

We have also tried following the specific instructions at for
configuring this version to work with PAM. Those instructions use the module with some options. In particular:

auth required shadow nullok

Unfortunately, /lib/security/ is identical to
/lib/security/, and doesn't support the "shadow" option.

It appears to us as if the sshd2 can use PAM, but that it is
choosing not to during the early part of the authentication, when it
is looking for the user's shadow information.

Any suggestions on further things to try would be most welcome. We are
neither PAM nor LDAP experts, though we have been cramming. We have
certainly tried more things than are documented here, but this is
already too long.

Thanks in advance for any help.
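As an added diagnostic (not part of the original post), assuming getent(1) and /etc/nsswitch.conf are present, this script reports whether a user resolves through the passwd and shadow NSS maps, which helps separate a "can't find the user's shadow" failure in the daemon from a password rejection inside the PAM stack:

```shell
#!/bin/sh
# Added diagnostic, not from the original post. Assumes getent(1) and
# /etc/nsswitch.conf exist. A daemon that looks up the shadow entry
# itself (before PAM runs) needs the "shadow" map to be served by NSS;
# if only "passwd" resolves, PAM is never the component that fails.

# nss_map_sources MAP -> prints the sources configured for MAP
nss_map_sources() {
    awk -v map="$1:" '$1 == map { $1 = ""; sub(/^ /, ""); print; exit }' \
        /etc/nsswitch.conf 2>/dev/null
}

# nss_resolve MAP USER -> exit 0 when MAP returns an entry for USER
nss_resolve() {
    getent "$1" "$2" >/dev/null 2>&1
}

# shadow_lookup_verdict USER -> prints one of:
#   ok           passwd and shadow both resolve
#   passwd-only  account exists but no shadow entry is served
#   unknown      account is not resolvable at all
shadow_lookup_verdict() {
    user="$1"
    if ! nss_resolve passwd "$user"; then
        echo unknown
        return 2
    fi
    if nss_resolve shadow "$user"; then
        echo ok
        return 0
    fi
    echo passwd-only
    return 1
}

# report USER -> human-readable summary of the above checks
report() {
    echo "passwd sources: $(nss_map_sources passwd)"
    echo "shadow sources: $(nss_map_sources shadow)"
    echo "verdict for $1: $(shadow_lookup_verdict "$1")"
}
```

Run as root when checking the shadow map, since unprivileged callers are normally refused shadow entries regardless of the configured source.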

