Gentoo Forums
LDAP and SSH causing problems
HopChop
n00b
Joined: 25 Aug 2002
Posts: 17

PostPosted: Mon Mar 01, 2004 10:39 pm    Post subject: LDAP and SSH causing problems

Hello!

I've been running a server for a while which authenticates a bunch of users via LDAP to my central LDAP server. Last week I was a fool and ran an emerge -u system which I thought worked out just fine. Now I know better; it didn't work as it should. No users can log on to the machine via ssh anymore. They can authenticate via imap and pop3 as well as log in via the console. "getent passwd" shows all users (both files and ldap), so it should work.

Some files:

Code:


/etc/pam.d/sshd
#%PAM-1.0
 
auth       sufficient   /lib/security/pam_ldap.so debug
auth       required     pam_stack.so service=system-auth
auth       required     pam_shells.so
auth       required     pam_nologin.so
account    sufficient   /lib/security/pam_ldap.so
account    required     pam_stack.so service=system-auth
password   sufficient   /lib/security/pam_ldap.so
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth

--------------------------------------------------------------------

Code:

nsswitch.conf

passwd:      files ldap
shadow:      files ldap
group:       files ldap

...


My sshd_config has UsePAM=yes so it should use pam, but doesn't. Any hints on where to look are appreciated!
sunil
n00b
Joined: 03 Mar 2004
Posts: 4

PostPosted: Thu Mar 04, 2004 1:12 pm    Post subject:

Perhaps openldap got updated too, so maybe configuration files got changed because they were not CONFIG_PROTECT'ed.
If you still need password authentication, make sure at least
Code:

UsePAM yes
# the sshd_config keyword is PasswordAuthentication (no "Use" prefix)
PasswordAuthentication yes
PermitEmptyPasswords no

are set (and not commented out, since the default might change during an update). However, using keys is a better solution.

If you see something like
Code:

[sshd] Failed password for user from host

in your log, it's most likely such a problem. You should read instead:
Code:

[sshd] Accepted keyboard-interactive/pam for user from host

or
Code:

[sshd] pam_ldap: error trying to bind as user "uid=user, your dn" (Invalid credentials)
[sshd] error: PAM: Authentication failure
[sshd] Failed keyboard-interactive/pam for user from host


Your /etc/pam.d/sshd looks ok, so I guess it's the above ssh problem. But I'd rather move the LDAP configuration into system-auth and use pam_stack.so instead. Your PAM configuration then might look like:
Code:

#%PAM-1.0
# /etc/pam.d/system-auth

auth       required     /lib/security/pam_nologin.so
auth       required     /lib/security/pam_env.so
auth       sufficient   /lib/security/pam_unix.so likeauth nullok
auth       sufficient   /lib/security/pam_ldap.so use_first_pass
auth       required     /lib/security/pam_deny.so

account    sufficient   /lib/security/pam_unix.so
account    sufficient   /lib/security/pam_ldap.so
account    required     /lib/security/pam_deny.so

password   required     /lib/security/pam_cracklib.so retry=3
password   sufficient   /lib/security/pam_unix.so nullok use_authtok md5 shadow use_first_pass
password   sufficient   /lib/security/pam_ldap.so use_authtok use_first_pass
password   required     /lib/security/pam_deny.so

session    required     /lib/security/pam_limits.so
session    sufficient   /lib/security/pam_ldap.so
session    sufficient   /lib/security/pam_unix.so
session    required     /lib/security/pam_deny.so


Code:

#%PAM-1.0
# /etc/pam.d/sshd

auth       required     pam_stack.so service=system-auth
auth       required     pam_shells.so
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
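To see why the ordering of sufficient and required lines in the stacks above matters, here is a small simulator of the Linux-PAM control-flag rules; it is an added example, not code from the thread or from Linux-PAM. It assumes only the four classic flags, treats pam_stack.so as an include of the named service, and takes each module's verdict (what pam_unix, pam_ldap, pam_shells would return for a given user) as a boolean supplied by the caller.

```python
# Simulator of the Linux-PAM control-flag semantics behind the stacks above.
# Added example, not Linux-PAM's or Gentoo's code. Assumptions: only the four
# classic flags; pam_stack.so modelled as an include; module verdicts given as bools.
def parse_stack(text):
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields:
            mtype, control, module, *args = fields
            entries.append((mtype, control, module.rsplit("/", 1)[-1], args))
    return entries
def run_stack(stacks, service, mtype, verdicts):
    """Evaluate one management group of a service; True means PAM_SUCCESS."""
    required_failed = any_success = False
    for t, control, module, args in stacks[service]:
        if t != mtype:
            continue
        if module == "pam_stack.so":          # substack: its result is this module's result
            sub = [a for a in args if a.startswith("service=")][0].split("=", 1)[1]
            ok = run_stack(stacks, sub, mtype, verdicts)
        else:
            ok = verdicts.get(module, True)   # modules not listed (pam_env, ...): assume success
        if ok:
            any_success = True
            if control == "sufficient" and not required_failed:
                return True                   # short-circuit: the pam_deny line never runs
        elif control == "requisite":
            return False
        elif control == "required":
            required_failed = True            # keep going, but the final answer is failure
    return any_success and not required_failed
# Auth lines from the reply above, embedded so the example runs offline.
SYSTEM_AUTH = """
auth required   pam_nologin.so
auth required   pam_env.so
auth sufficient pam_unix.so likeauth nullok
auth sufficient pam_ldap.so use_first_pass
auth required   pam_deny.so
"""
SSHD = """
auth required pam_stack.so service=system-auth
auth required pam_shells.so
auth required pam_nologin.so
"""
STACKS = {"system-auth": parse_stack(SYSTEM_AUTH), "sshd": parse_stack(SSHD)}

def ssh_auth(unix_ok, ldap_ok, shell_ok=True):
    # sshd auth result for a user whose pam_unix/pam_ldap/pam_shells return these verdicts
    verdicts = {"pam_unix.so": unix_ok, "pam_ldap.so": ldap_ok, "pam_shells.so": shell_ok, "pam_deny.so": False}
    return run_stack(STACKS, "sshd", "auth", verdicts)
```

An LDAP-only user passes because pam_unix's failure is ignored and pam_ldap short-circuits before pam_deny, while a failing required line in the outer sshd stack (for example pam_shells when the user's shell is not in /etc/shells) still denies the login even though system-auth succeeded.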
HopChop
n00b
Joined: 25 Aug 2002
Posts: 17

PostPosted: Sat Mar 06, 2004 4:41 pm    Post subject:

Well, something got very wrong in the update :(

I changed the pam.d settings (both system-auth and sshd) to what you suggested and it still doesn't work. The output of my log is here. I can't tell what's wrong from it, but maybe someone can. In the case where the log below appears, I try to log in using the OpenSSH client with a user that's in LDAP.

Code:

Mar  6 17:38:50 august sshd[22581]: debug1: Forked child 10437.
Mar  6 17:38:50 august sshd[10437]: Connection from 129.16.159.158 port 36112
Mar  6 17:38:50 august sshd[10437]: debug1: Client protocol version 2.0; client software version OpenSSH_3.4p1 Debian 1:3.4p1-1.woody.3
Mar  6 17:38:50 august sshd[10437]: debug1: match: OpenSSH_3.4p1 Debian 1:3.4p1-1.woody.3 pat OpenSSH_3.2*,OpenSSH_3.3*,OpenSSH_3.4*,OpenSSH_3.5*
Mar  6 17:38:50 august sshd[10437]: debug1: Enabling compatibility mode for protocol 2.0
Mar  6 17:38:50 august sshd[10437]: debug1: Local version string SSH-2.0-OpenSSH_3.7.1p2
Mar  6 17:38:50 august sshd[10437]: debug1: list_hostkey_types: ssh-rsa,ssh-dss
Mar  6 17:38:50 august sshd[10437]: debug1: SSH2_MSG_KEXINIT sent
Mar  6 17:38:50 august sshd[10437]: debug1: SSH2_MSG_KEXINIT received
Mar  6 17:38:50 august sshd[10437]: debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
Mar  6 17:38:50 august sshd[10437]: debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
Mar  6 17:38:50 august sshd[10437]: debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
Mar  6 17:38:50 august sshd[10437]: debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
Mar  6 17:38:50 august sshd[10437]: debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
Mar  6 17:38:50 august sshd[10437]: debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
Mar  6 17:38:50 august sshd[10437]: debug2: kex_parse_kexinit: none,zlib
Mar  6 17:38:50 august sshd[10437]: debug2: kex_parse_kexinit: none,zlib
Mar  6 17:38:50 august sshd[10437]: debug2: kex_parse_kexinit:
Mar  6 17:38:50 august sshd[10437]: debug2: kex_parse_kexinit:
Mar  6 17:38:50 august sshd[10437]: debug2: kex_parse_kexinit: first_kex_follows 0
Mar  6 17:38:50 august sshd[10437]: debug2: kex_parse_kexinit: reserved 0
Mar  6 17:38:50 august sshd[10437]: debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
Mar  6 17:38:50 august sshd[10437]: debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
Mar  6 17:38:50 august sshd[10437]: debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
Mar  6 17:38:50 august sshd[10437]: debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
Mar  6 17:38:50 august sshd[10437]: debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
Mar  6 17:38:50 august sshd[10437]: debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
Mar  6 17:38:50 august sshd[10437]: debug2: kex_parse_kexinit: none
Mar  6 17:38:50 august sshd[10437]: debug2: kex_parse_kexinit: none
Mar  6 17:38:50 august sshd[10437]: debug2: kex_parse_kexinit:
Mar  6 17:38:50 august sshd[10437]: debug2: kex_parse_kexinit:
Mar  6 17:38:50 august sshd[10437]: debug2: kex_parse_kexinit: first_kex_follows 0
Mar  6 17:38:50 august sshd[10437]: debug2: kex_parse_kexinit: reserved 0
Mar  6 17:38:50 august sshd[10437]: debug2: mac_init: found hmac-md5
Mar  6 17:38:50 august sshd[10437]: debug1: kex: client->server aes128-cbc hmac-md5 none
Mar  6 17:38:50 august sshd[10437]: debug2: mac_init: found hmac-md5
Mar  6 17:38:50 august sshd[10437]: debug1: kex: server->client aes128-cbc hmac-md5 none
Mar  6 17:38:50 august sshd[10437]: debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
Mar  6 17:38:50 august sshd[10437]: debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
Mar  6 17:38:50 august sshd[10437]: debug2: dh_gen_key: priv key bits set: 135/256
Mar  6 17:38:50 august sshd[10437]: debug2: bits set: 1601/3191
Mar  6 17:38:50 august sshd[10437]: debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
Mar  6 17:38:50 august sshd[10437]: debug2: bits set: 1606/3191
Mar  6 17:38:50 august sshd[10437]: debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
Mar  6 17:38:50 august sshd[10437]: debug2: kex_derive_keys
Mar  6 17:38:50 august sshd[10437]: debug2: set_newkeys: mode 1
Mar  6 17:38:50 august sshd[10437]: debug1: SSH2_MSG_NEWKEYS sent
Mar  6 17:38:50 august sshd[10437]: debug1: expecting SSH2_MSG_NEWKEYS
Mar  6 17:38:50 august sshd[10437]: debug2: set_newkeys: mode 0
Mar  6 17:38:50 august sshd[10437]: debug1: SSH2_MSG_NEWKEYS received
Mar  6 17:38:50 august sshd[10437]: debug1: KEX done
Mar  6 17:38:50 august sshd[10437]: debug1: userauth-request for user e8kim service ssh-connection method none
Mar  6 17:38:50 august sshd[10437]: debug1: attempt 0 failures 0
Mar  6 17:38:50 august sshd[10437]: debug2: input_userauth_request: setting up authctxt for e8kim
Mar  6 17:38:50 august sshd[10437]: debug1: PAM: initializing for "e8kim"
Mar  6 17:38:50 august sshd[10437]: debug3: Trying to reverse map address 129.16.159.158.
Mar  6 17:38:50 august sshd[10437]: debug1: PAM: setting PAM_RHOST to "pc158.chs.chalmers.se"
Mar  6 17:38:50 august sshd[10437]: debug1: PAM: setting PAM_TTY to "ssh"
Mar  6 17:38:50 august sshd[10437]: debug2: input_userauth_request: try method none
Mar  6 17:38:50 august sshd[10437]: Failed none for e8kim from 129.16.159.158 port 36112 ssh2
Mar  6 17:38:50 august sshd[10437]: debug1: userauth-request for user e8kim service ssh-connection method keyboard-interactive
Mar  6 17:38:50 august sshd[10437]: debug1: attempt 1 failures 1
Mar  6 17:38:50 august sshd[10437]: debug2: input_userauth_request: try method keyboard-interactive
Mar  6 17:38:50 august sshd[10437]: debug1: keyboard-interactive devs
Mar  6 17:38:50 august sshd[10437]: debug1: auth2_challenge: user=e8kim devs=
Mar  6 17:38:50 august sshd[10437]: debug1: kbdint_alloc: devices 'pam'
Mar  6 17:38:50 august sshd[10437]: debug2: auth2_challenge_start: devices pam
Mar  6 17:38:50 august sshd[10437]: debug2: kbdint_next_device: devices <empty>
Mar  6 17:38:50 august sshd[10437]: debug1: auth2_challenge_start: trying authentication method 'pam'
Mar  6 17:38:50 august sshd[10437]: debug3: ssh_msg_recv entering
