M1Sports20 Apprentice
Joined: 25 Mar 2004 Posts: 194 Location: Chicago, IL
Posted: Sat Apr 22, 2006 10:19 pm Post subject: [RESOLVED] LDAP PAM(Maybe) SSH
OK, here is what I want to do.
I want to allow a certain group of people in LDAP (a group called SSH) to be able to ssh into the machine.
Can I use PAM with LDAP to do this, or do I have to compile SSH with the LDAP USE flag?
If I have to do the latter, how do I configure it? I tried this in my sshd_config file:
Code:
# here are the new patched ldap related tokens
# entries in your LDAP must have posixAccount & ldapPublicKey objectclass
UseLPK yes
#LpkLdapConf /etc/ldap.conf
LpkServers ldaps://127.0.0.1:636 ldap://127.0.0.1
#LpkUserDN ou=people,dc=example,dc=com # MS this has to be a person
LpkGroupDN ou=ssh,ou=people,dc=example,dc=com
#LpkBindDN cn=admin,dc=example,dc=com
#LpkBindPw dontthinkineedtobindthisway
#LpkForceTLS no
I also don't know where to look for debug output. This is the only one I found to change (/var/log/auth.log).
After logging in with mary it says this:
Code:
Apr 22 22:26:42 MSServer sshd(pam_unix)[25146]: check pass; user unknown
Apr 22 22:26:42 MSServer sshd(pam_unix)[25146]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=adsl-69-210-97-133.dsl.milwwi.ameritech.net
Apr 22 22:26:42 MSServer sshd[1893]: error: PAM: Authentication service cannot retrieve authentication info. for mary from adsl-69-210-97-133.dsl.milwwi.ameritech.net
Just to let you know, LDAP is working and I even have PAM working with LDAP. I just don't want every user in LDAP to be able to log in. Is there a way for just a group called ssh to log in?
Any help would be great. Thanks.
Last edited by M1Sports20 on Mon Apr 24, 2006 6:26 am; edited 1 time in total
M1Sports20 Apprentice
Joined: 25 Mar 2004 Posts: 194 Location: Chicago, IL
Posted: Sun Apr 23, 2006 6:05 am Post subject:
bump
I think it might have something to do with the ldapPublicKey objectclass.
I don't see this schema. Did the maintainer forget to include this with the LPK patch for OpenSSH?
wellwhoopdedooo n00b
Joined: 04 Mar 2005 Posts: 69
Posted: Sun Apr 23, 2006 7:08 am Post subject:
I don't think you need to compile in LDAP support.
Make your /etc/pam.d/sshd look similar to this:
Code:
#%PAM-1.0
auth include system-auth
auth required pam_shells.so
auth required pam_nologin.so
auth required pam_wheel.so group=ssh
account include system-auth
password include system-auth
session include system-auth
The fourth line (sixth if you count the #%PAM-1.0 and blank) is the one to pay attention to. I haven't tested this at all, but I think that'll work.
M1Sports20 Apprentice
Joined: 25 Mar 2004 Posts: 194 Location: Chicago, IL
Posted: Sun Apr 23, 2006 3:57 pm Post subject:
Yes, that does work, and I have SSH working through PAM with LDAP.
But I want only a certain group of users in LDAP to be able to ssh into the box. Is this possible this way?
I figured if I compiled LDAP into SSH I could use the LPK patch and allow a certain group, but I haven't been able to get this to work.
If what I'm trying to do is possible with PAM, I would do that too.
Thanks for answering.
wellwhoopdedooo n00b
Joined: 04 Mar 2005 Posts: 69
Posted: Sun Apr 23, 2006 4:00 pm Post subject:
Yes, that's what the 4th line is:
Code:
auth required pam_wheel.so group=ssh
It requires that the user belong to the specified group for authorization to continue. Make sure there's no "auth sufficient" above it, and it should work.
M1Sports20 Apprentice
Joined: 25 Mar 2004 Posts: 194 Location: Chicago, IL
Posted: Sun Apr 23, 2006 4:07 pm Post subject:
Oh, I get it, the group=ssh part.
I'll try it soon and let you know how it works.
M1Sports20 Apprentice
Joined: 25 Mar 2004 Posts: 194 Location: Chicago, IL
Posted: Sun Apr 23, 2006 4:30 pm Post subject:
Well, it didn't work. It still allows all LDAP users to ssh in.
Here's my pam.d config.
/etc/pam.d/system-auth
Code:
auth required pam_env.so
auth sufficient pam_unix.so likeauth nullok
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account sufficient pam_ldap.so
account required pam_unix.so
password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password sufficient pam_unix.so nullok md5 shadow use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session required pam_limits.so
session required pam_unix.so
session optional pam_ldap.so
/etc/pam.d/sshd
Code:
auth include system-auth
auth required pam_shells.so
auth required pam_nologin.so
auth required pam_wheel.so group=ssh
account include system-auth
password include system-auth
session include system-auth
session required /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0077
wellwhoopdedooo n00b
Joined: 04 Mar 2005 Posts: 69
Posted: Sun Apr 23, 2006 6:05 pm Post subject:
Ohhh, right... when PAM hits a successful "sufficient" rule, it stops processing and allows auth. Hmm... maybe you could change your sshd to this:
Code:
auth required pam_shells.so
auth required pam_nologin.so
auth required pam_wheel.so group=ssh
auth include system-auth
account include system-auth
password include system-auth
session include system-auth
session required /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0077
See how the "auth include system-auth" is at the bottom?
BTW, I just tested it on my system, works fine. Actually, your question pointed out a possible security hole on my side, so I should be thanking you. So, thank you :)
M1Sports20 Apprentice
Joined: 25 Mar 2004 Posts: 194 Location: Chicago, IL
Posted: Sun Apr 23, 2006 7:09 pm Post subject:
Hmm, still doesn't work for me. Here are my new system-auth and sshd PAM files. I have also included a log file.
system-auth
Code:
# this is to lockout password users with many password attempt, except root
auth required pam_tally.so onerr=fail no_magic_root
# set env vars
auth required pam_env.so
# can add nodelay the following option to stop that 1 sec delay
auth sufficient pam_unix.so likeauth nullok
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
# this is to lockout password users with 5 password attempt, except root
account required pam_tally.so deny=5 reset no_magic_root
account sufficient pam_ldap.so
account required pam_unix.so
password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password sufficient pam_unix.so nullok smd5 shadow use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
# create home dirs if they don't exist
session required /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0077
session required pam_limits.so
session required pam_unix.so
session optional pam_ldap.so
sshd
Code:
auth required pam_shells.so
auth required pam_nologin.so
auth required pam_wheel.so group=ssh
auth include system-auth
account include system-auth
password include system-auth
session include system-auth
auth.log
Code:
Apr 23 19:00:56 MSServer sshd(pam_unix)[12626]: check pass; user unknown
Apr 23 19:00:56 MSServer sshd(pam_unix)[12626]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=adsl-69-210-97-133.dsl.milwwi.ameritech.net
Apr 23 19:00:58 MSServer sshd[29019]: error: PAM: Error in service module for mary from adsl-69-210-97-133.dsl.milwwi.ameritech.net
Apr 23 19:01:03 MSServer sshd(pam_unix)[19727]: check pass; user unknown
Apr 23 19:01:03 MSServer sshd(pam_unix)[19727]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=adsl-69-210-97-133.dsl.milwwi.ameritech.net
Apr 23 19:01:05 MSServer sshd[29019]: error: PAM: Error in service module for mary from adsl-69-210-97-133.dsl.milwwi.ameritech.net
Apr 23 19:02:45 MSServer sshd(pam_unix)[32753]: check pass; user unknown
Apr 23 19:02:45 MSServer sshd(pam_unix)[32753]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=adsl-69-210-97-133.dsl.milwwi.ameritech.net
Apr 23 19:02:47 MSServer sshd[9324]: error: PAM: Error in service module for mary from adsl-69-210-97-133.dsl.milwwi.ameritech.net
Apr 23 19:04:29 MSServer sshd[9324]: fatal: Timeout before authentication for 69.210.97.133
id mary
Code:
uid=10000(mary) gid=100(users) groups=100(users),10000(ssh)
Thanks for all your help. I am new to PAM. With your help and additional reading I have learned so much.
M1Sports20 Apprentice
Joined: 25 Mar 2004 Posts: 194 Location: Chicago, IL
Posted: Sun Apr 23, 2006 7:39 pm Post subject:
Here is the output if I put debug on the line with:
auth required pam_wheel.so group=ssh debug
Code:
Apr 23 19:37:51 MSServer PAM-Wheel[794]: who is running me ?!
Apr 23 19:38:00 MSServer sshd(pam_unix)[794]: check pass; user unknown
Apr 23 19:38:00 MSServer sshd(pam_unix)[794]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=adsl-69-210-97-133.dsl.milwwi.ameritech.net
Apr 23 19:38:03 MSServer sshd[8099]: error: PAM: Error in service module for mary from adsl-69-210-97-133.dsl.milwwi.ameritech.net
Apr 23 19:38:03 MSServer PAM-Wheel[16997]: who is running me ?!
M1Sports20 Apprentice
Joined: 25 Mar 2004 Posts: 194 Location: Chicago, IL
Posted: Mon Apr 24, 2006 1:33 am Post subject:
bump
Doesn't anyone know why this doesn't work?
I have seen other people do this with Red Hat.
M1Sports20 Apprentice
Joined: 25 Mar 2004 Posts: 194 Location: Chicago, IL
Posted: Mon Apr 24, 2006 6:30 am Post subject:
OK, so if anyone wanted to know, I found a workaround.
emerge pam_require # as of today it is in the unstable branch
Then add a line to the sshd PAM file like the following to allow only the ssh group to ssh into a computer:
account required pam_require.so @ssh
If you want to allow just a user, type this:
account required pam_require.so root
So my final configs look like the following.
/etc/pam.d/sshd
Code:
#%PAM-1.0
auth required pam_shells.so
auth required pam_nologin.so
#auth required pam_wheel.so group=ssh debug use_uid
auth include system-auth
account required pam_require.so @ssh
account include system-auth
password include system-auth
session include system-auth
/etc/pam.d/system-auth (a lot of extra stuff for other purposes; the original should work if using just flat files)
Code:
#%PAM-1.0
# this is to lockout password users with many password attempt, except root
auth required pam_tally.so onerr=fail no_magic_root
# set env vars
auth required pam_env.so
# can add nodelay the following option to stop that 1 sec delay
auth sufficient pam_unix.so likeauth nullok
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
# this is to lockout password users with 5 password attempt, except root
account required pam_tally.so deny=5 reset no_magic_root
account sufficient pam_ldap.so
account required pam_unix.so
password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password sufficient pam_unix.so nullok smd5 shadow use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
# create home dirs if they don't exist
session required /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0077
session required pam_limits.so
session required pam_unix.so
session optional pam_ldap.so
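The two points this thread turns on, why `pam_wheel.so` placed after `auth include system-auth` is never consulted and still fails once moved above it, and why the `account required pam_require.so @ssh` line in the final post does enforce the group, can be replayed offline. The block below is an added example written for this page; it is not code from the thread, from Linux-PAM, or from the pam_require project. It is a small simulator of libpam's control-flag semantics (required, sufficient, include) with stub modules and a constructed user database (mary and bob as LDAP users, only mary in the ssh group, a local root account). The stubs are a model of what the posted logs show, not the real modules, and the three sshd stacks are cut down to their auth and account lines.

```python
OK, AUTH_ERR, SERVICE_ERR, PERM_DENIED = "PAM_SUCCESS", "PAM_AUTH_ERR", "PAM_SERVICE_ERR", "PAM_PERM_DENIED"

# Constructed stand-ins for /etc/passwd, the LDAP directory and NSS group membership
# (the thread's "id mary" shows mary in gid 10000(ssh)). Not real accounts or passwords.
LOCAL_USERS = {"root": "toor"}
LDAP_USERS = {"mary": "secret", "bob": "hunter2"}
GROUPS = {"users": {"mary", "bob"}, "ssh": {"mary"}}

# auth/account lines of the posted system-auth, and the three sshd variants from the thread
SYSTEM_AUTH = """
auth     sufficient pam_unix.so likeauth nullok
auth     sufficient pam_ldap.so use_first_pass
auth     required   pam_deny.so
account  sufficient pam_ldap.so
account  required   pam_unix.so
"""
SSHD_V1 = """# first attempt: pam_wheel after the include
auth     include    system-auth
auth     required   pam_wheel.so group=ssh
account  include    system-auth
"""
SSHD_V2 = """# second attempt: pam_wheel moved above the include
auth     required   pam_wheel.so group=ssh
auth     include    system-auth
account  include    system-auth
"""
SSHD_FINAL = """# posted solution: group check in the account phase
auth     include    system-auth
account  required   pam_require.so @ssh
account  include    system-auth
"""
FILES = {"system-auth": SYSTEM_AUTH}

def _passwd(db, phase, ctx):
    if ctx["user"] not in db:          # pam_unix logs "check pass; user unknown"
        return AUTH_ERR
    return OK if phase == "account" or db[ctx["user"]] == ctx["password"] else AUTH_ERR

def pam_wheel(phase, ctx, args):
    # pam_wheel gates the *calling* user (its su use case), not the account being
    # authenticated. Without use_uid it needs the login name of the caller's tty session;
    # sshd has none, so the real module logs "who is running me ?!" and returns
    # PAM_SERVICE_ERR. With use_uid it checks the process uid instead, root for sshd.
    group = next((a[6:] for a in args if a.startswith("group=")), "wheel")
    caller = ctx["calling_uid_user"] if "use_uid" in args else ctx["calling_login"]
    if caller is None:
        return SERVICE_ERR
    return OK if caller in GROUPS.get(group, ()) else PERM_DENIED

def pam_require(phase, ctx, args):
    # pam_require: the account being checked must match one argument (user name or @group)
    for item in args:
        if item == ctx["user"] or (item[:1] == "@" and ctx["user"] in GROUPS.get(item[1:], ())):
            return OK
    return PERM_DENIED

MODULES = {
    "pam_unix": lambda p, c, a: _passwd(LOCAL_USERS, p, c),
    "pam_ldap": lambda p, c, a: _passwd(LDAP_USERS, p, c),
    "pam_deny": lambda p, c, a: AUTH_ERR,
    "pam_wheel": pam_wheel, "pam_require": pam_require,
}

def expand(conf, phase, files=FILES):
    """Yield (control, module, args) for one phase; 'include' splices the named file in place."""
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        p, control, module, *args = line.split()
        if p != phase:
            continue
        if control == "include":
            yield from expand(files[module], phase, files)
        else:
            yield control, (module[:-3] if module.endswith(".so") else module), args

def run_stack(conf, phase, ctx):
    """One phase as libpam evaluates it: a failed 'required' is remembered but the stack
    keeps running; a successful 'sufficient' ends the stack with success at once, and only
    if nothing required has failed yet; later lines are then never consulted."""
    first_failure = None
    for control, module, args in expand(conf, phase):
        ctx["trace"].append(module)
        rc = MODULES[module](phase, ctx, args)
        if control == "required" and rc != OK and first_failure is None:
            first_failure = rc
        if control == "sufficient" and rc == OK and first_failure is None:
            return OK
    return first_failure or OK

def check_login(sshd_conf, user, password):
    """(auth result, account result, modules consulted) for an sshd password login."""
    ctx = {"user": user, "password": password, "trace": [],
           "calling_login": None,       # sshd is a daemon with no tty login session
           "calling_uid_user": "root"}  # and runs the PAM conversation as root
    auth = run_stack(sshd_conf, "auth", ctx)
    acct = run_stack(sshd_conf, "account", ctx) if auth == OK else None
    return auth, acct, tuple(ctx["trace"])

def allowed(sshd_conf, user, password):
    return check_login(sshd_conf, user, password)[:2] == (OK, OK)
```

What the replay shows: with the first sshd file, the `sufficient pam_ldap.so` line spliced in from system-auth ends the auth stack with success before `pam_wheel.so` is ever reached, so bob gets in as well as mary. With pam_wheel moved to the top it fails for everyone, because pam_wheel checks who is calling the PAM service (the su case), not the account being authenticated; under sshd there is no tty login to look up, which is the "who is running me ?!" and "Error in service module" pair in the posted log, and with `use_uid` it would check root instead. The account-phase `pam_require.so @ssh` line admits mary and denies bob no matter how auth was satisfied. On a real host the same three checks can be driven through the actual stack with pamtester (for example `pamtester sshd mary authenticate acct_mgmt`), and OpenSSH's own `AllowGroups ssh` in sshd_config restricts by NSS group without touching PAM at all.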