bunder (Bodhisattva)
Joined: 10 Apr 2004 Posts: 5947
Posted: Fri May 23, 2008 1:38 pm Post subject: ldap auth gripe/issue - pam_unix errors (solved, i think)
I've been using LDAP auth for a while now, and I have a niggling problem that I want to get off my chest; hopefully I can get a fix for it...
Sample login:
Quote:
May 23 08:50:52 shell sshd[13556]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=lalala user=joeschmoe
May 23 08:50:52 shell sshd[13554]: Accepted keyboard-interactive/pam for joeschmoe from lalala port 1062 ssh2
May 23 08:50:52 shell sshd[13559]: pam_unix(sshd:session): session opened for user joeschmoe by (uid=0)
Any login logs a failure, then a success... which makes grepping logs a nightmare, breaks logwatch and possibly other log-parsing mechanisms... Is there a way to make LDAP or PAM work in such a way that an error gets logged properly?
Thanks in advance
_________________
Neddyseagoon wrote: The problem with leaving is that you can only do it once and it reduces your influence.
banned from #gentoo since sept 2017
Last edited by bunder on Sat May 24, 2008 10:57 pm; edited 1 time in total
aceFruchtsaft (Guru)
Joined: 16 May 2004 Posts: 438 Location: Vienna, Austria
Posted: Fri May 23, 2008 11:36 pm Post subject:
1) You can reorder the entries in /etc/pam.d/system-auth so pam_ldap is first and pam_unix second, i.e.:
Code:
auth required pam_env.so
auth sufficient pam_ldap.so try_first_pass
auth sufficient pam_unix.so use_first_pass likeauth nullok shadow
auth required pam_deny.so
This way you can avoid errors when logging in with a user account which is not present in /etc/passwd. Also, pam_ldap seems to have more options to suppress warnings for users which are not in the LDAP directory (ignore_unknown_user, no_warn), but I've never tested those.
2) You can configure sshd to use PKI-based authentication instead of keyboard/interactive, which also avoids the pam_unix errors.
HTH
bunder (Bodhisattva)
Joined: 10 Apr 2004 Posts: 5947
Posted: Sat May 24, 2008 11:07 am Post subject:
I've tried reordering both /etc/nsswitch.conf and /etc/pam.d/system-auth to do exactly what you said, and I either get locked out of the box or I get the same messages... I'll look into it again when I have some time off work. Thanks for replying.
Cheers
aceFruchtsaft (Guru)
Joined: 16 May 2004 Posts: 438 Location: Vienna, Austria
Posted: Sat May 24, 2008 4:56 pm Post subject:
Weird. I've tested the setup I suggested on my server with both traditional and LDAP users as well as PKI and password ssh logins and it works (without the error messages).
BTW, /etc/nsswitch.conf does not affect PAM at all but rather specifies from where various information is retrieved. You can have your system fetch user data from LDAP via nscd for apps like /bin/ls without even enabling pam_ldap (which may be useful in a Samba PDC + LDAP setting).
bunder (Bodhisattva)
Joined: 10 Apr 2004 Posts: 5947
Posted: Sat May 24, 2008 7:43 pm Post subject:
Maybe it's the options then...
Code:
#%PAM-1.0
auth required pam_env.so
auth sufficient pam_unix.so try_first_pass likeauth nullok
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account required pam_access.so
account sufficient pam_ldap.so
account required pam_unix.so
account sufficient pam_localuser.so
password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 try_first_pass retry=3
password sufficient pam_unix.so try_first_pass nullok md5 shadow use_authtok
password sufficient pam_ldap.so use_first_pass use_authtok
password required pam_deny.so
session required pam_limits.so
session required pam_mkhomedir.so skel=/etc/skel umask=0066
session required pam_unix.so
session optional pam_ldap.so
I don't really know what I need and what I don't... I just followed the LDAP auth guide a couple of years ago and it's been working ever since.
aceFruchtsaft (Guru)
Joined: 16 May 2004 Posts: 438 Location: Vienna, Austria
Posted: Sat May 24, 2008 8:26 pm Post subject:
Mine looks like this:
Code:
#%PAM-1.0
auth required pam_env.so
auth sufficient pam_ldap.so try_first_pass
auth sufficient pam_unix.so use_first_pass likeauth nullok shadow
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_ldap.so use_first_pass
password required pam_cracklib.so retry=3 difok=2 minlen=7 dcredit=2 ocredit=2
password sufficient pam_unix.so try_first_pass nullok use_authtok shadow md5
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session required pam_limits.so
session required pam_unix.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0066
session optional pam_ldap.so
I don't know how your additional account stack entries affect the login process as it depends on /etc/security/access.conf.
Did you notice that the second line in the auth stack (either pam_unix.so or pam_ldap.so) has to contain try_first_pass (instead of use_first_pass!), otherwise you'll never be prompted for a password? That is, just switching the two lines will not be sufficient.
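To make the module-order and *_first_pass behaviour discussed in the replies above concrete, here is a small simulator of a Linux-PAM auth stack. It is an added illustration, not code from the thread or from Linux-PAM itself; the user names, passwords and the three stacks are constructed, and it models only the required/sufficient control flags and the try_first_pass/use_first_pass options (nullok, likeauth, shadow are accepted but ignored).

```python
# Constructed sample account stores; nothing here is a real credential.
LOCAL_USERS = {"root": "hunter2"}        # stands in for /etc/shadow (pam_unix)
LDAP_USERS = {"joeschmoe": "s3cret"}     # stands in for the LDAP directory (pam_ldap)

def run_auth(stack, user, typed_password, log):
    """Walk an auth stack given as (control, module, option, ...) tuples for `user`.
    Returns True on success and appends a line to `log` for every password module
    that fails: that is the log noise the thread is about."""
    stored = None      # password a previous module left in the PAM AUTHTOK item
    failed = False     # a "required" module failed: the stack must end in failure
    for control, module, *options in stack:
        if module in ("pam_env.so", "pam_deny.so"):
            result = module == "pam_env.so"      # pam_env always succeeds, pam_deny never
        else:
            if stored is not None:
                pw = stored                      # either *_first_pass option reuses it
            elif "use_first_pass" in options:
                pw = None                        # use_first_pass never prompts
            else:
                pw = typed_password              # try_first_pass (or no option) prompts
                stored = pw
            store = LOCAL_USERS if module == "pam_unix.so" else LDAP_USERS
            result = pw is not None and store.get(user) == pw
            if not result:
                log.append(f"{module}(sshd:auth): authentication failure; user={user}")
        if control == "required" and not result:
            failed = True
        elif control == "sufficient" and result and not failed:
            return True                          # short-circuit: later modules never run
    return not failed

# pam_unix before pam_ldap: the order in the original poster's system-auth
UNIX_FIRST = [("required", "pam_env.so"),
              ("sufficient", "pam_unix.so", "try_first_pass", "likeauth", "nullok"),
              ("sufficient", "pam_ldap.so", "use_first_pass"),
              ("required", "pam_deny.so")]
# pam_ldap before pam_unix: the order suggested in the reply
LDAP_FIRST = [("required", "pam_env.so"),
              ("sufficient", "pam_ldap.so", "try_first_pass"),
              ("sufficient", "pam_unix.so", "use_first_pass", "likeauth", "nullok", "shadow"),
              ("required", "pam_deny.so")]
# both password modules with use_first_pass: no module ever prompts, so every login fails
NO_PROMPT = [("required", "pam_env.so"),
             ("sufficient", "pam_ldap.so", "use_first_pass"),
             ("sufficient", "pam_unix.so", "use_first_pass"),
             ("required", "pam_deny.so")]

def failing_modules(stack, user, password):   # -> (authenticated, modules that logged a failure)
    log = []
    ok = run_auth(stack, user, password, log)
    return ok, [line.split("(")[0] for line in log]
```

With UNIX_FIRST an LDAP-only user authenticates but pam_unix logs a failure first, exactly the pattern in the original log excerpt; with LDAP_FIRST the same login produces no failure line, and local users still work because pam_unix reuses the password pam_ldap collected.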
bunder (Bodhisattva)
Joined: 10 Apr 2004 Posts: 5947
Posted: Sat May 24, 2008 10:38 pm Post subject:
I like that one a lot better... Thanks