
#1 2008-09-21 18:35:09

TheAmigo
Member
Registered: 2008-04-08
Posts: 68

SSH authentication via LDAP

There are many pages describing using LDAP for authentication, but none of them are quite like my setup.

I had this working before (RHEL 4.4) but I've been wanting to upgrade the box to Arch for a while.  Yesterday, the drive died so now's my chance to upgrade the OS.

Anyway, the setup that I had working was pretty nice:
  Users all have accounts in the corp LDAP server (over which I have no control)
  I would manually add usernames to /etc/passwd (but not /etc/shadow) and create home dirs
  At login, sshd would use pam which would use ldap to verify passwords

It all worked great, I never had to manage user passwords, they were always verified against ldap.

Unfortunately, the pam config I used in RHEL4 has since been deprecated (cf. pam_stack.so) so I'm now looking for help to get a current pam version configured.

Most guides (e.g. http://wiki.archlinux.org/index.php/HOW … entication ) are for setups where all the account info is in LDAP.  That's not my situation, and since I don't control the LDAP server (or its contents) I can't go that route.  Instead, I need to use LDAP only for password verification.

My /etc/pam.d/sshd is currently:

#%PAM-1.0
auth        required    pam_securetty.so    #Disable remote root
auth        sufficient  pam_unix.so likeauth nullok
auth        sufficient  pam_ldap.so use_first_pass
auth        required    pam_nologin.so
auth        required    pam_env.so

account     required    pam_unix.so
account     [default=bad success=ok user_unknown=ignore]    pam_ldap.so
account     required    pam_time.so

password    required    pam_unix.so

session     required    pam_unix_session.so
session     required    pam_limits.so

and that's not quite working.

When I try to log in via ssh, I find the following logged in /var/log/auth.log:

Sep 21 04:22:47 archbox sshd[23183]: Failed password for amigo from 10.188.49.49 port 57260 ssh2

Yet when I run tcpdump and review the traffic going to the ldap server, I see the auth request sent and I see the reply from the ldap server that says "resultCode: success".

Any pointers for configuring pam and/or getting more detailed logging are greatly appreciated.

--
The Amigo

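Added example (not part of the post above, and not Linux-PAM's or pam_ldap's own code): a small Python model of how Linux-PAM walks a module stack, replaying the auth and account sections quoted in the post. The parser and dispatcher follow the control-flag semantics documented in pam.conf(5) in simplified form; the return value fed in for each module is an assumption about the setup described (a non-root user present in /etc/passwd but absent from /etc/shadow, pam_ldap's simple bind either succeeding or failing), marked as such in the code. It makes two things visible. First, the posted stack does return success when the LDAP bind succeeds, so the control flags alone do not explain the "Failed password" line. Second, the same stack also returns success when both `sufficient` password checkers fail, because the remaining `required` modules (pam_securetty for a non-root user, pam_nologin, pam_env) report success and nothing ever records a failure. The usual fix, a trailing `auth required pam_deny.so` after the last `sufficient` entry, is included as a hardened variant so the two can be compared.

```python
"""Simplified model of Linux-PAM stack dispatch (pam.conf(5) semantics), replaying the sshd stack from the post."""

PAM_SUCCESS, PAM_PERM_DENIED, PAM_AUTH_ERR, PAM_USER_UNKNOWN = 0, 6, 7, 10  # _pam_types.h values
RETVAL_NAMES = {PAM_SUCCESS: "success", PAM_PERM_DENIED: "perm_denied",
                PAM_AUTH_ERR: "auth_err", PAM_USER_UNKNOWN: "user_unknown"}

# The classic control keywords are shorthand for these [value=action ...] tables.
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

def parse_control(control):
    """'required' or '[default=bad success=ok ...]' -> {value: action}."""
    control = control.strip()
    if control.startswith("[") and control.endswith("]"):
        return dict(item.split("=", 1) for item in control[1:-1].split())
    return dict(KEYWORDS[control])

def parse_stack(config_text, mtype):
    """Return [(action_table, module), ...] for one entry type from pam.d text."""
    stack = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # '#' starts a comment
        if not line:
            continue
        entry_type, rest = line.split(None, 1)
        if entry_type != mtype:
            continue
        if rest.startswith("["):                     # bracketed control contains spaces
            close = rest.index("]") + 1
            control, rest = rest[:close], rest[close:]
        else:
            control, rest = rest.split(None, 1)
        stack.append((parse_control(control), rest.split()[0]))
    return stack

def dispatch(stack, results):
    """What pam_authenticate()/pam_acct_mgmt() returns given each module's result: 'ok' counts toward
    success unless a failure is recorded, 'done' also returns early, 'bad' records the first failure
    and continues, 'die' records it and returns, 'ignore' contributes nothing, integer N skips N."""
    impression, status, i = None, PAM_PERM_DENIED, 0   # nothing decided yet
    while i < len(stack):
        table, module = stack[i]
        retval = results[module]
        action = table.get(RETVAL_NAMES[retval], table.get("default", "bad"))
        if action in ("ok", "done"):
            if impression is None or (impression == "positive" and status == PAM_SUCCESS):
                impression, status = "positive", retval
            if action == "done" and impression == "positive":
                break
        elif action in ("bad", "die"):
            if impression != "negative":
                impression, status = "negative", retval
            if action == "die":
                break
        elif action != "ignore":
            i += int(action)
        i += 1
    return PAM_PERM_DENIED if impression is None else status

# /etc/pam.d/sshd as quoted in the post (auth and account sections).
POSTED_SSHD_PAM = """\
#%PAM-1.0
auth        required    pam_securetty.so    #Disable remote root
auth        sufficient    pam_unix.so likeauth nullok
auth        sufficient    pam_ldap.so use_first_pass
auth        required    pam_nologin.so
auth        required    pam_env.so

account        required    pam_unix.so
account        [default=bad success=ok user_unknown=ignore]    pam_ldap.so
account        required    pam_time.so
"""

# Hardened variant (not from the post): trailing pam_deny.so makes "no checker succeeded" a failure.
HARDENED_SSHD_PAM = POSTED_SSHD_PAM + "auth        required    pam_deny.so\n"

def auth_results(ldap_bind_ok):
    """Assumed results for a non-root user in /etc/passwd but not in /etc/shadow."""
    return {
        "pam_securetty.so": PAM_SUCCESS,   # only restricts root
        "pam_unix.so": PAM_AUTH_ERR,       # no shadow entry to verify against
        "pam_ldap.so": PAM_SUCCESS if ldap_bind_ok else PAM_AUTH_ERR,
        "pam_nologin.so": PAM_SUCCESS,     # assumed: no /etc/nologin present
        "pam_env.so": PAM_SUCCESS,         # assumed
        "pam_deny.so": PAM_AUTH_ERR,       # always fails, by design
    }

def authenticate(config_text, ldap_bind_ok):
    return dispatch(parse_stack(config_text, "auth"), auth_results(ldap_bind_ok))

def account(config_text):
    # Assumed: pam_unix accepts the passwd-only user, the corp LDAP has no
    # posixAccount for it (user_unknown), pam_time imposes no restriction.
    results = {"pam_unix.so": PAM_SUCCESS, "pam_ldap.so": PAM_USER_UNKNOWN, "pam_time.so": PAM_SUCCESS}
    return dispatch(parse_stack(config_text, "account"), results)

if __name__ == "__main__":
    for name, cfg in (("posted", POSTED_SSHD_PAM), ("hardened", HARDENED_SSHD_PAM)):
        print(name, [RETVAL_NAMES[authenticate(cfg, ok)] for ok in (True, False)], RETVAL_NAMES[account(cfg)])
```

Running it prints `success` for the posted stack whether or not the LDAP bind succeeded, and `success` / `auth_err` for the hardened one. Two practical checks that go with this: sshd only consults /etc/pam.d/sshd at all when `UsePAM yes` is set in sshd_config (OpenSSH's default is `UsePAM no`, in which case password authentication goes through sshd's own shadow lookup and a passwd-only user can never log in, whatever PAM says); and `pam_ldap.so` accepts a `debug` option while `LogLevel DEBUG` in sshd_config shows which authentication path sshd actually took, both of which give more to work with than the single "Failed password" line.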
