<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page Section1
{size:612.0pt 792.0pt;
margin:70.85pt 3.0cm 70.85pt 3.0cm;}
div.Section1
{page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=PT link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal><span lang=EN-US>Hello,<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US>I am currently using OpenLDAP for
authentication and seems I’m having some troubles explaining PAM what it should
be doing. I get this error when trying to login with an ldap user trough ssh:<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal style='margin-left:35.4pt'><span lang=EN-US
style='font-size:12.0pt;font-family:"Times New Roman","serif"'>Apr 8
16:38:16 rh01 sshd[11045]: debug1: userauth-request for user myuser service
ssh-connection method password<o:p></o:p></span></p>
<p class=MsoNormal style='margin-left:35.4pt'><span lang=EN-US
style='font-size:12.0pt;font-family:"Times New Roman","serif"'>Apr 8
16:38:16 rh01 sshd[11045]: debug1: attempt 1 failures 1<o:p></o:p></span></p>
<p class=MsoNormal style='margin-left:35.4pt'><span lang=EN-US
style='font-size:12.0pt;font-family:"Times New Roman","serif"'>Apr 8 16:38:17
rh01 sshd[11044]: pam_unix(sshd:auth): check pass; user unknown<o:p></o:p></span></p>
<p class=MsoNormal style='margin-left:35.4pt'><span lang=EN-US
style='font-size:12.0pt;font-family:"Times New Roman","serif"'>Apr 8
16:38:17 rh01 sshd[11044]: pam_unix(sshd:auth): authentication failure;
logname= uid=0 euid=0 tty=ssh ruser= rhost=rh01.localdomain<o:p></o:p></span></p>
<p class=MsoNormal style='margin-left:35.4pt'><span lang=EN-US
style='font-size:12.0pt;font-family:"Times New Roman","serif"'>Apr 8
16:38:17 rh01 sshd[11044]: pam_succeed_if(sshd:auth): error retrieving
information about user myuser<o:p></o:p></span></p>
<p class=MsoNormal style='margin-left:35.4pt'><span lang=EN-US
style='font-size:12.0pt;font-family:"Times New Roman","serif"'>Apr 8
16:38:19 rh01 sshd[11044]: debug1: PAM: password authentication failed for an
illegal user: User not known to the underlying authentication module<o:p></o:p></span></p>
<p class=MsoNormal style='margin-left:35.4pt'><span lang=EN-US
style='font-size:12.0pt;font-family:"Times New Roman","serif"'>Apr 8
16:38:19 rh01 sshd[11044]: Failed password for invalid user myuser from
127.0.0.1 port 42064 ssh2<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US>So it seems he just doesn’t recognize the
user (stored in LDAP directory). I had this working before but then I made some
changes to try to make the pam files more readable and now they never got back
to working … :)<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Here is my system-auth file in /etc/pam.d<o:p></o:p></span></p>
<p class=MsoNormal style='margin-left:35.4pt'><span lang=EN-US>#%PAM-1.0<o:p></o:p></span></p>
<p class=MsoNormal style='margin-left:35.4pt'><span lang=EN-US># This file is
auto-generated.<o:p></o:p></span></p>
<p class=MsoNormal style='margin-left:35.4pt'><span lang=EN-US># User changes
will be destroyed the next time authconfig is run.<o:p></o:p></span></p>
<p class=MsoNormal style='margin-left:35.4pt'><span lang=EN-US>auth
required pam_env.so<o:p></o:p></span></p>
<p class=MsoNormal style='margin-left:35.4pt'><span lang=EN-US>auth
sufficient pam_unix.so nullok try_first_pass<o:p></o:p></span></p>
<p class=MsoNormal style='margin-left:35.4pt'><span lang=EN-US>auth
requisite pam_succeed_if.so uid >= 500 quiet<o:p></o:p></span></p>
<p class=MsoNormal style='margin-left:35.4pt'><span lang=EN-US>auth
sufficient /lib/security/pam_ldap.so use_first_pass<o:p></o:p></span></p>
<p class=MsoNormal style='margin-left:35.4pt'><span lang=EN-US>auth
required pam_deny.so<o:p></o:p></span></p>
<p class=MsoNormal style='margin-left:35.4pt'><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal style='margin-left:35.4pt'><span lang=EN-US>account
required pam_unix.so broken_shadow<o:p></o:p></span></p>
<p class=MsoNormal style='margin-left:35.4pt'><span lang=EN-US>account
sufficient pam_localuser.so<o:p></o:p></span></p>
<p class=MsoNormal style='margin-left:35.4pt'><span lang=EN-US>account
sufficient pam_succeed_if.so uid < 500 quiet<o:p></o:p></span></p>
<p class=MsoNormal style='margin-left:35.4pt'><span lang=EN-US>account
[default=bad success=ok user_unknown=ignore] /lib/security/pam_ldap.so<o:p></o:p></span></p>
<p class=MsoNormal style='margin-left:35.4pt'><span lang=EN-US>account
required pam_permit.so<o:p></o:p></span></p>
<p class=MsoNormal style='margin-left:35.4pt'><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal style='margin-left:35.4pt'><span lang=EN-US>password
requisite pam_cracklib.so try_first_pass retry=3<o:p></o:p></span></p>
<p class=MsoNormal style='margin-left:35.4pt'><span lang=EN-US>password
sufficient pam_unix.so md5 shadow nullok try_first_pass
use_authtok<o:p></o:p></span></p>
<p class=MsoNormal style='margin-left:35.4pt'><span lang=EN-US>password
sufficient /lib/security/pam_ldap.so use_authtok<o:p></o:p></span></p>
<p class=MsoNormal style='margin-left:35.4pt'><span lang=EN-US>password
required pam_deny.so<o:p></o:p></span></p>
<p class=MsoNormal style='margin-left:35.4pt'><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal style='margin-left:35.4pt'><span lang=EN-US>session
optional pam_keyinit.so revoke<o:p></o:p></span></p>
<p class=MsoNormal style='margin-left:35.4pt'><span lang=EN-US>session
required pam_limits.so<o:p></o:p></span></p>
<p class=MsoNormal style='margin-left:35.4pt'><span lang=EN-US>session
[success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid<o:p></o:p></span></p>
<p class=MsoNormal style='margin-left:35.4pt'><span lang=EN-US>session
required pam_unix.so<o:p></o:p></span></p>
<p class=MsoNormal style='margin-left:35.4pt'><span lang=EN-US>session
optional /lib/security/pam_ldap.so<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US>And here is sshd file in the same directory<o:p></o:p></span></p>
<p class=MsoNormal style='margin-left:35.4pt'><span lang=EN-US>#%PAM-1.0<o:p></o:p></span></p>
<p class=MsoNormal style='margin-left:35.4pt'><span lang=EN-US>auth
sufficient /lib/security/pam_ldap.so<o:p></o:p></span></p>
<p class=MsoNormal style='margin-left:35.4pt'><span lang=EN-US>auth
include system-auth<o:p></o:p></span></p>
<p class=MsoNormal style='margin-left:35.4pt'><span lang=EN-US>account
sufficient /lib/security/pam_ldap.so<o:p></o:p></span></p>
<p class=MsoNormal style='margin-left:35.4pt'><span lang=EN-US>account
required pam_nologin.so<o:p></o:p></span></p>
<p class=MsoNormal style='margin-left:35.4pt'><span lang=EN-US>account
include system-auth<o:p></o:p></span></p>
<p class=MsoNormal style='margin-left:35.4pt'><span lang=EN-US>password
required /lib/security/pam_ldap.so<o:p></o:p></span></p>
<p class=MsoNormal style='margin-left:35.4pt'><span lang=EN-US>password
include system-auth<o:p></o:p></span></p>
<p class=MsoNormal style='margin-left:35.4pt'><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal style='margin-left:35.4pt'><span lang=EN-US>session
sufficient /lib/security/pam_ldap.so<o:p></o:p></span></p>
<p class=MsoNormal style='margin-left:35.4pt'><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal style='margin-left:35.4pt'><span lang=EN-US>password
sufficient pam_unix.so ssha shadow nullok try_first_pass
use_authtok<o:p></o:p></span></p>
<p class=MsoNormal style='margin-left:35.4pt'><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal style='margin-left:35.4pt'><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal style='margin-left:35.4pt'><span lang=EN-US>session
optional pam_keyinit.so force revoke<o:p></o:p></span></p>
<p class=MsoNormal style='margin-left:35.4pt'><span lang=EN-US>session
include system-auth<o:p></o:p></span></p>
<p class=MsoNormal style='margin-left:35.4pt'><span lang=EN-US>session
required pam_loginuid.so<o:p></o:p></span></p>
<p class=MsoNormal style='margin-left:35.4pt'><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US>As part of the “file clean-up” I was only
using the “include” directives but since it stopped working I reverted back to
explicitly telling what module to use… still doesn’t work though. Can anyone
see why SSH doesn’t even try to authenticate against the OpenLDAP directory? <o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Thank you,<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Nuno<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
</div>
</body>
</html>