Authentication problems with ldap
Lynn York
lyork at inetu.net
Mon Sep 22 19:22:15 UTC 2008
I attempted to use the same config as listed below and I am still running
into issues. I do not see anything in /var/log/secure or /var/log/messages.
Here is the auth. part of my ssh debug log:
[snippet]
debug1: PAM: initializing for "lyork"
debug3: Normalising mapped IPv4 in IPv6 address
debug3: Trying to reverse map address 127.0.0.1.
debug1: PAM: setting PAM_RHOST to "cent-os-2"
debug1: PAM: setting PAM_TTY to "ssh"
debug2: monitor_read: 46 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 3
debug3: mm_answer_authserv: service=ssh-connection, style=
debug2: monitor_read: 3 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 4
debug3: mm_answer_authrole: role=
debug2: monitor_read: 4 used once, disabling now
debug3: mm_request_receive entering
debug1: userauth-request for user lyork service ssh-connection method publickey
debug1: attempt 1 failures 1
debug2: input_userauth_request: try method publickey
debug1: test whether pkalg/pkblob are acceptable
debug3: mm_key_allowed entering
debug3: mm_request_send entering: type 21
debug3: monitor_read: checking request 21
debug3: mm_answer_keyallowed entering
debug3: mm_answer_keyallowed: key_from_blob: 0x80983b8
debug1: temporarily_use_uid: 3000/3000 (e=0/0)
debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED
debug3: mm_request_receive_expect entering: type 22
debug3: mm_request_receive entering
debug1: trying public key file /home/lyork/.ssh/authorized_keys
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 3000/3000 (e=0/0)
debug1: trying public key file /home/lyork/.ssh/authorized_keys2
debug1: restore_uid: 0/0
debug3: Normalising mapped IPv4 in IPv6 address
Failed publickey for lyork from 127.0.0.1 port 1199 ssh2
debug3: mm_answer_keyallowed: key 0x80983b8 is disallowed
debug3: mm_request_send entering: type 22
debug3: mm_request_receive entering
debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa
debug1: userauth-request for user lyork service ssh-connection method password
debug1: attempt 2 failures 2
debug2: input_userauth_request: try method password
debug3: mm_auth_password entering
debug3: mm_request_send entering: type 11
debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
debug3: mm_request_receive_expect entering: type 12
debug3: mm_request_receive entering
debug3: monitor_read: checking request 11
debug3: PAM: sshpam_passwd_conv called with 1 messages
debug3: PAM: sshpam_passwd_conv called with 1 messages
debug1: PAM: password authentication failed for lyork: Authentication failure
debug3: mm_answer_authpassword: sending result 0
debug3: mm_request_send entering: type 12
Failed password for lyork from 127.0.0.1 port 1199 ssh2
[end snippet]
From: pam-list-bounces at redhat.com [mailto:pam-list-bounces at redhat.com] On
Behalf Of Whittier, Kevin CTR 63134
Sent: Monday, September 22, 2008 2:22 PM
To: Pluggable Authentication Modules
Subject: RE: Authentication problems with ldap
This works for my environment:
auth     required   pam_env.so
auth     sufficient pam_unix.so audit
auth     sufficient pam_ldap.so use_first_pass
# pam_ldap acct verifies host in ldap user's ACL and returns IGNORE if non-ldap.
# pam_unix acct succeeds w/o checking ACL if put 1st as pam_ldap auth would
# have already retrieved user's passwd and shadow info.
account  required   pam_ldap.so ignore_unknown_user ignore_authinfo_unavail
account  required   pam_tally.so deny=3 no_magic_root reset
account  sufficient pam_unix.so audit
password requisite  pam_cracklib.so retry=3 minlen=14 lcredit=-2 ocredit=-2 ucredit=-2 dcredit=-2
password sufficient pam_ldap.so use_authtok
password sufficient pam_unix.so use_authtok shadow md5 audit
# pam_ldap session, pam_sm_open_session(), closes any remaining ldap connection.
session  required   pam_limits.so
session  required   pam_mkhomedir.so skel=/etc/skel umask=0022
session  required   pam_unix.so audit
session  required   pam_ldap.so
Kevin
_____
From: Lynn York
Sent: Mon 9/22/2008 11:02 AM
To: Pluggable Authentication Modules
Subject: RE: Authentication problems with ldap
_______________________________________________
Pam-list mailing list
Pam-list at redhat.com
https://www.redhat.com/mailman/listinfo/pam-list
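The config Kevin posted only behaves as his comments describe because of how Linux-PAM combines module results: a failing `sufficient` module is ignored and the stack continues, a `required` failure is remembered until the end of the stack even if a later module succeeds, and a `requisite` failure stops the stack at once. The Python below is an added example, not code from this thread or from Linux-PAM. It walks his auth, account and password stacks the way libpam's dispatcher does, using the expansions of the control keywords given in pam.conf(5). The return code each module is assumed to produce in a given situation is my assumption, stated in the code next to the scenario that uses it: pam_env's authenticate hook returning PAM_IGNORE, pam_ldap with ignore_unknown_user returning PAM_IGNORE for a user it does not know and PAM_PERM_DENIED for a host outside the user's ACL, pam_tally returning PAM_AUTH_ERR once deny=3 is reached, and pam_unix's account hook succeeding for an LDAP user whose passwd and shadow data NSS has already fetched.

```python
"""How Linux-PAM combines module results: a model of the stacks posted above.

Added example, not code from the thread or from Linux-PAM itself.  The
control keywords are expanded exactly as pam.conf(5) documents them; the
return code each module is assumed to produce in a given situation is an
assumption, written next to the scenario that uses it.
"""

SUCCESS = "PAM_SUCCESS"
IGNORE = "PAM_IGNORE"
NEW_AUTHTOK_REQD = "PAM_NEW_AUTHTOK_REQD"
AUTH_ERR = "PAM_AUTH_ERR"
AUTHTOK_ERR = "PAM_AUTHTOK_ERR"
USER_UNKNOWN = "PAM_USER_UNKNOWN"
AUTHINFO_UNAVAIL = "PAM_AUTHINFO_UNAVAIL"
PERM_DENIED = "PAM_PERM_DENIED"   # what libpam returns when no module was decisive

# pam.conf(5) equivalents of the simple control keywords.
CONTROL = {
    "required":   {SUCCESS: "ok", NEW_AUTHTOK_REQD: "ok", IGNORE: "ignore", "default": "bad"},
    "requisite":  {SUCCESS: "ok", NEW_AUTHTOK_REQD: "ok", IGNORE: "ignore", "default": "die"},
    "sufficient": {SUCCESS: "done", NEW_AUTHTOK_REQD: "done", "default": "ignore"},
    "optional":   {SUCCESS: "ok", NEW_AUTHTOK_REQD: "ok", "default": "ignore"},
}


def evaluate(stack, results):
    """Walk one management group (auth, account, ...) like libpam's dispatcher.

    stack:   [(control, module), ...] in file order
    results: {module: return code} for this scenario
    Returns (final status, modules that were actually called).
    """
    impression = None        # None: nothing decisive yet; True/False: positive/negative
    status = PERM_DENIED
    called = []
    for control, module in stack:
        retval = results[module]
        called.append(module)
        table = CONTROL[control]
        action = table.get(retval, table["default"])
        if action == "ignore":
            continue                      # e.g. a failing sufficient module
        if action in ("ok", "done"):
            # A success only counts while nothing has failed; an earlier
            # required failure keeps the negative impression to the end.
            if impression is None or (impression and status == SUCCESS):
                impression, status = True, retval
            if impression and action == "done":
                break                     # sufficient success ends the stack
        else:                             # "bad" or "die"
            if impression is not False:
                impression, status = False, retval
            if action == "die":
                break                     # requisite failure ends the stack
    if impression is None:
        status = PERM_DENIED
    return status, called


# The auth, account and password stacks from the config above (module options
# dropped; they only change which code a module returns).
AUTH = [("required", "pam_env"), ("sufficient", "pam_unix"), ("sufficient", "pam_ldap")]
ACCOUNT = [("required", "pam_ldap"), ("required", "pam_tally"), ("sufficient", "pam_unix")]
ACCOUNT_UNIX_FIRST = [("sufficient", "pam_unix"), ("required", "pam_ldap"), ("required", "pam_tally")]
PASSWORD = [("requisite", "pam_cracklib"), ("sufficient", "pam_ldap"), ("sufficient", "pam_unix")]

# Assumed module results: pam_env's auth hook -> PAM_IGNORE; pam_ldap with
# ignore_unknown_user -> PAM_IGNORE for a non-LDAP user and PAM_PERM_DENIED
# for a host not in the user's ACL; pam_tally -> PAM_AUTH_ERR once deny=3 is
# hit; pam_unix account -> PAM_SUCCESS for an LDAP user whose passwd/shadow
# data NSS already fetched (Kevin's point about ordering).
SCENARIOS = {
    "auth: local user, right password":
        (AUTH, {"pam_env": IGNORE, "pam_unix": SUCCESS, "pam_ldap": USER_UNKNOWN}),
    "auth: LDAP user, right password":
        (AUTH, {"pam_env": IGNORE, "pam_unix": USER_UNKNOWN, "pam_ldap": SUCCESS}),
    "auth: LDAP user, wrong password":
        (AUTH, {"pam_env": IGNORE, "pam_unix": USER_UNKNOWN, "pam_ldap": AUTH_ERR}),
    "auth: LDAP user, directory unreachable":
        (AUTH, {"pam_env": IGNORE, "pam_unix": USER_UNKNOWN, "pam_ldap": AUTHINFO_UNAVAIL}),
    "account: local user":
        (ACCOUNT, {"pam_ldap": IGNORE, "pam_tally": SUCCESS, "pam_unix": SUCCESS}),
    "account: LDAP user, host allowed":
        (ACCOUNT, {"pam_ldap": SUCCESS, "pam_tally": SUCCESS, "pam_unix": SUCCESS}),
    "account: LDAP user, host not in ACL":
        (ACCOUNT, {"pam_ldap": PERM_DENIED, "pam_tally": SUCCESS, "pam_unix": SUCCESS}),
    "account, pam_unix first: LDAP user, host not in ACL":
        (ACCOUNT_UNIX_FIRST, {"pam_unix": SUCCESS, "pam_ldap": PERM_DENIED, "pam_tally": SUCCESS}),
    "account: local user, deny=3 reached":
        (ACCOUNT, {"pam_ldap": IGNORE, "pam_tally": AUTH_ERR, "pam_unix": SUCCESS}),
    "password: pam_cracklib rejects the new password":
        (PASSWORD, {"pam_cracklib": AUTHTOK_ERR, "pam_ldap": SUCCESS, "pam_unix": SUCCESS}),
}


def run(name):
    """Evaluate one named scenario; returns (status, modules called)."""
    stack, results = SCENARIOS[name]
    return evaluate(stack, results)


if __name__ == "__main__":
    for name in SCENARIOS:
        status, called = run(name)
        print(f"{name:52} -> {status:20} via {' -> '.join(called)}")
```

Run it to see, for each scenario, the final status and which modules were reached. Two things the model makes visible: with pam_unix placed first in the account stack, an LDAP user whose host is not in the ACL is accepted and pam_ldap is never consulted, which is exactly the ordering point in Kevin's comment; and a locked-out local user is refused even though `account sufficient pam_unix.so` succeeds, because the earlier `required pam_tally.so` failure has already fixed the result. One detail worth carrying back to Lynn's log: when every sufficient auth module fails, libpam has no decisive result and returns PAM_PERM_DENIED, whose pam_strerror text is "Permission denied". sshd logs pam_authenticate's error through pam_strerror, and the "Authentication failure" in the debug output above is Linux-PAM's text for PAM_AUTH_ERR, which a required or requisite module (for example the pam_deny.so that ends a stock system-auth) must have returned, so checking which stack /etc/pam.d/sshd actually includes is a reasonable next step.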