Authentication problems with ldap

Lynn York lyork at inetu.net
Mon Sep 22 19:22:15 UTC 2008


I attempted to use the same config as listed below and I am still running
into issues.  I do not see anything in /var/log/secure or /var/log/messages.
Here is the auth. part of my ssh debug log:

[snippet ]

debug1: PAM: initializing for "lyork"
debug3: Normalising mapped IPv4 in IPv6 address
debug3: Trying to reverse map address 127.0.0.1.
debug1: PAM: setting PAM_RHOST to "cent-os-2"
debug1: PAM: setting PAM_TTY to "ssh"
debug2: monitor_read: 46 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 3
debug3: mm_answer_authserv: service=ssh-connection, style=
debug2: monitor_read: 3 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 4
debug3: mm_answer_authrole: role=
debug2: monitor_read: 4 used once, disabling now
debug3: mm_request_receive entering
debug1: userauth-request for user lyork service ssh-connection method publickey
debug1: attempt 1 failures 1
debug2: input_userauth_request: try method publickey
debug1: test whether pkalg/pkblob are acceptable
debug3: mm_key_allowed entering
debug3: mm_request_send entering: type 21
debug3: monitor_read: checking request 21
debug3: mm_answer_keyallowed entering
debug3: mm_answer_keyallowed: key_from_blob: 0x80983b8
debug1: temporarily_use_uid: 3000/3000 (e=0/0)
debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED
debug3: mm_request_receive_expect entering: type 22
debug3: mm_request_receive entering
debug1: trying public key file /home/lyork/.ssh/authorized_keys
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 3000/3000 (e=0/0)
debug1: trying public key file /home/lyork/.ssh/authorized_keys2
debug1: restore_uid: 0/0
debug3: Normalising mapped IPv4 in IPv6 address
Failed publickey for lyork from 127.0.0.1 port 1199 ssh2
debug3: mm_answer_keyallowed: key 0x80983b8 is disallowed
debug3: mm_request_send entering: type 22
debug3: mm_request_receive entering
debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa
debug1: userauth-request for user lyork service ssh-connection method password
debug1: attempt 2 failures 2
debug2: input_userauth_request: try method password
debug3: mm_auth_password entering
debug3: mm_request_send entering: type 11
debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
debug3: mm_request_receive_expect entering: type 12
debug3: mm_request_receive entering
debug3: monitor_read: checking request 11
debug3: PAM: sshpam_passwd_conv called with 1 messages
debug3: PAM: sshpam_passwd_conv called with 1 messages
debug1: PAM: password authentication failed for lyork: Authentication failure
debug3: mm_answer_authpassword: sending result 0
debug3: mm_request_send entering: type 12
Failed password for lyork from 127.0.0.1 port 1199 ssh2

[end snippet]

 

From: pam-list-bounces at redhat.com [mailto:pam-list-bounces at redhat.com] On Behalf Of Whittier, Kevin CTR 63134
Sent: Monday, September 22, 2008 2:22 PM
To: Pluggable Authentication Modules
Subject: RE: Authentication problems with ldap

 

This works for my environment:

 

auth       required     pam_env.so
auth       sufficient   pam_unix.so audit
auth       sufficient   pam_ldap.so use_first_pass

# pam_ldap acct verifies host in ldap user's ACL and returns IGNORE if non-ldap.
# pam_unix acct succeeds w/o checking ACL if put 1st as pam_ldap auth would
#          have already retrieved user's passwd and shadow info.
account    required     pam_ldap.so ignore_unknown_user ignore_authinfo_unavail
account    required     pam_tally.so deny=3 no_magic_root reset
account    sufficient   pam_unix.so audit

password   requisite    pam_cracklib.so retry=3 minlen=14 lcredit=-2 ocredit=-2 ucredit=-2 dcredit=-2
password   sufficient   pam_ldap.so use_authtok
password   sufficient   pam_unix.so use_authtok shadow md5 audit

# pam_ldap session, pam_sm_open_session(), closes any remaining ldap connection.
session    required     pam_limits.so
session    required     pam_mkhomedir.so skel=/etc/skel umask=0022
session    required     pam_unix.so audit
session    required     pam_ldap.so

Kevin
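To see how the auth and account groups of the stack above behave for different kinds of user, here is a small added example (not from this thread, and not Linux-PAM's own code) that parses those two groups and walks them with the classic control-flag semantics. The per-module results in each scenario are assumptions about what that module would return for that user; the real libpam also supports [value=action] controls that this model leaves out.

```python
"""Simplified Linux-PAM stack walker for the posted auth/account groups."""
SUCCESS, FAIL, IGNORE = "success", "fail", "ignore"

PAM_CONFIG = """\
auth       required     pam_env.so
auth       sufficient   pam_unix.so audit
auth       sufficient   pam_ldap.so use_first_pass
account    required     pam_ldap.so ignore_unknown_user ignore_authinfo_unavail
account    required     pam_tally.so deny=3 no_magic_root reset
account    sufficient   pam_unix.so audit
"""

def parse_stack(text, group):
    """Return [(control, module)] for one management group, comments stripped."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == group:
            stack.append((fields[1], fields[2].replace(".so", "")))
    return stack

def evaluate(stack, results):
    """Mimic libpam dispatch: required failures stick, requisite aborts, a
    sufficient success ends the stack only if nothing required has failed."""
    impression, status = None, FAIL        # no recorded result => deny
    for control, module in stack:
        r = results.get(module, SUCCESS)
        if r == IGNORE:                    # module asked to be skipped
            continue
        if r == SUCCESS:
            if impression is None:
                impression, status = True, SUCCESS
            if control == "sufficient" and impression:
                return status              # short-circuit: done
        elif control in ("required", "requisite"):
            if impression is not False:
                impression, status = False, FAIL
            if control == "requisite":
                return status              # die immediately
        # a failing sufficient/optional module contributes nothing
    return status if impression else FAIL

AUTH = parse_stack(PAM_CONFIG, "auth")
ACCOUNT = parse_stack(PAM_CONFIG, "account")
# Assumed module results per scenario. pam_env's authenticate hook returns
# PAM_IGNORE, so the auth group only passes if pam_unix or pam_ldap succeeds.
LDAP_USER_OK = {"pam_env": IGNORE, "pam_unix": FAIL, "pam_ldap": SUCCESS}
BOTH_REJECT = {"pam_env": IGNORE, "pam_unix": FAIL, "pam_ldap": FAIL}
# account group: LDAP user whose host ACL excludes this box vs. a local user
LDAP_HOST_DENY = {"pam_ldap": FAIL, "pam_tally": SUCCESS, "pam_unix": SUCCESS}
LOCAL_ACCT = {"pam_ldap": IGNORE, "pam_tally": SUCCESS, "pam_unix": SUCCESS}
```

Calling evaluate(ACCOUNT, LDAP_HOST_DENY) returns "fail" even though the later sufficient pam_unix succeeds, which is the ordering point Kevin's comment about pam_unix being "put 1st" is getting at.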


From: Lynn York
Sent: Mon 9/22/2008 11:02 AM
To: Pluggable Authentication Modules
Subject: RE: Authentication problems with ldap

_______________________________________________
Pam-list mailing list
Pam-list at redhat.com
https://www.redhat.com/mailman/listinfo/pam-list