sshd access for users in ldap - "Access denied for this service"

ben thielsen btb at bitrate.net
Mon Mar 8 03:40:45 UTC 2010


On Mar 07, 2010, at 17.08, Steve Langasek wrote:
> 
> This implies that you've manually copied the contents of /etc/pam.d/common-*
> into /etc/pam.d/sshd, instead of using the includes as-is.  Is there a
> reason for this?

yes - i've got a learning curve ahead of me and intended to use sshd to do my experimenting.  i didn't want to muck around in the includes since it would affect more than just ssh, but wanted to retain the structure/style being used while i'm learning.  once i've become a bit more comfortable with pam and have established a working config that i understand, i'll revert back to using the includes.

> Note that by omitting pam_unix here, sshd won't honor password expiry set
> for any local accounts.

no, i wasn't aware of that - thank you.  i don't necessarily intend to permanently use pam_localuser here instead of pam_unix, but had substituted it as an experiment.

> Have you tried adding 'debug' to the pam_ldap line here?  Was there any more
> log output when the 'debug' option was passed to pam_localuser (which you
> seem to have added, then commented out)?

unfortunately, it appears that the pam_ldap module doesn't support a debug option.  the man page says that it is ignored, but i tried it anyway (which confirmed this).
when using debug with pam_localuser, i do see additional output - it appears to iterate through each entry in /etc/passwd, looking for a match:

<snip>
Mar  7 21:45:34 under sshd[20033]: pam_localuser(sshd:account): checking "nslcd:x:117:127:nss-ldapd name service LDAP connection daemon,,,:/var/run/nslcd/:/bin/false#012"
Mar  7 21:45:34 under sshd[20033]: pam_localuser(sshd:account): checking "backuppc:x:119:129:BackupPC,,,:/var/lib/backuppc:/bin/sh#012"
Mar  7 21:45:34 under sshd[20033]: pam_localuser(sshd:account): checking "haldaemon:x:120:130:Hardware abstraction layer,,,:/var/run/hald:/bin/false#012"
Mar  7 21:45:34 under sshd[20033]: Failed password for flash from 192.168.1.123 port 56360 ssh2

> The output and PAM config suggest the problem is most likely with the
> pam_ldap module, but so far there's insufficient information to say what the
> problem is.

after doing a bit more experimenting, i've found that if i use both pam_unix and pam_ldap:

account         [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account         [success=1 default=ignore]      pam_ldap.so

i'm able to log in, but with a caveat - it seems to ignore my ldap config and allows access regardless of ldap group membership. additionally, if i use only pam_ldap, i'm not able to log in and am given the same "Access denied for this service" message.

giving this a bit more consideration, it seemed it might make sense to just focus on getting ldap working all by itself and excluding the traditional unix components for the time being, to help isolate the pieces involved.  to that end, i've tried using only pam_ldap for auth and account:

>egrep -v '(^[[:space:]]*#|^[[:space:]]*$)' sshd 
auth		required			pam_env.so # [1]
auth		required			pam_env.so envfile=/etc/default/locale
auth		[success=1 default=ignore]      pam_ldap.so #use_first_pass
auth		requisite                       pam_deny.so
auth		required                        pam_permit.so
account		required			pam_nologin.so
account		[success=1 default=ignore]      pam_ldap.so
account		requisite                       pam_deny.so
account		required                        pam_permit.so
session		[default=1]                     pam_permit.so
session		requisite                       pam_deny.so
session		required                        pam_permit.so
session		required                        pam_unix.so
session		optional                        pam_ldap.so no_warn
session		optional			pam_motd.so # [1]
session		optional			pam_mail.so standard noenv # [1]
session		required			pam_limits.so
password        required                        pam_passwdqc.so min=disabled,16,12,7,6 max=256
password        [success=2 default=ignore]      pam_unix.so obscure md5
password        [success=1 user_unknown=ignore default=die]     pam_ldap.so use_authtok try_first_pass
password        requisite                       pam_deny.so
password        required                        pam_permit.so

the results and assorted output remain the same though.  i did notice these two lines in the sshd debug output:

debug3: mm_auth_password: user authenticated
...
debug3: PAM: do_pam_account pam_acct_mgmt = 7 (Authentication failure)

what can i do to see more regarding the second message?  it seems like the tree worth barking up.

thanks
-ben
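The behaviour Ben describes (pam_acct_mgmt = 7 with pam_ldap alone, and a login that ignores LDAP group membership when pam_unix comes first with success=2) follows from how libpam walks a stack whose control fields are written in the bracketed `[success=N default=ignore]` style. The following script is an added example, not part of the original thread or of Linux-PAM: it models the dispatcher rules from pam.d(5) (ok, done, bad, die, ignore, reset and the numeric jump) and evaluates the two account stacks from the post. The module return codes fed in are constructed assumptions: pam_ldap is assumed to return PAM_PERM_DENIED when its authorization check rejects the user, and pam_deny's account hook returns PAM_AUTH_ERR (7), which is the value sshd logged.

```python
"""Model of Linux-PAM stack evaluation, used to replay the account stacks from the post."""
import re

# Return codes; numeric values follow Linux-PAM's _pam_types.h
PAM_SUCCESS, PAM_PERM_DENIED, PAM_AUTH_ERR = 0, 6, 7
PAM_USER_UNKNOWN, PAM_NEW_AUTHTOK_REQD, PAM_IGNORE = 10, 12, 25
NAMES = {0: "success", 6: "perm_denied", 7: "auth_err", 10: "user_unknown",
         12: "new_authtok_reqd", 25: "ignore"}

# Keyword controls expressed as their bracketed equivalents (pam.d(5))
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}
LINE_RE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def parse_control(field):
    """'required' or '[success=2 default=ignore]' -> {return_code_name: action}."""
    if field.startswith("["):
        return dict(p.split("=", 1) for p in field.strip("[]").split())
    return dict(KEYWORDS[field])

def parse_stack(text, stack_type):
    """Return [(control, module)] for the lines of one stack type (auth, account, ...)."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.split("#", 1)[0].strip())
        if m and m.group(1) == stack_type:
            entries.append((parse_control(m.group(2)), m.group(3)))
    return entries

def run_stack(entries, results):
    """Walk the stack as libpam's dispatcher does; return (final code, trace)."""
    impression, status, skip, trace = None, PAM_SUCCESS, 0, []
    for control, module in entries:
        if skip:                       # jumped over by a preceding numeric action
            skip -= 1
            trace.append(f"{module}: skipped")
            continue
        retval = results.get(module, PAM_SUCCESS)   # unmodelled modules succeed
        name = NAMES.get(retval, f"code{retval}")
        action = control.get(name, control.get("default", "bad"))
        trace.append(f"{module}: {name} -> {action}")
        if action.isdigit():           # N: same as ok, plus skip the next N modules
            skip, action = int(action), "ok"
        if action == "ignore":
            continue
        if action in ("bad", "die"):   # first failure fixes the stack's result
            if impression is not False:
                impression, status = False, retval
            if action == "die":
                break
        elif action in ("ok", "done"):  # success only counts while nothing has failed
            if impression is None or (impression and status == PAM_SUCCESS):
                if retval != PAM_IGNORE or action == "done":
                    impression, status = True, retval
            if action == "done":
                break
        elif action == "reset":
            impression, status = None, PAM_SUCCESS
    if impression is None or (impression and status == PAM_IGNORE):
        status = PAM_PERM_DENIED       # no module contributed: libpam "must fail"
    return status, trace

# Constructed stacks, following the two account configurations in the post
ACCOUNT_LDAP_ONLY = """
account required pam_nologin.so
account [success=1 default=ignore] pam_ldap.so
account requisite pam_deny.so
account required pam_permit.so
"""
ACCOUNT_UNIX_THEN_LDAP = """
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 default=ignore] pam_ldap.so
account requisite pam_deny.so
account required pam_permit.so
"""

def scenario(config, ldap_result, unix_result=PAM_SUCCESS):
    """Evaluate the account stack with assumed per-module results (constructed)."""
    results = {"pam_nologin.so": PAM_SUCCESS, "pam_permit.so": PAM_SUCCESS,
               "pam_deny.so": PAM_AUTH_ERR,   # pam_deny's account hook returns PAM_AUTH_ERR
               "pam_ldap.so": ldap_result, "pam_unix.so": unix_result}
    return run_stack(parse_stack(config, "account"), results)

if __name__ == "__main__":
    for label, cfg, ldap, unix in [
        ("ldap only, authz rejected", ACCOUNT_LDAP_ONLY, PAM_PERM_DENIED, PAM_SUCCESS),
        ("unix then ldap, authz rejected", ACCOUNT_UNIX_THEN_LDAP, PAM_PERM_DENIED, PAM_SUCCESS),
        ("unix then ldap, user not local", ACCOUNT_UNIX_THEN_LDAP, PAM_PERM_DENIED, PAM_USER_UNKNOWN),
    ]:
        code, trace = scenario(cfg, ldap, unix)
        print(f"{label}: pam_acct_mgmt = {code}")
        for step in trace:
            print("   ", step)
```

Running it shows the two outcomes from the post side by side: with pam_ldap alone, a rejection is turned into `default=ignore`, so pam_deny's requisite `die` supplies the stack result of 7; with pam_unix first, a successful pam_unix jumps over both pam_ldap and pam_deny, so the LDAP authorization check never executes for any user that NSS resolves.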