Forcing pam to work with openssh publickey and libpam_ldapd
Jakub Jindra
maillist at jakubjindra.eu
Wed Apr 8 10:53:32 UTC 2015
Hi,
I have working pam_ldap authentication. I'm using slapo-nssov and want to
use the loginStatus attribute, which is added to the user's ldap entry after opening
a pam session and deleted when it's closed. It works only with ssh password
authentication.
I think that something is skipped in pam when I use a public key instead
of a password - there is no 'pam_ldap(sshd:auth) nslcd authentication;
user=user' record in the log. That's probably the reason why the loginStatus
attribute isn't added to the user's ldap entry. See the auth.log debug below. Is
there any chance to force pam to do sshd:auth when public-key
authentication is used?
Successful ssh connection by user password:
Apr 8 10:41:57 host sshd[14511]: pam_ldap(sshd:auth): nslcd authentication; user=jindraj
Apr 8 10:41:57 host sshd[14511]: pam_ldap(sshd:auth): authentication succeeded
Apr 8 10:41:57 host sshd[14511]: pam_ldap(sshd:account): nslcd authorisation; user=jindraj
Apr 8 10:41:57 host sshd[14511]: pam_ldap(sshd:account): authorization succeeded
Apr 8 10:41:57 host sshd[14511]: Accepted password for jindraj from 10.255.0.5 port 60889 ssh2: RSA 5c:f6:86:ec:06:b6:4d:ed:e5:34:23:66:78:a0:16:2b
Apr 8 10:41:57 host sshd[14511]: pam_selinux(sshd:session): Open Session
Apr 8 10:41:57 host sshd[14511]: pam_unix(sshd:session): session opened for user jindraj by (uid=0)
Apr 8 10:41:57 host sshd[14511]: pam_ldap(sshd:session): nslcd session open; user=jindraj
Apr 8 10:41:57 host sshd[14511]: pam_ldap(sshd:session): session open succeeded; session_id=1428482517
Apr 8 10:41:57 host login[14524]: pam_ldap(login:account): nslcd authorisation; user=jindraj
Apr 8 10:41:57 host login[14524]: pam_ldap(login:account): authorization succeeded
Apr 8 10:41:57 host login[14524]: pam_unix(login:session): session opened for user jindraj by (uid=0)
Apr 8 10:41:57 host login[14524]: pam_ldap(login:session): nslcd session open; user=jindraj
Apr 8 10:41:57 host login[14524]: pam_ldap(login:session): error reading from nslcd: Connection reset by peer
Apr 8 10:41:57 host login[14524]: pam_ldap(login:session): nslcd session open; user=jindraj
Apr 8 10:41:57 host login[14524]: pam_ldap(login:session): error reading from nslcd: Connection reset by peer
Successful ssh connection by the user's public key:
Apr 8 10:41:32 host sshd[14389]: pam_ldap(sshd:account): nslcd authorisation; user=jindraj
Apr 8 10:41:32 host sshd[14389]: pam_ldap(sshd:account): authorization succeeded
Apr 8 10:41:32 host sshd[14389]: Accepted publickey for jindraj from 10.255.0.5 port 60888 ssh2: RSA 5c:f6:86:ec:06:b6:4d:ed:e5:34:23:66:78:a0:16:2b
Apr 8 10:41:32 host sshd[14389]: pam_selinux(sshd:session): Open Session
Apr 8 10:41:32 host sshd[14389]: pam_unix(sshd:session): session opened for user jindraj by (uid=0)
Apr 8 10:41:32 host sshd[14389]: pam_ldap(sshd:session): nslcd session open; user=jindraj
Apr 8 10:41:32 host sshd[14389]: pam_ldap(sshd:session): error reading from nslcd: Connection reset by peer
Apr 8 10:41:32 host sshd[14389]: pam_ldap(sshd:session): nslcd session open; user=jindraj
Apr 8 10:41:32 host sshd[14389]: pam_ldap(sshd:session): error reading from nslcd: Connection reset by peer
Apr 8 10:41:32 host sshd[14389]: pam_selinux(sshd:session): Open Session
Apr 8 10:41:32 host sshd[14389]: pam_selinux(sshd:session): SELinux is not enabled
Apr 8 10:41:32 host login[14420]: pam_ldap(login:account): nslcd authorisation; user=jindraj
Apr 8 10:41:32 host login[14420]: pam_ldap(login:account): authorization succeeded
Apr 8 10:41:32 host login[14420]: pam_unix(login:session): session opened for user jindraj by (uid=0)
Apr 8 10:41:32 host login[14420]: pam_ldap(login:session): nslcd session open; user=jindraj
Apr 8 10:41:32 host login[14420]: pam_ldap(login:session): error reading from nslcd: Connection reset by peer
Apr 8 10:41:32 host login[14420]: pam_ldap(login:session): nslcd session open; user=jindraj
Apr 8 10:41:32 host login[14420]: pam_ldap(login:session): error reading from nslcd: Connection reset by peer
Here's my auth-client-config profile. It should give you insight into how my
[ldap]
nss_passwd=passwd: files ldap
nss_group=group: files ldap
nss_shadow=shadow: files
nss_netgroup=netgroup: nis
nss_hosts=hosts: files cache dns
nss_services=services: files ldap
nss_sudoers=sudoers: files ldap
pam_auth=auth required pam_env.so
auth sufficient pam_unix.so likeauth nullok
auth sufficient pam_ldap.so minimum_uid=10000 use_first_pass debug
auth required pam_deny.so
pam_account=account sufficient pam_unix.so
account sufficient pam_ldap.so minimum_uid=10000 debug
account required pam_deny.so
pam_password=password sufficient pam_unix.so nullok md5 shadow use_authtok
password sufficient pam_ldap.so minimum_uid=10000 try_first_pass debug
password required pam_deny.so
pam_session=session required pam_limits.so
session required pam_unix.so
session sufficient pam_ldap.so use_authtok debug
session sufficient pam_ldap.so minimum_uid=10000 debug
session required pam_mkhomedir.so skel=/etc/skel umask=0022
My environment:
Ubuntu 14.04 LTS
OpenSSH_6.6.1p1 Ubuntu-2ubuntu2, OpenSSL 1.0.1f 6 Jan 2014
libpam_ldapd 0.8.13-3
libnss_ldapd 0.8.13-3
openldap 2.4.31 with nssov
Thanks,
Jakub Jindra
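Added example, not part of the original post: a small log-triage script that makes the behaviour visible in the two excerpts above. For a public-key login OpenSSH never calls pam_authenticate (the PAM "auth" stack is only run for password and keyboard-interactive authentication), so only the account and session phases appear for that sshd process. The script groups sshd log lines by process id, records which PAM phases each connection ran and which authentication method was accepted, and reports accepted logins that skipped sshd:auth. The sample lines are reconstructed from the post's excerpt (mail-wrapped lines joined) and the parsing logic and function names are my own, not part of pam_ldapd or OpenSSH.

```python
import re
from collections import defaultdict

# Sample auth.log excerpt, reconstructed from the lines quoted in the post
# with the mail-wrapped lines joined. Constructed test data, not a live capture.
SAMPLE_LOG = """\
Apr 8 10:41:57 host sshd[14511]: pam_ldap(sshd:auth): nslcd authentication; user=jindraj
Apr 8 10:41:57 host sshd[14511]: pam_ldap(sshd:auth): authentication succeeded
Apr 8 10:41:57 host sshd[14511]: pam_ldap(sshd:account): nslcd authorisation; user=jindraj
Apr 8 10:41:57 host sshd[14511]: pam_ldap(sshd:account): authorization succeeded
Apr 8 10:41:57 host sshd[14511]: Accepted password for jindraj from 10.255.0.5 port 60889 ssh2: RSA 5c:f6:86:ec:06:b6:4d:ed:e5:34:23:66:78:a0:16:2b
Apr 8 10:41:57 host sshd[14511]: pam_unix(sshd:session): session opened for user jindraj by (uid=0)
Apr 8 10:41:57 host sshd[14511]: pam_ldap(sshd:session): nslcd session open; user=jindraj
Apr 8 10:41:57 host login[14524]: pam_ldap(login:session): nslcd session open; user=jindraj
Apr 8 10:41:32 host sshd[14389]: pam_ldap(sshd:account): nslcd authorisation; user=jindraj
Apr 8 10:41:32 host sshd[14389]: pam_ldap(sshd:account): authorization succeeded
Apr 8 10:41:32 host sshd[14389]: Accepted publickey for jindraj from 10.255.0.5 port 60888 ssh2: RSA 5c:f6:86:ec:06:b6:4d:ed:e5:34:23:66:78:a0:16:2b
Apr 8 10:41:32 host sshd[14389]: pam_unix(sshd:session): session opened for user jindraj by (uid=0)
Apr 8 10:41:32 host sshd[14389]: pam_ldap(sshd:session): nslcd session open; user=jindraj
Apr 8 10:41:32 host sshd[14389]: pam_ldap(sshd:session): error reading from nslcd: Connection reset by peer
"""

# syslog-style line emitted by sshd: "<ts> <host> sshd[<pid>]: <msg>"
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# PAM module log prefix: "pam_<module>(sshd:<phase>): <detail>"
PAM_RE = re.compile(
    r"^(?P<module>pam_\w+)\(sshd:(?P<phase>auth|account|password|session)\): (?P<detail>.*)$"
)
# sshd's own record of a successful login and the method it accepted
ACCEPT_RE = re.compile(
    r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)


def summarize_sshd_logins(log_text):
    """Group sshd lines by process id and record, per connection, the PAM
    phases that ran, the accepted auth method and the nslcd read errors.
    Returns {pid: {"user", "method", "src", "phases": set, "nslcd_errors": int}}."""
    sessions = defaultdict(lambda: {"user": None, "method": None, "src": None,
                                    "phases": set(), "nslcd_errors": 0})
    for line in log_text.splitlines():
        m = SSHD_RE.match(line)
        if not m:
            continue  # login[...] and other daemons are out of scope here
        pid, msg = m.group("pid"), m.group("msg")
        s = sessions[pid]
        pm = PAM_RE.match(msg)
        if pm:
            s["phases"].add(pm.group("phase"))
            if pm.group("detail").startswith("error reading from nslcd"):
                s["nslcd_errors"] += 1
            continue
        am = ACCEPT_RE.match(msg)
        if am:
            s["user"], s["method"], s["src"] = am.group("user"), am.group("method"), am.group("src")
    return dict(sessions)


def logins_without_auth_phase(log_text):
    """Accepted logins whose sshd process never ran the PAM 'auth' phase,
    i.e. the ones for which no pam_ldap(sshd:auth) record can exist."""
    return {pid: s for pid, s in summarize_sshd_logins(log_text).items()
            if s["method"] is not None and "auth" not in s["phases"]}


if __name__ == "__main__":
    for pid, s in sorted(summarize_sshd_logins(SAMPLE_LOG).items()):
        print(f"sshd[{pid}] {s['user']} via {s['method']} from {s['src']}: "
              f"PAM phases {sorted(s['phases'])}, nslcd errors {s['nslcd_errors']}")
    print("logins that skipped sshd:auth:", sorted(logins_without_auth_phase(SAMPLE_LOG)))
```

Running it against the sample shows pid 14511 (password) with auth, account and session phases and pid 14389 (publickey) with only account and session, which is exactly the gap the post describes; the same grouping can be pointed at a real auth.log to confirm which login method a given session used before looking for loginStatus in LDAP. Note also that the "error reading from nslcd" counter catches the connection resets visible in both excerpts, which are worth chasing separately from the missing auth phase.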