[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Forcing pam to work with openssh publickey and libpam_ldapd



Hi,

I have working pam_ldap authentication. I'm using slapo-nssov and want to use loginStatus attribute which is added to users ldap entry after opening pam session and deleted when its closed. It works only with ssh password authentication. 
I think that there's something skipped in pam when I use public-key instead of password - There is no 'pam_ldap(sshd:auth) nslcd authentication; user=user' record in the log. That's probably the reason why loginStatus attribute isn't added for users ldap entry. See auth.log debug below. Is there any chance to force pam to do sshd:auth when the public-key authentication is used? 

Successful ssh connection by user password:
Apr  8 10:41:57 host sshd[14511]: pam_ldap(sshd:auth): nslcd authentication; user=jindraj
Apr  8 10:41:57 host sshd[14511]: pam_ldap(sshd:auth): authentication succeeded
Apr  8 10:41:57 host sshd[14511]: pam_ldap(sshd:account): nslcd authorisation; user=jindraj
Apr  8 10:41:57 host sshd[14511]: pam_ldap(sshd:account): authorization succeeded
Apr  8 10:41:57 host sshd[14511]: Accepted password for jindraj from 10.255.0.5 port 60889 ssh2: RSA 5c:f6:86:ec:06:b6:4d:ed:e5:34:23:66:78:a0:16:2b
Apr  8 10:41:57 host sshd[14511]: pam_selinux(sshd:session): Open Session
Apr  8 10:41:57 host sshd[14511]: pam_unix(sshd:session): session opened for user jindraj by (uid=0)
Apr  8 10:41:57 host sshd[14511]: pam_ldap(sshd:session): nslcd session open; user=jindraj
Apr  8 10:41:57 host sshd[14511]: pam_ldap(sshd:session): session open succeeded; session_id=1428482517
Apr  8 10:41:57 host login[14524]: pam_ldap(login:account): nslcd authorisation; user=jindraj
Apr  8 10:41:57 host login[14524]: pam_ldap(login:account): authorization succeeded
Apr  8 10:41:57 host login[14524]: pam_unix(login:session): session opened for user jindraj by (uid=0)
Apr  8 10:41:57 host login[14524]: pam_ldap(login:session): nslcd session open; user=jindraj
Apr  8 10:41:57 host login[14524]: pam_ldap(login:session): error reading from nslcd: Connection reset by peer
Apr  8 10:41:57 host login[14524]: pam_ldap(login:session): nslcd session open; user=jindraj
Apr  8 10:41:57 host login[14524]: pam_ldap(login:session): error reading from nslcd: Connection reset by peer

Successfull ssh connection by users public-key
Apr  8 10:41:32 host sshd[14389]: pam_ldap(sshd:account): nslcd authorisation; user=jindraj
Apr  8 10:41:32 host sshd[14389]: pam_ldap(sshd:account): authorization succeeded
Apr  8 10:41:32 host sshd[14389]: Accepted publickey for jindraj from 10.255.0.5 port 60888 ssh2: RSA 5c:f6:86:ec:06:b6:4d:ed:e5:34:23:66:78:a0:16:2b
Apr  8 10:41:32 host sshd[14389]: pam_selinux(sshd:session): Open Session
Apr  8 10:41:32 host sshd[14389]: pam_unix(sshd:session): session opened for user jindraj by (uid=0)
Apr  8 10:41:32 host sshd[14389]: pam_ldap(sshd:session): nslcd session open; user=jindraj
Apr  8 10:41:32 host sshd[14389]: pam_ldap(sshd:session): error reading from nslcd: Connection reset by peer
Apr  8 10:41:32 host sshd[14389]: pam_ldap(sshd:session): nslcd session open; user=jindraj
Apr  8 10:41:32 host sshd[14389]: pam_ldap(sshd:session): error reading from nslcd: Connection reset by peer
Apr  8 10:41:32 host sshd[14389]: pam_selinux(sshd:session): Open Session
Apr  8 10:41:32 host sshd[14389]: pam_selinux(sshd:session): SELinux is not enabled
Apr  8 10:41:32 host login[14420]: pam_ldap(login:account): nslcd authorisation; user=jindraj
Apr  8 10:41:32 host login[14420]: pam_ldap(login:account): authorization succeeded
Apr  8 10:41:32 host login[14420]: pam_unix(login:session): session opened for user jindraj by (uid=0)
Apr  8 10:41:32 host login[14420]: pam_ldap(login:session): nslcd session open; user=jindraj
Apr  8 10:41:32 host login[14420]: pam_ldap(login:session): error reading from nslcd: Connection reset by peer
Apr  8 10:41:32 host login[14420]: pam_ldap(login:session): nslcd session open; user=jindraj
Apr  8 10:41:32 host login[14420]: pam_ldap(login:session): error reading from nslcd: Connection reset by peer

Here's my auth-client-config profile. It should give you insight how my 
[ldap]
nss_passwd=passwd: files ldap
nss_group=group: files ldap
nss_shadow=shadow: files
nss_netgroup=netgroup: nis
nss_hosts=hosts: files cache dns
nss_services=services: files ldap
nss_sudoers=sudoers: files ldap
pam_auth=auth required pam_env.so
         auth sufficient pam_unix.so likeauth nullok
         auth sufficient pam_ldap.so minimum_uid=10000 use_first_pass debug
         auth required pam_deny.so
pam_account=account sufficient pam_unix.so
            account sufficient pam_ldap.so minimum_uid=10000 debug
            account required pam_deny.so
pam_password=password sufficient pam_unix.so nullok md5 shadow use_authtok
             password sufficient pam_ldap.so minimum_uid=10000 try_first_pass debug
             password required pam_deny.so
pam_session=session required pam_limits.so
            session required pam_unix.so
            session sufficient pam_ldap.so use_authtok debug
            session sufficient pam_ldap.so minimum_uid=10000 debug
            session required pam_mkhomedir.so skel=/etc/skel umask=0022

My environment:
Ubuntu 14.04 LTS
OpenSSH_6.6.1p1 Ubuntu-2ubuntu2, OpenSSL 1.0.1f 6 Jan 2014
libpam_ldapd 0.8.13-3
libnss_ldapd 0.8.13-3
openldap 2.4.31 with nssov

Thanks,
Jakub Jindra

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]