Hello, I am currently using OpenLDAP for
authentication and seems I’m having some troubles explaining PAM what it should
be doing. I get this error when trying to login with an ldap user trough ssh: Apr 8
16:38:16 rh01 sshd[11045]: debug1: userauth-request for user myuser service
ssh-connection method password Apr 8
16:38:16 rh01 sshd[11045]: debug1: attempt 1 failures 1 Apr 8 16:38:17
rh01 sshd[11044]: pam_unix(sshd:auth): check pass; user unknown Apr 8
16:38:17 rh01 sshd[11044]: pam_unix(sshd:auth): authentication failure;
logname= uid=0 euid=0 tty=ssh ruser= rhost=rh01.localdomain Apr 8
16:38:17 rh01 sshd[11044]: pam_succeed_if(sshd:auth): error retrieving
information about user myuser Apr 8
16:38:19 rh01 sshd[11044]: debug1: PAM: password authentication failed for an
illegal user: User not known to the underlying authentication module Apr 8
16:38:19 rh01 sshd[11044]: Failed password for invalid user myuser from
127.0.0.1 port 42064 ssh2 So it seems he just doesn’t recognize the
user (stored in LDAP directory). I had this working before but then I made some
changes to try to make the pam files more readable and now they never got back
to working … :) Here is my system-auth file in /etc/pam.d #%PAM-1.0 # This file is
auto-generated. # User changes
will be destroyed the next time authconfig is run. auth
required pam_env.so auth
sufficient pam_unix.so nullok try_first_pass auth
requisite pam_succeed_if.so uid >= 500 quiet auth
sufficient /lib/security/pam_ldap.so use_first_pass auth
required pam_deny.so account
required pam_unix.so broken_shadow account
sufficient pam_localuser.so account
sufficient pam_succeed_if.so uid < 500 quiet account
[default=bad success=ok user_unknown=ignore] /lib/security/pam_ldap.so account
required pam_permit.so password
requisite pam_cracklib.so try_first_pass retry=3 password
sufficient pam_unix.so md5 shadow nullok try_first_pass
use_authtok password
sufficient /lib/security/pam_ldap.so use_authtok password
required pam_deny.so session
optional pam_keyinit.so revoke session
required pam_limits.so session
[success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session
required pam_unix.so session
optional /lib/security/pam_ldap.so And here is sshd file in the same directory #%PAM-1.0 auth
sufficient /lib/security/pam_ldap.so auth
include system-auth account
sufficient /lib/security/pam_ldap.so account
required pam_nologin.so account
include system-auth password
required /lib/security/pam_ldap.so password
include system-auth session
sufficient /lib/security/pam_ldap.so password
sufficient pam_unix.so ssha shadow nullok try_first_pass
use_authtok session
optional pam_keyinit.so force revoke session
include system-auth session
required pam_loginuid.so As part of the “file clean-up” I was only
using the “include” directives but since it stopped working I reverted back to
explicitly telling what module to use… still doesn’t work though. Can anyone
see why SSH doesn’t even try to authenticate against the OpenLDAP directory? Thank you, Nuno |
_______________________________________________ Pam-list mailing list Pam-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/pam-list