RE: Authentication problems with ldap

I attempted to use the same config as listed below and I am still running into issues.  I do not see anything in /var/log/secure or /var/log/messages.  Here is the auth. part of my ssh debug log:

 

[snippet]

debug1: PAM: initializing for "lyork"
debug3: Normalising mapped IPv4 in IPv6 address
debug3: Trying to reverse map address 127.0.0.1.
debug1: PAM: setting PAM_RHOST to "cent-os-2"
debug1: PAM: setting PAM_TTY to "ssh"
debug2: monitor_read: 46 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 3
debug3: mm_answer_authserv: service=ssh-connection, style=
debug2: monitor_read: 3 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 4
debug3: mm_answer_authrole: role=
debug2: monitor_read: 4 used once, disabling now
debug3: mm_request_receive entering
debug1: userauth-request for user lyork service ssh-connection method publickey
debug1: attempt 1 failures 1
debug2: input_userauth_request: try method publickey
debug1: test whether pkalg/pkblob are acceptable
debug3: mm_key_allowed entering
debug3: mm_request_send entering: type 21
debug3: monitor_read: checking request 21
debug3: mm_answer_keyallowed entering
debug3: mm_answer_keyallowed: key_from_blob: 0x80983b8
debug1: temporarily_use_uid: 3000/3000 (e=0/0)
debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED
debug3: mm_request_receive_expect entering: type 22
debug3: mm_request_receive entering
debug1: trying public key file /home/lyork/.ssh/authorized_keys
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 3000/3000 (e=0/0)
debug1: trying public key file /home/lyork/.ssh/authorized_keys2
debug1: restore_uid: 0/0
debug3: Normalising mapped IPv4 in IPv6 address
Failed publickey for lyork from 127.0.0.1 port 1199 ssh2
debug3: mm_answer_keyallowed: key 0x80983b8 is disallowed
debug3: mm_request_send entering: type 22
debug3: mm_request_receive entering
debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa
debug1: userauth-request for user lyork service ssh-connection method password
debug1: attempt 2 failures 2
debug2: input_userauth_request: try method password
debug3: mm_auth_password entering
debug3: mm_request_send entering: type 11
debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
debug3: mm_request_receive_expect entering: type 12
debug3: mm_request_receive entering
debug3: monitor_read: checking request 11
debug3: PAM: sshpam_passwd_conv called with 1 messages
debug3: PAM: sshpam_passwd_conv called with 1 messages
debug1: PAM: password authentication failed for lyork: Authentication failure
debug3: mm_answer_authpassword: sending result 0
debug3: mm_request_send entering: type 12
Failed password for lyork from 127.0.0.1 port 1199 ssh2

[end snippet]

 

From: pam-list-bounces@xxxxxxxxxx [mailto:pam-list-bounces@xxxxxxxxxx] On Behalf Of Whittier, Kevin CTR 63134
Sent: Monday, September 22, 2008 2:22 PM
To: Pluggable Authentication Modules
Subject: RE: Authentication problems with ldap

 

This works for my environment:

 

auth       required     pam_env.so
auth       sufficient   pam_unix.so audit
auth       sufficient   pam_ldap.so use_first_pass

# pam_ldap acct verifies host in ldap user's ACL and returns IGNORE if non-ldap.
# pam_unix acct succeeds w/o checking ACL if put 1st as pam_ldap auth would
#          have already retrieved user's passwd and shadow info.
account    required     pam_ldap.so ignore_unknown_user ignore_authinfo_unavail
account    required     pam_tally.so deny=3 no_magic_root reset
account    sufficient   pam_unix.so audit

password   requisite    pam_cracklib.so retry=3 minlen=14 lcredit=-2 ocredit=-2 ucredit=-2 dcredit=-2
password   sufficient   pam_ldap.so use_authtok
password   sufficient   pam_unix.so use_authtok shadow md5 audit

# pam_ldap session, pam_sm_open_session(), closes any remaining ldap connection.
session    required     pam_limits.so
session    required     pam_mkhomedir.so skel=/etc/skel umask=0022
session    required     pam_unix.so audit
session    required     pam_ldap.so

Kevin


From: Lynn York
Sent: Mon 9/22/2008 11:02 AM
To: Pluggable Authentication Modules
Subject: RE: Authentication problems with ldap

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
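
As an added example (not part of the original messages), a small Python parser that condenses an sshd debug log like the one quoted at the top of this thread into one record per authentication attempt, so the failing method, the key files tried and the PAM error can be read at a glance. The function name and record fields are assumptions made for this illustration; the sample lines are copied from that log.

```python
import re

# Lines copied (abridged) from the sshd debug log quoted in this thread.
SAMPLE_LOG = """\
debug1: userauth-request for user lyork service ssh-connection method publickey
debug1: attempt 1 failures 1
debug1: trying public key file /home/lyork/.ssh/authorized_keys
debug1: trying public key file /home/lyork/.ssh/authorized_keys2
Failed publickey for lyork from 127.0.0.1 port 1199 ssh2
debug3: mm_answer_keyallowed: key 0x80983b8 is disallowed
debug1: userauth-request for user lyork service ssh-connection method password
debug1: attempt 2 failures 2
debug1: PAM: password authentication failed for lyork: Authentication failure
Failed password for lyork from 127.0.0.1 port 1199 ssh2
"""

REQUEST = re.compile(r"userauth-request for user (\S+) service \S+ method (\S+)")
KEYFILE = re.compile(r"trying public key file (\S+)")
PAM_FAIL = re.compile(r"PAM: password authentication failed for \S+: (.+)")
RESULT = re.compile(r"^(Failed|Accepted) (\S+) for (\S+) from (\S+) port (\d+)")

def summarize_auth(log_text):
    """Group sshd debug lines into one record per userauth attempt."""
    attempts, current = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue  # tolerate double-spaced logs pasted from mail archives
        m = REQUEST.search(line)
        if m:  # a userauth-request line opens a new attempt
            current = {"user": m.group(1), "method": m.group(2), "key_files": [],
                       "pam_error": None, "result": "unknown", "source": None}
            attempts.append(current)
            continue
        if current is None:
            continue  # lines before the first request belong to no attempt
        if (m := KEYFILE.search(line)):
            current["key_files"].append(m.group(1))
        elif (m := PAM_FAIL.search(line)):
            current["pam_error"] = m.group(1)
        elif (m := RESULT.match(line)) and m.group(2) == current["method"]:
            current["result"] = m.group(1).lower()
            current["source"] = f"{m.group(4)}:{m.group(5)}"
    return attempts

if __name__ == "__main__":
    for attempt in summarize_auth(SAMPLE_LOG):
        print(attempt)
```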
