Re: sshd access for users in ldap - "Access denied for this service"



On Mar 07, 2010, at 17.08, Steve Langasek wrote:
> This implies that you've manually copied the contents of /etc/pam.d/common-*
> into /etc/pam.d/sshd, instead of using the includes as-is.  Is there a
> reason for this?

yes - i've got a learning curve ahead of me and intended to use sshd to do my experimenting.  i didn't want to muck around in the includes since it would affect more than just ssh, but wanted to retain the structure/style being used while i'm learning.  once i've become a bit more comfortable with pam and have established a working config that i understand, i'll revert back to using the includes.

> Note that by omitting pam_unix here, sshd won't honor password expiry set
> for any local accounts.

no, i wasn't aware of that - thank you.  i don't necessarily intend to permanently use pam_localuser here instead of pam_unix, but had substituted it as an experiment.

> Have you tried adding 'debug' to the pam_ldap line here?  Was there any more
> log output when the 'debug' option was passed to pam_localuser (which you
> seem to have added, then commented out)?

unfortunately, it appears that the pam_ldap module doesn't support a debug option.  the man page says that it is ignored, but i tried it anyway (which confirmed this).
when using debug with pam_localuser, i do see additional output - it appears to iterate through each entry in /etc/passwd, looking for a match:

Mar  7 21:45:34 under sshd[20033]: pam_localuser(sshd:account): checking "nslcd:x:117:127:nss-ldapd name service LDAP connection daemon,,,:/var/run/nslcd/:/bin/false#012"
Mar  7 21:45:34 under sshd[20033]: pam_localuser(sshd:account): checking "backuppc:x:119:129:BackupPC,,,:/var/lib/backuppc:/bin/sh#012"
Mar  7 21:45:34 under sshd[20033]: pam_localuser(sshd:account): checking "haldaemon:x:120:130:Hardware abstraction layer,,,:/var/run/hald:/bin/false#012"
Mar  7 21:45:34 under sshd[20033]: Failed password for flash from port 56360 ssh2

> The output and PAM config suggest the problem is most likely with the
> pam_ldap module, but so far there's insufficient information to say what the
> problem is.

after doing a bit more experimenting, i've found that if i use both pam_unix and pam_ldap:

account         [success=2 new_authtok_reqd=done default=ignore]
account         [success=1 default=ignore]

i'm able to log in, but with a caveat - it seems to ignore my ldap config and allows access regardless of ldap group membership. additionally, if i use only pam_ldap, i'm not able to log in and am given the same "Access denied for this service" message.

giving this a bit more consideration, it seemed it might make sense to just focus on getting ldap working all by itself and excluding the traditional unix components for the time being, to help isolate the pieces involved.  to that end, i've tried using only pam_ldap for auth and account:

>egrep -v '(^[[:space:]]*#|^[[:space:]]*$)' sshd 
auth		required # [1]
auth		required envfile=/etc/default/locale
auth		[success=1 default=ignore] #use_first_pass
auth		requisite             
auth		required              
account		required
account		[success=1 default=ignore]
account		requisite             
account		required              
session		[default=1]           
session		requisite             
session		required              
session		required              
session		optional               no_warn
session		optional # [1]
session		optional standard noenv # [1]
session		required
password        required               min=disabled,16,12,7,6 max=256
password        [success=2 default=ignore] obscure md5
password        [success=1 user_unknown=ignore default=die] use_authtok try_first_pass
password        requisite             
password        required              

the results and assorted output remain the same though.  i did notice these two lines in the sshd debug output:

debug3: mm_auth_password: user authenticated
debug3: PAM: do_pam_account pam_acct_mgmt = 7 (Authentication failure)

what can i do to see more regarding the second message?  it seems like the tree worth barking up.


Pam-list mailing list
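To make the two observations in this message concrete (a pam_unix + pam_ldap account stack that lets a local user in regardless of LDAP group membership, and a pam_ldap-only stack that ends with pam_acct_mgmt = 7), here is an added simulator of how Linux-PAM walks one management group. It is written for this page; it is not code from the thread, from Linux-PAM or from Debian. The control-flag rules follow pam.conf(5) (the four keyword controls are shorthand for [value=action] tables; an action is ok, done, bad, die, ignore, reset or a jump count N), plus Linux-PAM's rule that a stack in which no module contributed ends as PAM_PERM_DENIED. Everything else is an assumption: the sample stacks mimic Debian's common-account layout with the module names pam_unix.so, pam_ldap.so, pam_deny.so and pam_permit.so, and the return code of each module is supplied by hand rather than produced by a real module.

```python
"""Simulate how Linux-PAM evaluates one management group (e.g. account).

Control values follow pam.conf(5).  Assumptions (also stated in the
lead-in): module return values come from the caller instead of real
modules, the sample stacks only imitate Debian's common-account layout,
and a stack where nothing contributed ends as PAM_PERM_DENIED.
"""
import re

# Linux-PAM return codes used below (values from security/_pam_types.h).
PAM_SUCCESS, PAM_PERM_DENIED, PAM_AUTH_ERR = 0, 6, 7
PAM_NEW_AUTHTOK_REQD, PAM_IGNORE = 12, 25
NAME = {PAM_SUCCESS: "success", PAM_PERM_DENIED: "perm_denied",
        PAM_AUTH_ERR: "auth_err", PAM_NEW_AUTHTOK_REQD: "new_authtok_reqd",
        PAM_IGNORE: "ignore"}

# Keyword controls expanded as pam.conf(5) defines them.
KEYWORD = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

LINE = re.compile(r"^\s*(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def parse_stack(text):
    """Return [(action_table, module)] for the non-comment lines of a pam.d file."""
    stack = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m or line.lstrip().startswith("#"):
            continue
        _type, control, module = m.groups()
        if control in KEYWORD:
            table = KEYWORD[control]
        else:  # "[success=2 new_authtok_reqd=done default=ignore]" -> dict
            table = dict(tok.split("=", 1) for tok in control[1:-1].split())
        stack.append((table, module))
    return stack

def run_stack(text, results):
    """Evaluate a stack; `results` maps module name -> the code it would return."""
    stack = parse_stack(text)
    impression, status = None, PAM_SUCCESS   # None: no module has contributed yet
    trace, i = [], 0
    while i < len(stack):
        table, module = stack[i]
        retval = results.get(module, PAM_IGNORE)
        action = table.get(NAME[retval], table.get("default", "ignore"))
        trace.append(f"{module}: {NAME[retval]} -> {action}")
        i += 1
        if action == "ignore":
            continue
        if action == "reset":
            impression, status = None, PAM_SUCCESS
            continue
        if action in ("bad", "die"):
            if impression != "neg":           # only the first failure is recorded
                impression, status = "neg", retval
            if action == "die":
                break
            continue
        # ok, done or a jump N: contributes unless a failure is already recorded
        if impression is None or (impression == "pos" and status == PAM_SUCCESS):
            impression = "pos" if retval == PAM_SUCCESS else "neg"
            status = retval
        if action == "done" and impression == "pos":
            break
        if action.isdigit():                  # jump over the next N modules
            i += int(action)
    if impression is None:                    # nothing had anything to say
        status = PAM_PERM_DENIED
    return status, trace

# Constructed sample stacks (assumption: Debian common-account layout).
UNIX_AND_LDAP = """
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 default=ignore]                      pam_ldap.so
account requisite                                       pam_deny.so
account required                                        pam_permit.so
"""
LDAP_ONLY = """
account [success=1 default=ignore] pam_ldap.so
account requisite                  pam_deny.so
account required                   pam_permit.so
"""

def account_phase(stack, unix=PAM_IGNORE, ldap=PAM_AUTH_ERR):
    """Run the account group with hand-supplied pam_unix/pam_ldap results."""
    return run_stack(stack, {"pam_unix.so": unix, "pam_ldap.so": ldap,
                             "pam_deny.so": PAM_AUTH_ERR, "pam_permit.so": PAM_SUCCESS})

if __name__ == "__main__":
    for label, stack, kw in [
        ("local user known to pam_unix, denied by LDAP", UNIX_AND_LDAP, dict(unix=PAM_SUCCESS)),
        ("pam_ldap only, denied by the LDAP filter", LDAP_ONLY, {}),
        ("pam_ldap only, allowed", LDAP_ONLY, dict(ldap=PAM_SUCCESS)),
    ]:
        status, trace = account_phase(stack, **kw)
        print(f"{label}: pam_acct_mgmt = {status} ({NAME[status]})")
        for step in trace:
            print("   ", step)
```

Two things the traces show that the config lines alone do not: in the combined stack, success=2 on pam_unix jumps straight over pam_ldap and pam_deny to pam_permit, so pam_ldap is never even called for an account that pam_unix accepts; and in the pam_ldap-only stack, any non-success from pam_ldap is turned into ignore by default=ignore, which leaves the requisite pam_deny as the module that sets the result (PAM_AUTH_ERR, numerically 7, whose pam_strerror text is "Authentication failure"). Whether pam_ldap is actually returning a failure or something else in the poster's setup cannot be read off the stack; the simulator only shows which module ends up owning the status code.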
