On Mar 07, 2010, at 17.08, Steve Langasek wrote:

> This implies that you've manually copied the contents of /etc/pam.d/common-*
> into /etc/pam.d/sshd, instead of using the includes as-is. Is there a
> reason for this?

Yes, I've got a learning curve ahead of me and intended to use sshd to do my
experimenting. I didn't want to muck around in the includes, since it would
affect more than just ssh, but wanted to retain the structure/style being used
while I'm learning. Once I've become a bit more comfortable with PAM and have
established a working config that I understand, I'll revert back to using the
includes.

> Note that by omitting pam_unix here, sshd won't honor password expiry set
> for any local accounts.

No, I wasn't aware of that; thank you. I don't necessarily intend to
permanently use pam_localuser here instead of pam_unix, but had substituted it
as an experiment.

> Have you tried adding 'debug' to the pam_ldap line here? Was there any more
> log output when the 'debug' option was passed to pam_localuser (which you
> seem to have added, then commented out)?

Unfortunately, it appears that the pam_ldap module doesn't support a debug
option. The man page says that it is ignored, but I tried it anyway (which
confirmed this).
When using debug with pam_localuser, I do see additional output. It appears to
iterate through each entry in /etc/passwd, looking for a match:

<snip>
Mar 7 21:45:34 under sshd[20033]: pam_localuser(sshd:account): checking "nslcd:x:117:127:nss-ldapd name service LDAP connection daemon,,,:/var/run/nslcd/:/bin/false#012"
Mar 7 21:45:34 under sshd[20033]: pam_localuser(sshd:account): checking "backuppc:x:119:129:BackupPC,,,:/var/lib/backuppc:/bin/sh#012"
Mar 7 21:45:34 under sshd[20033]: pam_localuser(sshd:account): checking "haldaemon:x:120:130:Hardware abstraction layer,,,:/var/run/hald:/bin/false#012"
Mar 7 21:45:34 under sshd[20033]: Failed password for flash from 192.168.1.123 port 56360 ssh2

> The output and PAM config suggest the problem is most likely with the
> pam_ldap module, but so far there's insufficient information to say what the
> problem is.

After doing a bit more experimenting, I've found that if I use both pam_unix
and pam_ldap:

account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 default=ignore] pam_ldap.so

I'm able to log in, but with a caveat: it seems to ignore my LDAP config and
allows access regardless of LDAP group membership. Additionally, if I use only
pam_ldap, I'm not able to log in and am given the same "Access denied for this
service" message.

Giving this a bit more consideration, it seemed it might make sense to just
focus on getting LDAP working all by itself and excluding the traditional Unix
components for the time being, to help isolate the pieces involved.
To that end, I've tried using only pam_ldap for auth and account:

>egrep -v '(^[[:space:]]*#|^[[:space:]]*$)' sshd
auth      required                                         pam_env.so # [1]
auth      required                                         pam_env.so envfile=/etc/default/locale
auth      [success=1 default=ignore]                       pam_ldap.so #use_first_pass
auth      requisite                                        pam_deny.so
auth      required                                         pam_permit.so
account   required                                         pam_nologin.so
account   [success=1 default=ignore]                       pam_ldap.so
account   requisite                                        pam_deny.so
account   required                                         pam_permit.so
session   [default=1]                                      pam_permit.so
session   requisite                                        pam_deny.so
session   required                                         pam_permit.so
session   required                                         pam_unix.so
session   optional                                         pam_ldap.so no_warn
session   optional                                         pam_motd.so # [1]
session   optional                                         pam_mail.so standard noenv # [1]
session   required                                         pam_limits.so
password  required                                         pam_passwdqc.so min=disabled,16,12,7,6 max=256
password  [success=2 default=ignore]                       pam_unix.so obscure md5
password  [success=1 user_unknown=ignore default=die]      pam_ldap.so use_authtok try_first_pass
password  requisite                                        pam_deny.so
password  required                                         pam_permit.so

The results and assorted output remain the same though. I did notice these two
lines in the sshd debug output:

debug3: mm_auth_password: user authenticated
...
debug3: PAM: do_pam_account pam_acct_mgmt = 7 (Authentication failure)

What can I do to see more regarding the second message? It seems like the tree
worth barking up.

Thanks,
-ben

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
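An added example, not part of ben's message and not libpam's code, that models how Linux-PAM walks an account stack under the bracket control syntax used in the configs above. The dispatch rules are a condensed reimplementation of the semantics documented in pam.conf(5) (this is an assumption about libpam's behaviour, not its source), and the module return codes are constructed stubs: a user that pam_unix knows but pam_ldap rejects, with pam_deny returning PAM_AUTH_ERR for the account service as its man page states. Run against the two stacks quoted in the message, it shows why the mixed stack lets the user in without pam_ldap ever being consulted (pam_unix's success=2 jumps over both pam_ldap and pam_deny), and why the pam_ldap-only stack ends in PAM_AUTH_ERR, the "7 (Authentication failure)" in the sshd debug line: a non-success from pam_ldap falls into default=ignore, so the requisite pam_deny is what decides the result.

```python
"""Model of how Linux-PAM walks an account stack under bracket control flags.
Added example, not libpam's code: a condensed reimplementation of the pam.conf(5)
dispatch semantics, with constructed stub return codes for the modules."""
import re

PAM_SUCCESS, PAM_PERM_DENIED, PAM_AUTH_ERR = 0, 6, 7   # 7 is sshd's "Authentication failure"
PAM_USER_UNKNOWN, PAM_NEW_AUTHTOK_REQD, PAM_IGNORE = 10, 12, 25
RET_NAMES = {PAM_SUCCESS: "success", PAM_PERM_DENIED: "perm_denied", PAM_AUTH_ERR: "auth_err",
             PAM_USER_UNKNOWN: "user_unknown", PAM_NEW_AUTHTOK_REQD: "new_authtok_reqd",
             PAM_IGNORE: "ignore"}
# Keyword controls in the bracket form pam.conf(5) defines them as.
KEYWORDS = {
    "required":   "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "requisite":  "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
    "optional":   "[success=ok new_authtok_reqd=ok default=ignore]",
}

def parse_stack(text):
    """Parse 'type control module [args]' lines into (actions, module) pairs."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()           # drop comments such as "# [1]"
        if not line:
            continue
        m = re.match(r"(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)", line)
        if not m:
            raise ValueError("cannot parse: " + raw)
        control = KEYWORDS.get(m.group(2), m.group(2))
        actions = dict(tok.split("=", 1) for tok in control.strip("[]").split())
        entries.append((actions, m.group(3)))
    return entries

def run_stack(entries, results):
    """Walk the stack; `results` maps module -> stub return code.
    Returns (final status, list of modules that were actually called)."""
    UNDEF, POSITIVE, NEGATIVE = 0, 1, 2
    impression, status, called, i = UNDEF, PAM_SUCCESS, [], 0
    while i < len(entries):
        actions, module = entries[i]
        i += 1
        retval = results[module]
        called.append(module)
        action = "ignore" if retval == PAM_IGNORE else actions.get(
            RET_NAMES[retval], actions.get("default", "bad"))
        if action == "ignore":
            continue                                  # this result does not count at all
        if action in ("ok", "done"):
            if impression == UNDEF or (impression == POSITIVE and status == PAM_SUCCESS):
                impression, status = POSITIVE, retval
            if action == "done" and impression == POSITIVE:
                break
        elif action in ("bad", "die"):
            if impression != NEGATIVE:
                impression, status = NEGATIVE, retval  # first failure is the one reported
            if action == "die":
                break
        elif action == "reset":
            impression, status = UNDEF, PAM_PERM_DENIED
        else:                                         # numeric jump: counts as a result, skips N entries
            if impression == UNDEF or (impression == POSITIVE and status == PAM_SUCCESS):
                impression, status = POSITIVE, retval
            i += int(action)
    return (PAM_PERM_DENIED if impression == UNDEF else status), called

# The two account stacks quoted in the message.
MIXED_ACCOUNT = """
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 default=ignore] pam_ldap.so
account requisite pam_deny.so
account required pam_permit.so
"""
LDAP_ONLY_ACCOUNT = """
account required pam_nologin.so
account [success=1 default=ignore] pam_ldap.so
account requisite pam_deny.so
account required pam_permit.so
"""
# Constructed stubs: a user pam_unix knows but pam_ldap rejects (e.g. not in the
# required LDAP group); pam_deny returns PAM_AUTH_ERR for the account service.
RESULTS = {"pam_unix.so": PAM_SUCCESS, "pam_ldap.so": PAM_AUTH_ERR, "pam_deny.so": PAM_AUTH_ERR,
           "pam_permit.so": PAM_SUCCESS, "pam_nologin.so": PAM_SUCCESS}

def mixed_stack_result():
    """pam_unix succeeds and jumps over pam_ldap and pam_deny: LDAP is never asked."""
    return run_stack(parse_stack(MIXED_ACCOUNT), RESULTS)

def ldap_only_result(ldap_rc=PAM_AUTH_ERR):
    """pam_ldap's failure is 'ignored', so the requisite pam_deny supplies the 7."""
    return run_stack(parse_stack(LDAP_ONLY_ACCOUNT), {**RESULTS, "pam_ldap.so": ldap_rc})
```

Because default=ignore discards pam_ldap's real return code before libpam reports anything, the model also returns the list of modules that were consulted; on a live system that information has to come from the module's own logging or from watching the directory traffic, since the 7 that sshd prints is pam_deny's verdict rather than pam_ldap's.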