From: Artabros on 24 May 2005 08:01

I'm trying to configure the Sun-SSH server included in Solaris 10 with pam_ldap. I intend to use the Sun Solaris Native LDAP Client Library, and the system is already configured as an LDAP client ("id ldapuser" works), using the steps of the document from Gary Tay's site (http://web.singnet.com.sg/~garyttt/Installing%20and%20configuring%20OpenSSH%20with%20pam_ldap%20for%20Solaris9.htm).

I need pam_ldap authentication to work only with ssh, and for this reason I appended the following lines to /etc/pam.conf:

    sshd auth requisite pam_authtok_get.so.1
    sshd auth required pam_dhkeys.so.1
    sshd auth required pam_dial_auth.so.1
    sshd auth binding pam_unix_auth.so.1 server_policy
    sshd auth required pam_ldap.so.1

but it doesn't work:

    localhost$ ssh -l ldapuser 192.168.1.9
    Password:
    Password:
    Password:
    Permission denied (gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive).

Does anybody have an idea how to solve my problem? Thanks in advance!
From: Triss on 24 May 2005 12:58

Two things to start with:

First, you'll almost undoubtedly want to append try_first_pass to the pam_ldap.so.1 line, so it'll grab the password from when it tried pam_unix_auth.

Second, we need more data in order to help you. Are any error messages showing for SSH or PAM in syslog? If not, please add 'debug' to the pam_ldap line, and make sure you're logging daemon.debug. Check for anything interesting there. Please post details when you've got them.
From: Gary Tay Teng Teck on 24 May 2005 13:24

Artabros wrote:
> I'm trying to configure the Sun-SSH server included in Solaris 10 with
> pam_ldap. I intend to use the Sun Solaris Native LDAP Client Library, and the
> system is already configured as an LDAP client ("id ldapuser" works),
> using the steps of the document from Gary Tay's site
> (http://web.singnet.com.sg/~garyttt/Installing%20and%20configuring%20OpenSSH%20with%20pam_ldap%20for%20Solaris9.htm)
>
> I need pam_ldap authentication to work only with ssh, and for this
> reason I appended the following lines to /etc/pam.conf:
>
> sshd auth requisite pam_authtok_get.so.1
> sshd auth required pam_dhkeys.so.1
> sshd auth required pam_dial_auth.so.1
> sshd auth binding pam_unix_auth.so.1 server_policy
> sshd auth required pam_ldap.so.1
>
> but it doesn't work:
>
> localhost$ ssh -l ldapuser 192.168.1.9
> Password:
> Password:
> Password:
> Permission denied
> (gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive).
>
> Does anybody have an idea how to solve my problem? Thanks in advance!

Please use the sample pam.conf for pam_ldap provided by the Solaris 10 system admin guide; you need not add "sshd" lines as it will follow "other".

http://docs.sun.com/app/docs/doc/816-4556/6maort2te?a=view

You may turn off Kerberos and GSSAPI support in sshd_config as we don't need it. You should set "UsePAM yes" in sshd_config, and restart sshd.

    PasswordAuthentication yes
    ChallengeResponseAuthentication yes
    UsePAM yes

Having said all the above, I have not used any Solaris 10 box yet.

Gary
From: Artabros on 24 May 2005 17:47

I can't find the way to make PAM work correctly with LDAP. There's no way to make the authentication work with LDAP (neither on the system console nor in ssh). I've used the ldapclient command to generate the /var/ldap/ldap_client_file and /var/ldap/ldap_client_cred files, and "getent passwd" shows me the LDAP users.

I'm trying to test with two pam.conf files: one from Sun's documents, and the other one from the howto. In the sshd_config there was no "UsePAM yes" because Sun-SSH doesn't support it and failed to start. So I've downloaded OpenSSH from www.sunfreeware.com and I've installed it with this sshd_config:

    --- Begin of sshd_config ----
    Port 22
    Protocol 2
    PermitRootLogin yes
    PasswordAuthentication yes
    ChallengeResponseAuthentication yes
    UsePAM yes
    Subsystem sftp /usr/local/libexec/sftp-server
    --- End of sshd_config ----

I'm new to Solaris and I don't know how to configure syslog to see PAM/ssh errors :( However, I can see the following in /var/log/syslog:

    pam_ldap: no legal authentication method configured

Have you got an idea how to make it work? Thanks in advance
From: Gary Tay Teng Teck on 25 May 2005 08:34
Artabros wrote:
> I can't find the way to make PAM work correctly with LDAP. There's no way to
> make the authentication work with LDAP (neither on the system console nor in
> ssh). I've used the ldapclient command to generate /var/ldap/ldap_client_file
> and /var/ldap/ldap_client_cred files and "getent passwd" shows me the
> LDAP users.
>
> I'm trying to test with two pam.conf files: one from Sun's documents, and the
> other one from the howto. In the sshd_config there was no "UsePAM
> yes" because Sun-SSH doesn't support it and failed to start. So I've
> downloaded OpenSSH from www.sunfreeware.com and I've installed it with
> this sshd_config:
>
> --- Begin of sshd_config ----
> Port 22
> Protocol 2
> PermitRootLogin yes
> PasswordAuthentication yes
> ChallengeResponseAuthentication yes
> UsePAM yes
> Subsystem sftp /usr/local/libexec/sftp-server
> --- End of sshd_config ----
>
> I'm new to Solaris and I don't know how to configure syslog to see
> PAM/ssh errors :( However, I can see the following in /var/log/syslog:
>
> pam_ldap: no legal authentication method configured
>
> Have you got an idea how to make it work? Thanks in advance

SUN-SSH uses an older version of OpenSSH; IIRC the equivalent directive of "UsePAM yes" in its sshd_config is:

    PAMAuthenticationViaKBDInt yes

I have taken for granted that everyone will replace SUN-SSH with OpenSSH, at least as a response to the OpenSSH vulnerability report.

It is better to compile from OpenSSH source. Use the following options so that you can reuse the SUN-SSH original protocol 2 host keys in /etc/ssh:

    env MAKE=/usr/ccs/bin/make LD_LIBRARY_PATH=/usr/lib:/usr/local/lib:/usr/local/ssl/lib ./configure --with-pam --sysconfdir=/etc/ssh --with-ssl-dir=/usr/local/ssl

To debug SUN-SSH or OpenSSH, start "sshd" with the debug option, I think it is "-d", OR change this line in sshd_config and restart sshd:

    #LogLevel info
    LogLevel debug (or LogLevel DEBUG)

Then add an "auth.debug /var/log/auth.log" line in /etc/syslog.conf and restart syslogd (/etc/init.d/syslog). Use "ssh -v userid(a)localhost" to see the communication flow.

You may want to take a look at the checklists I listed at:
http://swforum.sun.com/jive/thread.jspa?threadID=47882&tstart=0

To debug PAM, add the "debug" keyword to /etc/pam.conf at the end of the line, I think.

Gary
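A small audit script, added here as an illustration and not part of the thread, that checks the two points raised above: Triss's advice that the sshd pam_ldap line carry try_first_pass, and Gary's that sshd_config set UsePAM yes. The sample pam.conf and sshd_config contents are constructed from the poster's configuration; the function names are my own.

```shell
#!/bin/sh
# Constructed samples mirroring the poster's sshd auth stack (not a live system).
PAMCONF=$(mktemp); SSHDCONF=$(mktemp)
trap 'rm -f "$PAMCONF" "$SSHDCONF"' EXIT
cat >"$PAMCONF" <<'EOF'
sshd auth requisite pam_authtok_get.so.1
sshd auth required pam_dhkeys.so.1
sshd auth required pam_dial_auth.so.1
sshd auth binding pam_unix_auth.so.1 server_policy
sshd auth required pam_ldap.so.1
EOF
cat >"$SSHDCONF" <<'EOF'
PasswordAuthentication yes
ChallengeResponseAuthentication yes
#UsePAM yes
EOF

# pam_ldap_has_option FILE SERVICE OPTION
# Returns 0 if an "auth" line for SERVICE that loads pam_ldap carries OPTION.
# pam.conf fields: service type control-flag module [options...]
pam_ldap_has_option() {
    awk -v svc="$2" -v opt="$3" '
        $1 == svc && $2 == "auth" && $4 ~ /pam_ldap/ {
            for (i = 5; i <= NF; i++) if ($i == opt) found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# sshd_option FILE KEY
# Prints the first uncommented value of KEY (case-insensitive), empty if unset.
sshd_option() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# audit: report each missing setting, return non-zero if any is missing.
audit() {
    rc=0
    pam_ldap_has_option "$PAMCONF" sshd try_first_pass ||
        { echo "pam_ldap.so.1 auth line for sshd lacks try_first_pass"; rc=1; }
    [ "$(sshd_option "$SSHDCONF" UsePAM)" = yes ] ||
        { echo "UsePAM yes is not set in sshd_config"; rc=1; }
    return $rc
}

if audit; then echo "sshd PAM/LDAP settings look consistent"; else echo "fix the items above"; fi
```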