Date: Sun, 16 Dec 2007 13:30:16 -0800
From: Michael Smith <mksmith@adhost.com>
To: O. Hartmann <ohartman@mail.zedat.fu-berlin.de>
Cc: freebsd-questions@freebsd.org
Subject: Re: PAM and OpenLDAP: Login requires always existence of SSH pubkey, why?
Message-ID: <443CBFCB-ABA6-49B1-A9C7-5E3367611823@adhost.com>
In-Reply-To: <47653EEA.1090700@mail.zedat.fu-berlin.de>
References: <47653EEA.1090700@mail.zedat.fu-berlin.de>
Hello:

On Dec 16, 2007, at 7:06 AM, O. Hartmann wrote:

> Hello.
>
> I use FreeBSD 7.0-BETA on several boxes with different architectures
> (i386/amd64). Users within our network have to authenticate against
> an OpenLDAP Server via PAM. I have the annoying problem that every
> user getting authenticated needs a public key and the passphrase set
> in the ssh public key is the passphrase that authenticates the user
> - not the passphrase/password set in the OpenLDAP DIT for that
> specific user! My sshd_config looks quite common to the default
> sshd_conf offered with the FreeBSD sources, except three changes:
>
>
> =============
> # Change to yes to enable built-in password authentication.
> PasswordAuthentication yes
> #PermitEmptyPasswords no
>
> # Change to no to disable PAM authentication
> ChallengeResponseAuthentication yes
>
> # Kerberos options
> #KerberosAuthentication no
> #KerberosOrLocalPasswd yes
> #KerberosTicketCleanup yes
> #KerberosGetAFSToken no
>
> # GSSAPI options
> #GSSAPIAuthentication yes
> #GSSAPICleanupCredentials yes
>
> # Set this to 'no' to disable PAM authentication, account processing,
> # and session processing. If this is enabled, PAM authentication will
> # be allowed through the ChallengeResponseAuthentication and
> # PasswordAuthentication. Depending on your PAM configuration,
> # PAM authentication via ChallengeResponseAuthentication may bypass
> # the setting of "PermitRootLogin without-password".
> # If you just want the PAM account and session checks to run without
> # PAM authentication, then enable this but set PasswordAuthentication
> # and ChallengeResponseAuthentication to 'no'.
> UsePAM yes
>
> =================
>
> Setting
> PasswordAuthentication no
> and
> ChallengeResponseAuthentication no
>
> to force PAM doing authentication, accounting and session via LDAP
> results in the inability of any user to log in (error:
> pubkey/password).
>
> In /etc/pam.d/sshd and system I have pam_sshd.so enabled in both auth
> and session. Without that it doesn't matter what is configured in
> sshd_conf, users can never log in as LDAP would never check the
> passphrase.
>
> What is wrong? Why is PAM forcing ssh into doing authentication and
> accounting and session management by default although I configured
> PAM to do so?
>
> Can anybody help?

Are you telling SSH to use pam_ldap in the /etc/pam.d/sshd file? As I understand it, you have told ssh to use PAM, which means it will honor what is in /etc/pam.d/sshd for its authentication. If you want ldap, you'll need the pam_ldap.so library installed and then reference that in the file. We use RADIUS and SAMBA so ours looks like:

auth    required    pam_nologin.so    no_warn
auth    sufficient  pam_radius.so
auth    sufficient  /usr/local/lib/pam_winbind.so    try_first_pass
auth    sufficient  pam_opie.so    no_warn no_fake_prompts
auth    requisite   pam_opieaccess.so    no_warn allow_local
auth    required    pam_unix.so    no_warn try_first_pass

Regards,

Mike
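As an added example (not from either poster), an /etc/pam.d/sshd auth and account stack for the LDAP case Mike describes, laid out the way his RADIUS/Samba stack is. It assumes pam_ldap has been installed from the security/pam_ldap port, which places the module at /usr/local/lib/pam_ldap.so and reads its server settings from /usr/local/etc/ldap.conf; adjust the path if your installation differs. The commented-out pam_ssh.so line is the one worth checking against the question: pam_ssh authenticates by decrypting the user's ~/.ssh private key with the password that was typed, so while it sits in the auth stack only users who have a key can log in and it is the key passphrase, not the LDAP password, that is being verified. Two other points follow directly from the sshd_config comments quoted in the question: with PasswordAuthentication and ChallengeResponseAuthentication both set to no, sshd never hands a password to PAM at all, so the LDAP module is never consulted; and "sufficient" ends the stack on success, so put pam_ldap.so before pam_unix.so if LDAP users should not also need a local password.

```text
# /etc/pam.d/sshd (added example, not from the original thread)
# Module path assumes the security/pam_ldap port; placeholder, verify locally.

# auth
auth        sufficient  pam_opie.so                 no_warn no_fake_prompts
auth        requisite   pam_opieaccess.so           no_warn allow_local
# Do NOT enable pam_ssh.so here for LDAP users: it checks the typed password
# by decrypting ~/.ssh private keys, which is the symptom in the question.
#auth       sufficient  pam_ssh.so                  no_warn try_first_pass
# Ask the directory first; a successful LDAP bind ends the stack.
auth        sufficient  /usr/local/lib/pam_ldap.so  try_first_pass
# Fall back to /etc/master.passwd for root and local service accounts.
auth        required    pam_unix.so                 no_warn try_first_pass

# account
account     required    pam_nologin.so
account     required    pam_login_access.so
# LDAP account policy (expiry, host access) for directory users ...
account     sufficient  /usr/local/lib/pam_ldap.so
# ... local policy for everyone else.
account     required    pam_unix.so

# session
session     required    pam_permit.so

# password
password    required    pam_unix.so                 no_warn try_first_pass
```

For the LDAP account to be usable at all, the user must also resolve through nsswitch (nss_ldap in /etc/nsswitch.conf); PAM only decides whether the login is allowed, it does not supply the uid, home directory or shell.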