From: "O. Hartmann" <ohartman@mail.zedat.fu-berlin.de>
To: freebsd-questions@freebsd.org
Date: Sun, 16 Dec 2007 16:06:18 +0100
Message-ID: <47653EEA.1090700@mail.zedat.fu-berlin.de>
Subject: PAM and OpenLDAP: Login requires always existence of SSH pubkey, why?

Hello.

I use FreeBSD 7.0-BETA on several boxes with different architectures (i386/amd64). Users within our network have to authenticate against an OpenLDAP server via PAM.
I have the annoying problem that every user getting authenticated needs a public key, and the passphrase set on the SSH public key is the passphrase that authenticates the user - not the passphrase/password set in the OpenLDAP DIT for that specific user!

My sshd_config looks quite similar to the default sshd_config offered with the FreeBSD sources, except for three changes:

=============
# Change to yes to enable built-in password authentication.
PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable PAM authentication
ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes

# Set this to 'no' to disable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
=================

Setting PasswordAuthentication no and ChallengeResponseAuthentication no to force PAM to do authentication, accounting and session handling via LDAP results in the inability of any user to log in (error: pubkey/password).

In /etc/pam.d/sshd and /etc/pam.d/system I have pam_sshd.so enabled in both auth and session. Without that it doesn't matter what is configured in sshd_config; users can never log in, as LDAP would never check the passphrase.

What is wrong? Why is PAM forcing ssh into doing authentication, accounting and session management by default although I configured PAM to do so?

Can anybody help?

Thanks in advance,
Oliver
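A small audit script for the interaction the post describes (added here as an example, not part of the original mail or of FreeBSD): it reads an sshd_config and a pam.d/sshd file and reports whether sshd still has a password path into PAM, whether pam_ssh sits in the auth stack (so the key passphrase is accepted as the login secret), and whether an LDAP module is present in auth at all. The two sample files below are constructed from the post's description, not the poster's real configuration.

```python
"""Audit sshd_config + pam.d/sshd for the password-vs-pubkey interaction."""

# Constructed samples modelled on the post: sshd with PAM but no password path,
# and a PAM stack with pam_ssh in auth and no LDAP module.
SAMPLE_SSHD = """
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
"""
SAMPLE_PAM = """
# /etc/pam.d/sshd (constructed sample)
auth     sufficient  pam_ssh.so   no_warn try_first_pass
auth     required    pam_unix.so  no_warn try_first_pass
session  required    pam_ssh.so
"""

def parse_sshd_config(text):
    """Map lowercased keyword -> value; as in sshd, the first occurrence wins."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, val = line.partition(" ")
            opts.setdefault(key.lower(), val.strip())
    return opts

def parse_pam(text):
    """Return (facility, control, module) tuples for uncommented PAM rules."""
    rules = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 3:
            rules.append((parts[0], parts[1], parts[2]))
    return rules

def audit(sshd_text, pam_text):
    """Return a list of findings about how sshd and PAM will actually authenticate."""
    opts, rules = parse_sshd_config(sshd_text), parse_pam(pam_text)
    findings = []
    usepam = opts.get("usepam", "no") == "yes"             # sshd default: no
    pw = opts.get("passwordauthentication", "yes") == "yes"  # sshd default: yes
    cr = opts.get("challengeresponseauthentication", "yes") == "yes"
    if usepam and not (pw or cr):
        findings.append("no password path: UsePAM yes but PasswordAuthentication and "
                        "ChallengeResponseAuthentication are both no; only pubkey logins can succeed")
    auth_mods = [m for fac, _, m in rules if fac == "auth"]
    if any("pam_ssh" in m for m in auth_mods):
        findings.append("pam_ssh in auth: the SSH private-key passphrase is accepted as the login secret")
    if not any("ldap" in m for m in auth_mods):
        findings.append("no LDAP module in auth: the directory password is never checked")
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_SSHD, SAMPLE_PAM):
        print("-", f)
```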