From owner-freebsd-questions@FreeBSD.ORG Thu Sep 4 09:18:17 2008
From: "O. Hartmann" <ohartman@zedat.fu-berlin.de>
Organization: Freie Universität Berlin
Date: Thu, 04 Sep 2008 09:16:02 +0000
To: freebsd-questions@freebsd.org
Subject: LDAP and ssh not working anymore since upgrade to FreeBSD 7.1
Message-ID: <48BFA752.7040807@zedat.fu-berlin.de>

I recently updated several boxes up to FreeBSD 7.1-PRE, having had a working OpenLDAP binding.
After this update, I can't log in on those boxes connected to an LDAP server via ssh! The boxes also run lighttpd as a webserver with remote LDAP authentication for several user spaces, and this still works as expected. I can log in locally on the boxes in question, even with LDAP-backed users, so login works fine; doing a 'su - USER' as root also works fine, but no sshd connects. Only local users (stored in /etc/passwd) can log in via ssh.

The error message on the console is like this:

sshd[16434]: fatal: login_get_lastlog: Cannot find account for uid 2001

It's funny; it seems that sshd never made it to LDAP, although I see traffic in the LDAP server's log.

I append, for completeness, /etc/pam.d/sshd and /etc/ssh/sshd_config.

/etc/pam.d/sshd:

#
# $FreeBSD: src/etc/pam.d/sshd,v 1.16 2007/06/10 18:57:20 yar Exp $
#
# PAM configuration for the "sshd" service
#

# auth
auth            sufficient      pam_opie.so                     no_warn no_fake_prompts
#auth           requisite       pam_opieaccess.so               no_warn allow_local
#auth           sufficient      pam_krb5.so                     no_warn try_first_pass
#auth           sufficient      pam_ssh.so                      no_warn try_first_pass
auth            sufficient      /usr/local/lib/pam_ldap.so      no_warn try_first_pass ignore_authinfo_unavail
auth            required        pam_unix.so                     no_warn try_first_pass

# account
account         required        pam_nologin.so
#account        required        pam_krb5.so
account         required        pam_login_access.so
account         sufficient      /usr/local/lib/pam_ldap.so
account         required        pam_unix.so

# session
#session        optional        pam_ssh.so
session         optional        /usr/local/lib/pam_mkhomedir.so skel=/usr/share/skel mode=0750
session         required        pam_permit.so

# password
#password       sufficient      pam_krb5.so                     no_warn try_first_pass
password        sufficient      /usr/local/lib/pam_ldap.so      no_warn use_authtok
password        required        pam_unix.so                     no_warn try_first_pass

sshd_config (attachment):

# $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $
# $FreeBSD: src/crypto/openssh/sshd_config,v 1.47.2.1 2008/09/01 20:03:13 des Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

# Note that some of FreeBSD's defaults differ from OpenBSD's, and
# FreeBSD has a few additional options.

VersionAddendum FreeBSD-20080901

Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 1h
ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
SyslogFacility AUTH
LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile     .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# Change to yes to enable built-in password authentication.
PasswordAuthentication no
#PermitEmptyPasswords no

# Change to no to disable PAM authentication
# ChallengeResponseAuthentication yes
ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'no' to disable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
PrintMotd yes
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem       sftp    /usr/libexec/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       ForceCommand cvs server
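The "Cannot find account for uid" message in the post is raised when sshd's getpwuid(3) lookup fails, which is an NSS (nsswitch.conf) question rather than a PAM one; the helpers below, added here as a diagnostic and not part of the original thread, separate the two. They assume FreeBSD's /etc/nsswitch.conf and /etc/pam.d/<service> layouts and the getent(1) utility; the sample files in the comments are constructed.

```shell
#!/bin/sh
# Diagnostic helpers for an LDAP-backed account that sshd cannot resolve.
# Constructed for this thread, not from the original post or from FreeBSD.

# nss_sources DB FILE: print the source list configured for database DB
# (e.g. "files ldap"), taking the first matching line and dropping comments.
nss_sources() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*:[[:space:]]*//p" "$2" |
        head -n 1 | sed 's/[[:space:]]*#.*//'
}

# nss_has_source DB SOURCE FILE: succeed if SOURCE is listed for DB.
# Whole-word match, so "ldap" is not confused with action tokens like
# "[notfound=return]".
nss_has_source() {
    case " $(nss_sources "$1" "$3") " in
        *" $2 "*) return 0 ;;
    esac
    return 1
}

# pam_modules FACILITY FILE: print "<control> <module>" for every active
# line of FACILITY (auth, account, session, password); commented lines
# such as "#account ..." have a different first field and are skipped.
pam_modules() {
    awk -v f="$1" '$1 == f { print $2, $3 }' "$2"
}

# uid_resolves UID: succeed if the NSS lookup sshd performs finds the
# account. Run as root on the affected box so it sees what sshd sees.
uid_resolves() {
    getent passwd "$1" >/dev/null 2>&1
}

# Usage on an affected box (uid taken from the sshd log line in the post):
#   uid_resolves 2001 || echo "NSS cannot resolve uid 2001"
#   nss_has_source passwd ldap /etc/nsswitch.conf || echo "passwd: lacks ldap"
#   pam_modules account /etc/pam.d/sshd
```

If uid_resolves fails while pam_modules shows pam_ldap in the account stack, the PAM configuration is not what sshd is tripping over; the passwd database source list is.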