From owner-freebsd-questions@FreeBSD.ORG Wed Mar 26 15:01:58 2008
From: Frank Bonnet <f.bonnet@esiee.fr>
Date: Wed, 26 Mar 2008 16:01:55 +0100
To: bseklecki@collaborativefusion.com
Cc: freebsd-questions@freebsd.org
Subject: Re: Working /etc/pam.d/sshd file with pam_ldap 6.3 or 7.0 ?
Message-ID: <47EA6563.3030109@esiee.fr>
In-Reply-To: <1206459218.18298.100.camel@soundwave.ws.pitbpa0.priv.collaborativefusion.com>
References: <47E90D72.3060909@esiee.fr> <1206456103.18298.88.camel@soundwave.ws.pitbpa0.priv.collaborativefusion.com> <47E91ACF.1040804@esiee.fr> <1206459218.18298.100.camel@soundwave.ws.pitbpa0.priv.collaborativefusion.com>
User-Agent: Thunderbird 2.0.0.9 (X11/20080121)
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Hello

After having spent several hours on it I can't get a working ssh access that uses PAM_LDAP on a freebsd 6/7 machine !

I have no problem on a Linux Debian etch box ...

Where are we going if Linux works better than BSD ? :-)

Brian A. Seklecki wrote:
> On Tue, 2008-03-25 at 16:31 +0100, Frank Bonnet wrote:
>> Hello Brian
>>
>> Thanks for the quick answer but I'm still in trouble
>
> Turn on the debugging flags in the configuration file for pam_ldap
> in /usr/local/etc and watch the console on the system.
>
> ~BAS
>
>> When I try to ssh connect to the machine I fall into a loop
>> like the following
>>
>> panzer:~> ssh xxxxxxx@foo
>> Password:
>> Old Password:
>> Password:
>> Old Password:
>> Password:
>>
>> I am SURE the password I type works
>>
>> Brian A. Seklecki wrote:
>>> The problem is that the PAM libraries provide shit-fuck-ass-worthless
>>> debug mechanisms. This is only eclipsed by the terribly organized
>>> information on LDAP+NSS+PAM for FreeBSD on the web.
>>>
>>> The file is the same for pam.d/system and /usr/local/etc/pam.d/sudo.
>>> Please put this on the OpenLDAP / PADL Wiki somewhere:
>>>
>>> seklecki@fucksake:/home/seklecki$ more /etc/pam.d/sshd
>>>
>>> # $FreeBSD: src/etc/pam.d/sshd,v 1.15 2003/04/30 21:57:54 markm Exp $
>>> #
>>> # PAM configuration for the "sshd" service
>>> #
>>>
>>> # auth
>>> #auth      required    pam_nologin.so              no_warn
>>> #auth      sufficient  pam_opie.so                 no_warn no_fake_prompts
>>> #auth      requisite   pam_opieaccess.so           no_warn allow_local
>>> #auth      sufficient  pam_krb5.so                 no_warn try_first_pass
>>> #auth      sufficient  pam_ssh.so                  no_warn try_first_pass
>>> auth       sufficient  /usr/local/lib/pam_ldap.so
>>> auth       required    pam_unix.so                 no_warn try_first_pass
>>>
>>> # account
>>> #account   required    pam_krb5.so
>>> account    required    pam_login_access.so
>>> account    required    /usr/local/lib/pam_ldap.so  ignore_authinfo_unavail ignore_unknown_user
>>> account    required    pam_unix.so
>>>
>>> # session
>>> #session   optional    pam_ssh.so
>>> session    required    pam_permit.so
>>> session    sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass
>>>
>>> # password
>>> #password  sufficient  pam_krb5.so                 no_warn try_first_pass
>>> password   required    pam_unix.so                 no_warn try_first_pass
>>> #password  required    /usr/local/lib/pam_ldap.so  no_warn try_first_pass
>>>
>>>
>>> Also try:
>>>
>>> $ grep -i debug /usr/local/etc/ldap.conf
>>> #debug 1
>>> $ grep -i debug /usr/local/etc/nss_ldap.conf
>>> #debug 1
>>>
>>> Higher levels for fun.
>>>
>>> ~BAS
>>>
>>> On Tue, 2008-03-25 at 15:34 +0100, Frank Bonnet wrote:
>>>> Hello
>>>>
>>>> I can't get a working sshd access using pam_ldap and nss_ldap
>>>>
>>>> /etc/nsswitch.conf is OK
>>>>
>>>> but I'm having difficulties configuring pam_ldap for a ssh access
>>>> on a machine ( 6.3 or 7.0 ) ... I have been trying a lot to configure
>>>> the /etc/pam.d/sshd file but haven't had any success (sigh!)
>>>>
>>>> Could anyone help ?
>>>>
>>>> Thanks a lot !
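The thread above compares PAM stacks by eye, which is where mistakes hide: a module present in one facility and commented out in another, or an argument that the facility never looks at. The following is an added example, not code from the thread and not part of FreeBSD or PADL's pam_ldap: a small Python linter that parses an OpenPAM-style pam.d service file, prints each facility's stack, and runs a few wiring checks. Its sample input is the /etc/pam.d/sshd that Brian posted, with the mail archive's line wrapping undone. The check set is the author's own heuristic, not something the thread states: the PASSWORD_STORES list (modules that own a password database and therefore normally need a password-stack line too), the rule that a required pam_ldap account line should carry ignore_unknown_user so purely local accounts are not rejected by the directory lookup, and the list of arguments that only matter during auth or password change.

```python
"""pam.d stack linter (hypothetical helper, not FreeBSD's or PADL's code).

Parses an OpenPAM-style service file and surfaces the shape of each
facility's stack plus a few common pam_ldap wiring mistakes.
"""
from collections import defaultdict

FACILITIES = ("auth", "account", "session", "password")
CONTROLS = ("required", "requisite", "sufficient", "optional", "binding", "include")
# Heuristic (author's assumption): modules that own a password store usually
# need a matching line in the password stack, or their users cannot change
# passwords through PAM.
PASSWORD_STORES = {"pam_unix.so", "pam_ldap.so", "pam_krb5.so"}
# Arguments that are only meaningful while authenticating or changing a password.
AUTH_ONLY_ARGS = {"try_first_pass", "use_first_pass"}

# Constructed input: the /etc/pam.d/sshd posted in the thread, rewrapped,
# with the inactive (commented) module lines trimmed to keep the sample short.
SSHD_FROM_THREAD = """\
# $FreeBSD: src/etc/pam.d/sshd,v 1.15 2003/04/30 21:57:54 markm Exp $
# PAM configuration for the "sshd" service

# auth
auth       sufficient  /usr/local/lib/pam_ldap.so
auth       required    pam_unix.so                 no_warn try_first_pass

# account
account    required    pam_login_access.so
account    required    /usr/local/lib/pam_ldap.so  ignore_authinfo_unavail ignore_unknown_user
account    required    pam_unix.so

# session
session    required    pam_permit.so
session    sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass

# password
password   required    pam_unix.so                 no_warn try_first_pass
#password  required    /usr/local/lib/pam_ldap.so  no_warn try_first_pass
"""


def parse_pam(text):
    """Return one (facility, control, module basename, args) tuple per active line."""
    entries = []
    for num, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3 or fields[0] not in FACILITIES or fields[1] not in CONTROLS:
            raise ValueError(f"line {num}: unparseable entry {raw!r}")
        module = fields[2].rsplit("/", 1)[-1]  # /usr/local/lib/pam_ldap.so -> pam_ldap.so
        entries.append((fields[0], fields[1], module, tuple(fields[3:])))
    return entries


def lint(text):
    """Return a list of (facility, message) findings for a service file."""
    stacks = defaultdict(list)
    for fac, ctl, mod, args in parse_pam(text):
        stacks[fac].append((ctl, mod, args))
    findings = []
    for fac in FACILITIES:
        if not stacks[fac]:
            findings.append((fac, "empty stack: requests for this facility cannot succeed"))
    # A password store consulted during auth but absent from the password stack.
    in_password = {m for _, m, _ in stacks["password"]}
    for mod in sorted({m for _, m, _ in stacks["auth"] if m in PASSWORD_STORES} - in_password):
        findings.append(("password", f"{mod} authenticates in auth but has no password line; "
                                     "password changes for its users go to another module"))
    # A mandatory directory lookup that rejects accounts the directory does not know.
    for ctl, mod, args in stacks["account"]:
        if mod == "pam_ldap.so" and ctl in ("required", "requisite") and "ignore_unknown_user" not in args:
            findings.append(("account", "required pam_ldap.so without ignore_unknown_user: "
                                        "accounts absent from the directory fail here"))
    # Arguments that the account/session facilities never consult.
    for fac in ("account", "session"):
        for ctl, mod, args in stacks[fac]:
            for arg in sorted(AUTH_ONLY_ARGS & set(args)):
                findings.append((fac, f"{arg} has no effect on {mod} in the {fac} stack"))
    return findings


if __name__ == "__main__":
    by_fac = defaultdict(list)
    for fac, ctl, mod, args in parse_pam(SSHD_FROM_THREAD):
        by_fac[fac].append(f"{ctl:<10} {mod} {' '.join(args)}".rstrip())
    for fac in FACILITIES:
        print(f"[{fac}]")
        for line in by_fac[fac]:
            print("   ", line)
    for fac, msg in lint(SSHD_FROM_THREAD):
        print(f"WARN {fac}: {msg}")
```

Run against the posted file it reports two things a reader of the thread can confirm by hand: pam_ldap.so is consulted in auth while its password line is commented out, and try_first_pass on the session line is an argument that facility does not use. The account line passes because it already carries ignore_unknown_user. Pointing the script at a file on a real machine (read it into the text argument) gives the same per-facility view for any service, which is a cheaper first step than turning on module debugging.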