From: sybexmy alias <sybexmy@m-net.arbornet.org>
To: freebsd-hackers@freebsd.org
Date: Thu, 4 Mar 2004 07:46:11 -0500 (EST)
Message-Id: <200403041246.i24CkBEV025792@m-net.arbornet.org>
Subject: Issues with SSH+LDAP on FreeBSD 5.2

Hi All,

I'm attempting to integrate SSH with LDAP and PAM on a FreeBSD 5.2 host. However, I'm getting an "Access denied" error message when I try to ssh to my LDAP server using PuTTY Release 0.53b. I have googled around and found several documents like "http://www.cultdeadsheep.org/FreeBSD/docs/Quick_and_dirty_FreeBSD_5_x_and_nss_ldap_mini-HOWTO.html". This documentation also does not work. I really hope that somebody can guide me and comment on what I have done wrong in my configuration files. Thank you in advance.

Sybexmy

FreeBSD 5.2 RELEASE
 |
 +-openldap-server-2.1.26_1
 +-pam_ldap-1.6.7_1
 +-nss_ldap-1.204_5
 +-OpenSSH_3.6.1p1

Client (PuTTY Release 0.53b)
------------------------
login as: testuser1
Sent username "testuser1"
testuser1@10.1.7.107's password:
Access denied
testuser1@10.1.7.107's password:

Server: LDAP DEBUGGING LEVEL 4:
----------------------
sybexmy-file-svr# ./debug_slapd.sh
daemon_init: ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap://0.0.0.0/
bdb_initialize: Sleepycat Software: Berkeley DB 4.1.25: (December 19, 2002)
bdb_db_init: Initializing BDB database
bdb_db_open: dc=sybexmy,dc=com
slapd starting
connection_get(13)
==> bdb_bind: dn: cn=proxyuser,dc=sybexmy,dc=com
send_ldap_result: err=0 matched="" text=""
connection_get(13)
SRCH "ou=People,dc=sybexmy,dc=com" 1 0 1 0 0
    filter: (&(objectClass=posixAccount)(uid=testuser1))
    attrs: uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
bdb_idl_fetch_key: %ou=people,dc=sybexmy,dc=com
bdb_idl_fetch_key: [b49d1940]
bdb_idl_fetch_key: [5941c014]
bdb_idl_fetch_key: [7f114c03]

SSH DEBUGGING (sshd port: 1234):
----------------------------------------------
sybexmy-file-svr# ./debug_sshd.sh
debug2: read_server_config: filename /etc/ssh/sshd_config
debug1: sshd version OpenSSH_3.6.1p1 FreeBSD-20030924
debug1: private host key: #0 type 0 RSA1
debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: Bind to port 1234 on ::.
Server listening on :: port 1234.
debug1: Bind to port 1234 on 0.0.0.0.
Server listening on 0.0.0.0 port 1234.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
debug1: res_init()
Connection from 10.1.7.100 port 1269
debug1: Client protocol version 1.5; client software version PuTTY-Release-0.53b
debug1: no match: PuTTY-Release-0.53b
debug1: Local version string SSH-1.99-OpenSSH_3.6.1p1 FreeBSD-20030924
debug2: Network child is on pid 960
debug3: privsep user:group 22:22
debug3: preauth child monitor started
debug1: permanently_set_uid: 22/22
debug1: Sent 768 bit server key and 1024 bit host key.
debug3: mm_request_receive entering
debug1: Encryption type: blowfish
debug3: mm_request_send entering: type 28
debug3: monitor_read: checking request 28
debug3: mm_request_receive_expect entering: type 29
debug3: mm_request_receive entering
debug3: mm_request_send entering: type 29
debug3: mm_ssh1_session_id entering
debug2: monitor_read: 28 used once, disabling now
debug3: mm_request_send entering: type 30
debug3: mm_request_receive entering
debug1: Received session key; encryption turned on.
debug3: monitor_read: checking request 30
debug3: mm_answer_sessid entering
debug2: monitor_read: 30 used once, disabling now
debug3: mm_request_receive entering
debug1: Installing crc compensation attack detector.
debug3: mm_getpwnamallow entering
debug3: mm_request_send entering: type 6
debug3: monitor_read: checking request 6
debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM
debug3: mm_answer_pwnamallow
debug3: mm_request_receive_expect entering: type 7
debug3: mm_request_receive entering
debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
debug3: mm_request_send entering: type 7
debug3: mm_start_pam entering
debug2: monitor_read: 6 used once, disabling now
debug3: mm_request_send entering: type 41
debug3: mm_request_receive entering
debug1: Attempting authentication for testuser1.
debug3: monitor_read: checking request 41
debug3: mm_auth_password entering
debug1: PAM: initializing for "testuser1"
debug3: mm_request_send entering: type 10
debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
debug3: mm_request_receive_expect entering: type 11
debug3: mm_request_receive entering
debug3: Trying to reverse map address 10.1.7.100.
debug1: PAM: setting PAM_RHOST to "machine185.nat.sybexmy.com"
debug2: monitor_read: 41 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 10
debug3: mm_answer_authpassword: sending result 0
debug3: mm_request_send entering: type 11
debug3: mm_auth_password: user not authenticated
Failed none for testuser1 from 10.1.7.100 port 1269
debug3: mm_request_receive entering
debug3: mm_auth_password entering
debug3: mm_request_send entering: type 10
debug3: monitor_read: checking request 10
debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
debug3: mm_answer_authpassword: sending result 0
debug3: mm_request_receive_expect entering: type 11
debug3: mm_request_send entering: type 11
debug3: mm_request_receive entering
Failed password for testuser1 from 10.1.7.100 port 1269
debug3: mm_request_receive entering
debug3: mm_auth_password: user not authenticated
Failed password for testuser1 from 10.1.7.100 port 1269

sybexmy-file-svr# more /etc/ssh/sshd_config
PasswordAuthentication yes
ChallengeResponseAuthentication yes
PermitRootLogin yes
PrintLastLog yes

sybexmy-file-svr# more /etc/pam.d/sshd
auth      sufficient  /usr/local/lib/pam_ldap.so
account   sufficient  /usr/local/lib/pam_ldap.so
session   sufficient  /usr/local/lib/pam_ldap.so
password  required    pam_unix.so  no_warn try_first_pass

LDAP SEARCH:
------------
# testuser1, People, sybexmy.com
dn: uid=testuser1,ou=People,dc=sybexmy,dc=com
cn: testuser1 Account
sn: testuser1
uid: testuser1
uidNumber: 1001
gidNumber: 513
loginShell: /bin/csh
gecos: testuser1 Account
description: testuser1 Account
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 1077709156
displayName: testuser1 Account
sambaSID: S-1-5-21-541008154-732489941-378898453-3002
sambaPrimaryGroupSID: S-1-5-21-541008154-732489941-378898453-513
sambaHomeDrive: H:
sambaHomePath: \\SERVER\home
sambaProfilePath: \\SERVER\profiles\testuser1
sambaPwdMustChange: 2147483647
sambaLMPassword: 419A6932ED4147C2AAD3B435B51404EE
sambaPwdLastSet: 1077709156
sambaAcctFlags: [U]
sambaNTPassword: 58A54CB6584BEDE940DFD029FD76E2D2
sambaLogonScript: startup.cmd
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
userPassword:: e1NTSEF9R2RITzhDbmhtV3IyVjBkWFFlbTVwYnlPT0hqc0pOSEU=
homeDirectory: /home/testuser1
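One offline check worth doing before touching PAM or sshd in a setup like the one above is confirming that the userPassword stored in the directory really matches the password being typed. This added example (not code from the original post; the entry and hash it uses are constructed, not the posted ones) decodes the LDIF double-colon base64 value and verifies a candidate against OpenLDAP's {SSHA} scheme, which stores base64(SHA-1(password + salt) + salt).

```python
import base64
import hashlib
import hmac
import os
from typing import List, Optional, Tuple


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Build an OpenLDAP {SSHA} value: base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)  # slappasswd also uses a short random salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ldif_value(line: str) -> Tuple[str, str]:
    """Split one LDIF line; 'attr:: value' means the value is base64-encoded."""
    attr, _, value = line.partition(":")
    if value.startswith(":"):
        return attr, base64.b64decode(value[1:].strip()).decode("utf-8")
    return attr, value.strip()


def verify_ssha(stored: str, candidate: str) -> bool:
    """Check a candidate password against an {SSHA} value (salt is the tail)."""
    if stored[:6].upper() != "{SSHA}":
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[6:])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, rest is salt
    calc = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(calc, digest)  # constant-time comparison


def check_entry(lines: List[str], candidate: str) -> bool:
    """Find userPassword in an LDIF entry and verify the candidate against it."""
    for line in lines:
        attr, value = ldif_value(line)
        if attr == "userPassword":
            return verify_ssha(value, candidate)
    raise KeyError("entry has no userPassword attribute")


# Constructed sample entry: the hash is generated here for "example-pw" with a
# fixed salt; it is not the hash from the post.
SAMPLE_HASH = make_ssha("example-pw", b"\x13\x37\x00\xff")
SAMPLE_ENTRY = [
    "dn: uid=testuser1,ou=People,dc=example,dc=com",
    "uid: testuser1",
    "userPassword:: " + base64.b64encode(SAMPLE_HASH.encode("ascii")).decode("ascii"),
]
```

Run it against an `ldapsearch` export of the real entry (bound as an account that is allowed to read userPassword) to separate a wrong stored hash from a PAM or sshd problem.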