From: "O. Hartmann" <ohartman@zedat.fu-berlin.de>
Organization: Freie Universität Berlin
To: freebsd-questions@freebsd.org
Date: Mon, 26 Nov 2007 17:23:04 +0000
Message-ID: <474B00F8.6030308@zedat.fu-berlin.de>
Subject: OpenLDAP/PAM and SSH: some weirdness with ssh-keys

Hello,

sorry for bothering you, but I'm feeling desperately lost with a problem. I've got a running OpenLDAP 2.3.39 authentication system on a FreeBSD 7.0 box, with pam_ldap and nss_ldap (most recent from the ports).
My config does not look very special, but I think I've messed up something in /etc/pam.d or have overlooked a small knob in sshd_config (I am using the plain standard sshd_config that comes with the OS). My users cannot log in without having, the very first time, typed 'ssh-keygen' and generated their key with a passphrase! Whenever the key (doesn't matter whether rsa or dsa) is not present, no login is possible, but if the key is present, login works fine. But the passphrase of the key remains the password for login; there is no way to change it with a patched passwd.c/passwd() or with tools like LUMA. By the way, I have the option 'pam_password crypt' enabled in /usr/local/etc/ldap.conf (for both pam_ldap and nss_ldap, linked), but I guess this doesn't help much.

Since ssh login does not work, I will show you my /etc/pam.d/sshd file, which looks like this:

=====
#
# $FreeBSD: src/etc/pam.d/sshd,v 1.16 2007/06/10 18:57:20 yar Exp $
#
# PAM configuration for the "sshd" service
#

# auth
auth        sufficient  pam_opie.so                     no_warn no_fake_prompts
auth        requisite   pam_opieaccess.so               no_warn allow_local
#auth       sufficient  pam_krb5.so                     no_warn try_first_pass
auth        sufficient  /usr/local/lib/pam_ldap.so      no_warn try_first_pass
auth        sufficient  pam_ssh.so                      no_warn try_first_pass
auth        required    pam_unix.so                     no_warn try_first_pass

# account
account     required    pam_nologin.so
#account    required    pam_krb5.so
account     required    pam_login_access.so
account     sufficient  /usr/local/lib/pam_ldap.so
account     required    pam_unix.so

# session
#session    optional    pam_ssh.so
session     required    /usr/local/lib/pam_mkhomedir.so mode=750 skel=/usr/share/skel/
session     required    pam_permit.so

# password
#password   sufficient  pam_krb5.so                     no_warn try_first_pass
#password   sufficient  /usr/local/lib/pam_ldap.so      use_authtok
password    sufficient  /usr/local/lib/pam_ldap.so      try_first_pass
password    required    pam_unix.so                     no_warn try_first_pass
========

Sorry for the weird wrapping ... Does anyone see some problems?
I also have the pam_ldap.so line in /etc/pam.d/passwd (and /etc/pam.d/system looks similar). I would like not to have the key passphrase as the password for login.

Thanks in advance,
Oliver
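An added check for the stack quoted above (example code, not from the post or from the FreeBSD base system): pam_ssh(8) listed in the auth stack with try_first_pass tries the password typed at login as the passphrase of the user's ~/.ssh key, and as a "sufficient" module it lets the login succeed before pam_unix below it is consulted, which is the passphrase-as-password behaviour the post describes; the stock FreeBSD sshd stack ships that line commented out. The script flags such a line and prints the file with it disabled; the sample input is constructed from the auth section of the post, and the function names are the script's own.

```shell
#!/bin/sh
# Added example (not from the original post or the FreeBSD base system).
# pam_ssh.so in the auth stack with try_first_pass tries the typed password
# as the passphrase of the user's ~/.ssh key; as "sufficient" it
# short-circuits pam_unix below it, which is what the post describes.

# Exit 0 when no active "auth sufficient pam_ssh.so" line exists, 1 otherwise;
# offending lines are printed to stdout.
check_pam_ssh_auth() {
    awk '
        /^[[:space:]]*#/ { next }                      # ignore commented lines
        $1 == "auth" && $2 == "sufficient" && $3 ~ /pam_ssh\.so$/ {
            print FILENAME ":" NR ": " $0; found = 1
        }
        END { exit found ? 1 : 0 }
    ' "$1"
}

# Print the file with every active "auth ... pam_ssh.so" line commented out,
# matching the stock FreeBSD sshd stack where that line ships disabled.
disable_pam_ssh_auth() {
    sed -E 's/^([[:space:]]*auth[[:space:]]+[^[:space:]]+[[:space:]]+pam_ssh\.so.*)$/#\1/' "$1"
}

# Constructed sample: the auth section from the post, written to a temp file.
SAMPLE_PAM=$(mktemp) || exit 1
cat > "$SAMPLE_PAM" <<'EOF'
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass
auth sufficient pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass
EOF

if check_pam_ssh_auth "$SAMPLE_PAM"; then
    echo "OK: pam_ssh.so is not an active sufficient auth module"
else
    echo "WARNING: key passphrase doubles as login password; corrected stack:"
    disable_pam_ssh_auth "$SAMPLE_PAM"
fi
```

Disabling that line removes the passphrase-as-password path but does not by itself explain why pam_ldap, which sits above it, is not authenticating users; that still has to be traced in the pam_ldap/ldap.conf setup.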