Date: Tue, 25 Mar 2008 11:33:38 -0400
From: "Brian A. Seklecki" <bseklecki@collaborativefusion.com>
To: Frank Bonnet <f.bonnet@esiee.fr>
Cc: freebsd-questions@freebsd.org
Subject: Re: Working /etc/pam.d/sshd file with pam_ldap 6.3 or 7.0 ?
Message-ID: <1206459218.18298.100.camel@soundwave.ws.pitbpa0.priv.collaborativefusion.com>
In-Reply-To: <47E91ACF.1040804@esiee.fr>
References: <47E90D72.3060909@esiee.fr> <1206456103.18298.88.camel@soundwave.ws.pitbpa0.priv.collaborativefusion.com> <47E91ACF.1040804@esiee.fr>

On Tue, 2008-03-25 at 16:31 +0100, Frank Bonnet wrote:
> Hello Brian
>
> Thanks for the quick answer but I'm still in trouble

Turn on the debugging flags in the configuration file for pam_ldap
in /usr/local/etc and watch the console on the system.

~BAS

> when I try to ssh connect to the machine I fall in a loop
> like the following
>
> panzer:~> ssh xxxxxxx@foo
> Password:
> Old Password:
> Password:
> Old Password:
> Password:
>
> I am SURE the password I type works
>
>
> Brian A. Seklecki wrote:
> > The problem is that the PAM libraries provide shit-fuck-ass-worthless
> > debug mechanisms. This is only eclipsed by the terribly organized
> > information on LDAP+NSS+PAM for FreeBSD on the web.
> >
> > The file is the same for pam.d/system and /usr/local/etc/pam.d/sudo.
> > Please put this on the OpenLDAP / PADL Wiki somewhere:
> >
> > seklecki@fucksake:/home/seklecki$ more /etc/pam.d/sshd
> >
> > # $FreeBSD: src/etc/pam.d/sshd,v 1.15 2003/04/30 21:57:54 markm Exp $
> > #
> > # PAM configuration for the "sshd" service
> > #
> >
> > # auth
> > #auth      required    pam_nologin.so              no_warn
> > #auth      sufficient  pam_opie.so                 no_warn no_fake_prompts
> > #auth      requisite   pam_opieaccess.so           no_warn allow_local
> > #auth      sufficient  pam_krb5.so                 no_warn try_first_pass
> > #auth      sufficient  pam_ssh.so                  no_warn try_first_pass
> > auth       sufficient  /usr/local/lib/pam_ldap.so
> > auth       required    pam_unix.so                 no_warn try_first_pass
> >
> > # account
> > #account   required    pam_krb5.so
> > account    required    pam_login_access.so
> > account    required    /usr/local/lib/pam_ldap.so  ignore_authinfo_unavail ignore_unknown_user
> > account    required    pam_unix.so
> >
> > # session
> > #session   optional    pam_ssh.so
> > session    required    pam_permit.so
> > session    sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass
> >
> > # password
> > #password  sufficient  pam_krb5.so                 no_warn try_first_pass
> > password   required    pam_unix.so                 no_warn try_first_pass
> > #password  required    /usr/local/lib/pam_ldap.so  no_warn try_first_pass
> >
> >
> > Also try:
> >
> > $ grep -i debug /usr/local/etc/ldap.conf
> > #debug 1
> > $ grep -i debug /usr/local/etc/nss_ldap.conf
> > #debug 1
> >
> >
> > Higher levels for fun.
> >
> > ~BAS
> >
> >
> > On Tue, 2008-03-25 at 15:34 +0100, Frank Bonnet wrote:
> >> Hello
> >>
> >> I can't get a working sshd access using pam_ldap and nss_ldap
> >>
> >> /etc/nsswitch.conf is OK
> >>
> >> but I'm having difficulties to configure pam_ldap for a ssh access
> >> on a machine ( 6.3 or 7.0 ) ... I have been trying a lot to configure
> >> the /etc/pam.d/sshd file but haven't any success (sigh!)
> >>
> >> Could anyone help?
> >>
> >> Thanks a lot !
> >>
> >>
> >> _______________________________________________
> >> freebsd-questions@freebsd.org mailing list
> >> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> >> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>
-- 
Brian A. Seklecki <bseklecki@collaborativefusion.com>
Collaborative Fusion, Inc.
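
An added example, not part of the original message and not FreeBSD or PADL code: it parses the active rules of the sshd PAM file quoted in the message and walks one chain using the control-flag rules documented in pam.conf(5), showing which modules run for a given set of module results. `SSHD_PAM` is rebuilt from the quoted file with the mail-wrapped options rejoined; `parse_chains`, `evaluate` and the outcome map are hypothetical names chosen for illustration.

```python
# Added example. SSHD_PAM is constructed from the active (uncommented) rules
# of the /etc/pam.d/sshd quoted in the message, mail-wrapped options rejoined.
SSHD_PAM = """\
auth     sufficient  /usr/local/lib/pam_ldap.so
auth     required    pam_unix.so  no_warn try_first_pass
account  required    pam_login_access.so
account  required    /usr/local/lib/pam_ldap.so  ignore_authinfo_unavail ignore_unknown_user
account  required    pam_unix.so
session  required    pam_permit.so
session  sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass
password required    pam_unix.so  no_warn try_first_pass
#password required   /usr/local/lib/pam_ldap.so  no_warn try_first_pass
"""

def parse_chains(text):
    """Return {facility: [(control, module_name, options), ...]} for active rules."""
    chains = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        facility, control, module, *opts = line.split()
        name = module.rsplit("/", 1)[-1]      # basename of absolute module paths
        chains.setdefault(facility, []).append((control, name, opts))
    return chains

def evaluate(chain, outcome):
    """Walk one chain with the pam.conf(5) control-flag rules.

    outcome maps module name -> True (success) / False (failure); these
    results are assumptions supplied by the caller, not real module calls.
    Returns (granted, modules_run).
    """
    failed, ran = False, []
    for control, name, _ in chain:
        ok = outcome[name]
        ran.append(name)
        if control == "optional":
            continue                          # result is ignored
        if ok and control in ("sufficient", "binding") and not failed:
            return True, ran                  # chain ends early, request granted
        if not ok and control in ("required", "requisite", "binding"):
            failed = True
            if control == "requisite":
                return False, ran             # chain ends early, request denied
    return not failed, ran                    # a failed "sufficient" is ignored
```

With these rules, `evaluate(parse_chains(SSHD_PAM)["auth"], {"pam_ldap.so": True, "pam_unix.so": False})` returns `(True, ["pam_ldap.so"])`: a successful `sufficient` pam_ldap ends the auth chain before pam_unix is consulted. The `password` chain contains only pam_unix.so, because its pam_ldap line is commented out.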