Date: Wed, 26 Mar 2008 16:01:55 +0100
From: Frank Bonnet <f.bonnet@esiee.fr>
To: bseklecki@collaborativefusion.com
Cc: freebsd-questions@freebsd.org
Subject: Re: Working /etc/pam.d/sshd file with pam_ldap 6.3 or 7.0 ?
Message-ID: <47EA6563.3030109@esiee.fr>
In-Reply-To: <1206459218.18298.100.camel@soundwave.ws.pitbpa0.priv.collaborativefusion.com>
References: <47E90D72.3060909@esiee.fr> <1206456103.18298.88.camel@soundwave.ws.pitbpa0.priv.collaborativefusion.com> <47E91ACF.1040804@esiee.fr> <1206459218.18298.100.camel@soundwave.ws.pitbpa0.priv.collaborativefusion.com>

Hello

After having spent several hours on it I can't have a working ssh access
that uses PAM_LDAP on a freebsd 6/7 machine !

I have no problem on a Linux Debian etch box ...

Where are we going if Linux works better than BSD ? :-)

Brian A. Seklecki wrote:
> On Tue, 2008-03-25 at 16:31 +0100, Frank Bonnet wrote:
>> Hello Brian
>>
>> Thanks for the quick answer but I'm still in trouble
>
> Turn on the debugging flags in the configuration file for pam_ldap
> in /usr/local/etc and watch the console on the system.
>
> ~BAS
>
>> When I try to ssh connect to the machine I fall in a loop
>> like the following
>>
>> panzer:~> ssh xxxxxxx@foo
>> Password:
>> Old Password:
>> Password:
>> Old Password:
>> Password:
>>
>> I am SURE the password I type works
>>
>> Brian A. Seklecki wrote:
>>> The problem is that the PAM libraries provide shit-fuck-ass-worthless
>>> debug mechanisms. This is only eclipsed by the terribly organized
>>> information on LDAP+NSS+PAM for FreeBSD on the web.
>>>
>>> The file is the same for pam.d/system and /usr/local/etc/pam.d/sudo.
>>> Please put this on the OpenLDAP / PADL Wiki somewhere:
>>>
>>> seklecki@fucksake:/home/seklecki$ more /etc/pam.d/sshd
>>>
>>> # $FreeBSD: src/etc/pam.d/sshd,v 1.15 2003/04/30 21:57:54 markm Exp $
>>> #
>>> # PAM configuration for the "sshd" service
>>> #
>>>
>>> # auth
>>> #auth      required    pam_nologin.so     no_warn
>>> #auth      sufficient  pam_opie.so        no_warn no_fake_prompts
>>> #auth      requisite   pam_opieaccess.so  no_warn allow_local
>>> #auth      sufficient  pam_krb5.so        no_warn try_first_pass
>>> #auth      sufficient  pam_ssh.so         no_warn try_first_pass
>>> auth       sufficient  /usr/local/lib/pam_ldap.so
>>> auth       required    pam_unix.so        no_warn try_first_pass
>>>
>>> # account
>>> #account   required    pam_krb5.so
>>> account    required    pam_login_access.so
>>> account    required    /usr/local/lib/pam_ldap.so ignore_authinfo_unavail ignore_unknown_user
>>> account    required    pam_unix.so
>>>
>>> # session
>>> #session   optional    pam_ssh.so
>>> session    required    pam_permit.so
>>> session    sufficient  /usr/local/lib/pam_ldap.so no_warn try_first_pass
>>>
>>> # password
>>> #password  sufficient  pam_krb5.so        no_warn try_first_pass
>>> password   required    pam_unix.so        no_warn try_first_pass
>>> #password  required    /usr/local/lib/pam_ldap.so no_warn try_first_pass
>>>
>>> Also try:
>>>
>>> $ grep -i debug /usr/local/etc/ldap.conf
>>> #debug 1
>>> $ grep -i debug /usr/local/etc/nss_ldap.conf
>>> #debug 1
>>>
>>> Higher levels for fun.
>>>
>>> ~BAS
>>>
>>> On Tue, 2008-03-25 at 15:34 +0100, Frank Bonnet wrote:
>>>> Hello
>>>>
>>>> I can't get a working sshd access using pam_ldap and nss_ldap
>>>>
>>>> /etc/nsswitch.conf is OK
>>>>
>>>> but I'm having difficulties configuring pam_ldap for ssh access
>>>> on a machine ( 6.3 or 7.0 ) ... I have been trying a lot to configure
>>>> the /etc/pam.d/sshd file but haven't had any success (sigh!)
>>>>
>>>> Could anyone help ?
>>>>
>>>> Thanks a lot !
>>>>
>>>> _______________________________________________
>>>> freebsd-questions@freebsd.org mailing list
>>>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>>>> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
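
How the control flags in the auth and account chains of the file quoted above combine, as an added example that is not part of the original thread: a simplified model of `required`, `requisite`, `sufficient` and `binding` as described in pam.conf(5). The `parse_pam` and `run_chain` helpers and the success/failure outcomes fed to them are assumptions for illustration; real modules can also return codes such as PAM_IGNORE, which this model does not cover.

```python
# Added example: simplified PAM chain evaluation (not code from the thread).
# Active and commented lines taken from the quoted sshd file, wrapped lines rejoined.
SSHD_PAM = """\
# auth
#auth   required    pam_nologin.so  no_warn
auth    sufficient  /usr/local/lib/pam_ldap.so
auth    required    pam_unix.so     no_warn try_first_pass
# account
account required    pam_login_access.so
account required    /usr/local/lib/pam_ldap.so ignore_authinfo_unavail ignore_unknown_user
account required    pam_unix.so
"""

def parse_pam(text):
    """Return {facility: [(control, module, args), ...]} for active lines only."""
    stacks = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and disabled rules
        if not line:
            continue
        facility, control, module, *args = line.split()
        stacks.setdefault(facility, []).append((control, module, args))
    return stacks

def run_chain(chain, outcome):
    """Walk one chain; outcome maps module -> True (success) or False (failure).
    Returns (granted, modules_called_in_order)."""
    failed, called = False, []
    for control, module, _args in chain:
        ok = outcome[module]
        called.append(module)
        if ok:
            # success of sufficient/binding ends the chain if nothing failed earlier
            if control in ("sufficient", "binding") and not failed:
                return True, called
        elif control == "requisite":
            return False, called               # failure ends the chain at once
        elif control in ("required", "binding"):
            failed = True                      # keep going, but deny at the end
        # a failed sufficient or optional module is ignored
    return not failed, called

if __name__ == "__main__":
    auth = parse_pam(SSHD_PAM)["auth"]
    ldap, unix = "/usr/local/lib/pam_ldap.so", "pam_unix.so"
    for result in ({ldap: True, unix: False}, {ldap: False, unix: True}):
        print(result, "->", run_chain(auth, result))
```

In the account chain every rule is `required`, so in this model a failure from any one of the three modules denies the login even when authentication succeeded.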