PAM and OpenLDAP: Login requires always existence of SSH pubkey,
why?
O. Hartmann
ohartman at mail.zedat.fu-berlin.de
Sun Dec 16 07:05:15 PST 2007
Hello.
I use FreeBSD 7.0-BETA on servral boxes with different architectures
(i386/amd64). Users within our network have to autheticate against an
OpenLDAP Server via PAM. I have the annoying problem that every user
getting autenticated needs a public key and the passphrase set in the
ssh public key is the passphrase that authenticates the user - not the
passphrase/password set in the OpenLDAP DIT for that specific user! My
sshd_config looks quite common to the default sshd_conf offered with the
FreeBSD sources, exept three changes:
=============
# Change to yes to enable built-in password authentication.
PasswordAuthentication yes
#PermitEmptyPasswords no
# Change to no to disable PAM authentication
ChallengeResponseAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
# Set this to 'no' to disable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
=================
Setting
PasswordAuthentication no
and
ChallengeResponseAuthentication no
to force PAM doing authetication, accounting and session via LDAP
results in the incapability of logging in for any user (error:
pubkey/password).
In /etc/pam.d/sshd and system I have both in auth and session
pam_sshd.so enabled. Without that it doesn't matter what is configured
in sshd_conf, users never can login as LDAP would never check passphrase.
What is wrong? Why is PAM forcing ssh into doing authentication and
accounting and session management by default although I configured PAM
to do so?
Can anybody help?
Thanks in advance,
Oliver
More information about the freebsd-questions
mailing list