Working /etc/pam.d/sshd file with pam_ldap 6.3 or 7.0 ?

Brian A. Seklecki bseklecki at collaborativefusion.com
Tue Mar 25 08:33:39 PDT 2008


On Tue, 2008-03-25 at 16:31 +0100, Frank Bonnet wrote:
> Hello Brian
> 
> Thanks for the quick answer but I'm still in trouble

Turn on the debugging flags in the configuration file for pam_ldap
in /usr/local/etc and watch the console on the system.

~BAS


> When I try to ssh connect to the machine I fall in a loop
> like the following
> 
> panzer:~> ssh  xxxxxxx at foo
> Password:
> Old Password:
> Password:
> Old Password:
> Password:
> 
> I am SURE the password I type works
> 
> 
> 
> 
> Brian A. Seklecki wrote:
> > The problem is that the PAM libraries provide shit-fuck-ass-worthless
> > debug mechanisms.  This is only eclipsed by the terribly organized
> > information on LDAP+NSS+PAM for FreeBSD on the web.
> > 
> > The file is the same for pam.d/system and /usr/local/etc/pam.d/sudo.
> > Please put this on the OpenLDAP / PADL Wiki somewhere:
> > 
> > seklecki at fucksake:/home/seklecki$ more /etc/pam.d/sshd 
> > 
> > 
> > # $FreeBSD: src/etc/pam.d/sshd,v 1.15 2003/04/30 21:57:54 markm Exp $
> > #
> > # PAM configuration for the "sshd" service
> > #
> > 
> > # auth
> > #auth           required        pam_nologin.so          no_warn
> > #auth           sufficient      pam_opie.so             no_warn no_fake_prompts
> > #auth           requisite       pam_opieaccess.so       no_warn allow_local
> > #auth           sufficient      pam_krb5.so             no_warn try_first_pass
> > #auth           sufficient      pam_ssh.so              no_warn try_first_pass
> > auth            sufficient      /usr/local/lib/pam_ldap.so
> > auth            required        pam_unix.so             no_warn try_first_pass
> > 
> > # account
> > #account        required        pam_krb5.so
> > account         required        pam_login_access.so
> > account         required        /usr/local/lib/pam_ldap.so ignore_authinfo_unavail ignore_unknown_user
> > account         required        pam_unix.so
> > 
> > # session
> > #session        optional        pam_ssh.so
> > session         required        pam_permit.so
> > session         sufficient      /usr/local/lib/pam_ldap.so no_warn try_first_pass
> > 
> > # password
> > #password       sufficient      pam_krb5.so             no_warn try_first_pass
> > password        required        pam_unix.so             no_warn try_first_pass
> > #password       required        /usr/local/lib/pam_ldap.so no_warn try_first_pass
> > 
> > 
> > Also try:
> > 
> > $ grep -i debug /usr/local/etc/ldap.conf
> > #debug 1
> > $ grep -i debug /usr/local/etc/nss_ldap.conf
> > #debug 1
> > 
> > 
> > Higher levels for fun.
> > 
> > ~BAS
> > 
> > 
> > On Tue, 2008-03-25 at 15:34 +0100, Frank Bonnet wrote:
> >> Hello
> >>
> >> I can't get a working sshd access using pam_ldap and nss_ldap
> >>
> >> /etc/nsswitch.conf is OK
> >>
> >> but I'm having difficulty configuring pam_ldap for ssh access
> >> on a machine ( 6.3 or 7.0 ) ... I have been trying a lot to configure
> >> the /etc/pam.d/sshd file but haven't had any success (sigh!)
> >>
> >> Could anyone help?
> >>
> >> Thanks a lot !
> >>
> 
-- 
Brian A. Seklecki <bseklecki at collaborativefusion.com>
Collaborative Fusion, Inc.
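
A pam.d file copied out of an e-mail can carry hard line wraps that strand module options on a line of their own, which is no longer a valid entry. The check below is an added example, not part of the original message; the function name `lint_pam`, the keyword sets and the constructed sample input are assumptions of this example.

```python
# Added example: lint a pam.d service file for entries broken by line wrapping.
FACILITIES = {"auth", "account", "session", "password"}
# Control keywords accepted here (assumption: the plain keyword forms only).
CONTROLS = {"required", "requisite", "sufficient", "binding", "optional", "include"}

# Constructed sample: entries from the thread, one with its option wrapped.
SAMPLE = """\
# auth
auth            sufficient      /usr/local/lib/pam_ldap.so
auth            required        pam_unix.so             no_warn
try_first_pass
account         required        pam_login_access.so
"""


def lint_pam(text):
    """Return (entries, problems) for the text of one pam.d service file.

    entries:  list of (lineno, facility, control, module, [options])
    problems: list of (lineno, message)
    """
    entries, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        fields = line.split()
        if fields[0] not in FACILITIES:
            # Typical wrap damage: options stranded on their own line.
            problems.append((lineno, f"not a PAM entry (wrapped options?): {line!r}"))
            continue
        if len(fields) < 3:
            problems.append((lineno, f"incomplete entry: {line!r}"))
            continue
        facility, control, module, *options = fields
        if control not in CONTROLS:
            problems.append((lineno, f"unknown control flag {control!r}"))
        entries.append((lineno, facility, control, module, options))
    return entries, problems


if __name__ == "__main__":
    found, issues = lint_pam(SAMPLE)
    for lineno, message in issues:
        print(f"line {lineno}: {message}")
    for lineno, facility, control, module, options in found:
        print(f"line {lineno}: {facility} {control} {module} {' '.join(options)}")
```

Run it against the installed file by passing `open("/etc/pam.d/sshd").read()` to `lint_pam` before restarting sshd.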
