Working /etc/pam.d/sshd file with pam_ldap 6.3 or 7.0 ?
Brian A. Seklecki
bseklecki at collaborativefusion.com
Tue Mar 25 08:33:39 PDT 2008
On Tue, 2008-03-25 at 16:31 +0100, Frank Bonnet wrote:
> Hello Brian
>
> Thanks for the quick answer but I'm still in trouble
Turn on the debugging flags in the configuration file for pam_ldap
in /usr/local/etc and watch the console on the system.
~BAS
> when I try to ssh connect to the machine I fall in a loop
> like the following
>
> panzer:~> ssh xxxxxxx at foo
> Password:
> Old Password:
> Password:
> Old Password:
> Password:
>
> I am SURE the password I type works
>
>
>
>
> Brian A. Seklecki wrote:
> > The problem is that the PAM libraries provide a shit-fuck-ass-worthless
> > debug mechanism. This is only eclipsed by the terribly organized
> > information on LDAP+NSS+PAM for FreeBSD on the web.
> >
> > The file is the same for pam.d/system and /usr/local/etc/pam.d/sudo.
> > Please put this on the OpenLDAP / PADL Wiki somewhere:
> >
> > seklecki at fucksake:/home/seklecki$ more /etc/pam.d/sshd
> >
> >
> > # $FreeBSD: src/etc/pam.d/sshd,v 1.15 2003/04/30 21:57:54 markm Exp $
> > #
> > # PAM configuration for the "sshd" service
> > #
> >
> > # auth
> > #auth required pam_nologin.so no_warn
> > #auth sufficient pam_opie.so no_warn no_fake_prompts
> > #auth requisite pam_opieaccess.so no_warn allow_local
> > #auth sufficient pam_krb5.so no_warn try_first_pass
> > #auth sufficient pam_ssh.so no_warn try_first_pass
> > auth sufficient /usr/local/lib/pam_ldap.so
> > auth required pam_unix.so no_warn try_first_pass
> >
> > # account
> > #account required pam_krb5.so
> > account required pam_login_access.so
> > account required /usr/local/lib/pam_ldap.so ignore_authinfo_unavail ignore_unknown_user
> > account required pam_unix.so
> >
> > # session
> > #session optional pam_ssh.so
> > session required pam_permit.so
> > session sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass
> >
> > # password
> > #password sufficient pam_krb5.so no_warn try_first_pass
> > password required pam_unix.so no_warn try_first_pass
> > #password required /usr/local/lib/pam_ldap.so no_warn try_first_pass
> >
> >
> > Also try:
> >
> > $ grep -i debug /usr/local/etc/ldap.conf
> > #debug 1
> > $ grep -i debug /usr/local/etc/nss_ldap.conf
> > #debug 1
> >
> >
> > Higher levels for fun.
> >
> > ~BAS
> >
> >
> > On Tue, 2008-03-25 at 15:34 +0100, Frank Bonnet wrote:
> >> Hello
> >>
> >> I can't get a working sshd access using pam_ldap and nss_ldap
> >>
> >> /etc/nsswitch.conf is OK
> >>
> >> but I'm having difficulty configuring pam_ldap for ssh access
> >> on a machine ( 6.3 or 7.0 ) ... I have been trying a lot to configure
> >> the /etc/pam.d/sshd file but haven't had any success (sigh!)
> >>
> >> Could anyone help?
> >>
> >> Thanks a lot !
> >>
> >>
>
--
Brian A. Seklecki <bseklecki at collaborativefusion.com>
Collaborative Fusion, Inc.
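
Added example, not part of the original thread or of the FreeBSD/PADL code: a small checker for the pam.d/sshd format quoted above. It flags option lines that ended up on a line of their own (as happens when this file is wrapped in mail) and lists auth modules after the first that lack try_first_pass/use_first_pass; the sample input is constructed from the thread's config and the function names are illustrative.

```python
"""Lint a pam.d service file: list the active stack and flag broken lines."""
import sys

FACILITIES = {"auth", "account", "session", "password"}
# Control flags from pam.conf(5) on FreeBSD (OpenPAM), plus the include directive.
CONTROLS = {"required", "requisite", "sufficient", "binding", "optional", "include"}
FIRST_PASS = {"try_first_pass", "use_first_pass"}

# Constructed sample: part of the thread's config with two options wrapped.
SAMPLE = """\
# PAM configuration for the "sshd" service
#auth  sufficient  pam_opie.so  no_warn
no_fake_prompts
auth   sufficient  /usr/local/lib/pam_ldap.so
auth   required    pam_unix.so  no_warn
try_first_pass
account required   /usr/local/lib/pam_ldap.so ignore_authinfo_unavail ignore_unknown_user
"""

def parse_pam(text):
    """Return (stack, problems) for the text of one pam.d service file."""
    stack, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if fields[0] not in FACILITIES:          # e.g. a bare "try_first_pass"
            problems.append((lineno, "orphan line (wrapped options?): " + line))
        elif len(fields) < 3 or fields[1] not in CONTROLS:
            problems.append((lineno, "malformed entry: " + line))
        else:
            stack.append((fields[0], fields[1], fields[2], fields[3:]))
    return stack, problems

def separate_prompts(stack):
    """Auth modules after the first that do not reuse the already-typed password."""
    auth = [e for e in stack if e[0] == "auth" and e[1] != "include"]
    return [mod for _, _, mod, args in auth[1:] if not FIRST_PASS & set(args)]

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    stack, problems = parse_pam(text)
    for fac, ctl, mod, args in stack:
        print(f"{fac:9}{ctl:11}{mod} {' '.join(args)}")
    for lineno, msg in problems:
        print(f"line {lineno}: {msg}")
    for mod in separate_prompts(stack):
        print(f"note: {mod} has no try_first_pass/use_first_pass")
```

Run it with the path to the service file as the only argument; with no argument it checks the built-in sample. The second check is a heuristic, since not every auth module asks for a password.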