PAM and OpenLDAP: Login requires always existence of SSH pubkey, why?

O. Hartmann ohartman at
Sun Dec 16 07:05:15 PST 2007


I use FreeBSD 7.0-BETA on several boxes with different architectures 
(i386/amd64). Users within our network have to authenticate against an 
OpenLDAP Server via PAM. I have the annoying problem that every user 
getting authenticated needs a public key and the passphrase set in the 
ssh public key is the passphrase that authenticates the user - not the 
passphrase/password set in the OpenLDAP DIT for that specific user! My 
sshd_config looks quite common to the default sshd_conf offered with the 
FreeBSD sources, except three changes:

# Change to yes to enable built-in password authentication.
PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable PAM authentication
ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes

# Set this to 'no' to disable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes


PasswordAuthentication no
ChallengeResponseAuthentication no

to force PAM doing authentication, accounting and session via LDAP 
results in the incapability of logging in for any user (error: 

In /etc/pam.d/sshd and system I have both in auth and session enabled. 
Without that it doesn't matter what is configured in sshd_conf, users 
never can login as LDAP would never check passphrase.

What is wrong? Why is PAM forcing ssh into doing authentication and 
accounting and session management by default although I configured PAM 
to do so?

Can anybody help?

Thanks in advance,


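An added example, not code from the poster or from FreeBSD/OpenSSH: the comment block quoted above says PAM is only consulted for a password when UsePAM is yes and at least one of PasswordAuthentication or ChallengeResponseAuthentication is yes; sshd_config(5) also states that for each keyword the first value read is the one used. This script applies both rules to an sshd_config text (a constructed sample modelled on the excerpt above, with the keywords repeated) and reports which authentication paths are actually reachable. It assumes no Match blocks are present.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the sshd_config excerpt in the post. The same
# keyword occurs twice; sshd keeps the FIRST value it reads for a keyword
# (sshd_config(5)), so the later "no" lines never take effect.
SAMPLE_SSHD_CONFIG = """\
# Change to yes to enable built-in password authentication.
PasswordAuthentication yes
#PermitEmptyPasswords no
ChallengeResponseAuthentication yes
UsePAM yes

PasswordAuthentication no
ChallengeResponseAuthentication no
"""

# OpenSSH compiled-in defaults used when a keyword is absent from the file.
DEFAULTS = {"usepam": "no", "passwordauthentication": "yes",
            "challengeresponseauthentication": "yes", "pubkeyauthentication": "yes"}

def parse_sshd_config(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return (effective keyword -> value, duplicate lines sshd ignores).
    Keywords are case-insensitive, '#' starts a comment, first value wins.
    Assumption: no Match blocks (they would need per-block handling)."""
    effective: Dict[str, str] = {}
    ignored: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key in effective:
            ignored.append(line)      # later occurrence is silently dropped
        else:
            effective[key] = value
    return effective, ignored

def auth_paths(text: str) -> Dict[str, object]:
    """Which sshd authentication paths this configuration leaves reachable.
    PAM (and so an LDAP stack behind it) only sees a password when UsePAM is
    yes AND PasswordAuthentication or ChallengeResponseAuthentication is yes."""
    cfg, ignored = parse_sshd_config(text)
    cfg = {**DEFAULTS, **cfg}
    def yes(k: str) -> bool:
        return cfg[k].lower() == "yes"
    pam_pw = yes("usepam") and (yes("passwordauthentication") or yes("challengeresponseauthentication"))
    sshd_pw = (not yes("usepam")) and yes("passwordauthentication")  # sshd checks it itself
    return {"pam_password": pam_pw, "sshd_password": sshd_pw, "pubkey": yes("pubkeyauthentication"),
            "pubkey_only": yes("pubkeyauthentication") and not (pam_pw or sshd_pw),
            "ignored_lines": ignored}
```

With the sample, the first "yes" values win and PAM password authentication is reachable; with only the two "no" lines plus UsePAM yes, the report flips to public-key only, which matches the symptom described in the post.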