PAM and OpenLDAP: Login requires always existence of SSH pubkey, why?

Michael Smith mksmith at adhost.com
Sun Dec 16 13:30:17 PST 2007 

Hello:

On Dec 16, 2007, at 7:06 AM, O. Hartmann wrote:

> Hello.
>
> I use FreeBSD 7.0-BETA on servral boxes with different architectures  
> (i386/amd64). Users within our network have to autheticate against  
> an OpenLDAP Server via PAM. I have the annoying problem that every  
> user getting autenticated needs a public key and the passphrase set  
> in the ssh public key is the passphrase that authenticates the user  
> - not the passphrase/password set in the OpenLDAP DIT for that  
> specific user! My sshd_config looks quite common to the default  
> sshd_conf offered with the FreeBSD sources, exept three changes:
>
>
> =============
> # Change to yes to enable built-in password authentication.
> PasswordAuthentication yes
> #PermitEmptyPasswords no
>
> # Change to no to disable PAM authentication
> ChallengeResponseAuthentication yes
>
> # Kerberos options
> #KerberosAuthentication no
> #KerberosOrLocalPasswd yes
> #KerberosTicketCleanup yes
> #KerberosGetAFSToken no
>
> # GSSAPI options
> #GSSAPIAuthentication yes
> #GSSAPICleanupCredentials yes
>
> # Set this to 'no' to disable PAM authentication, account processing,
> # and session processing. If this is enabled, PAM authentication will
> # be allowed through the ChallengeResponseAuthentication and
> # PasswordAuthentication.  Depending on your PAM configuration,
> # PAM authentication via ChallengeResponseAuthentication may bypass
> # the setting of "PermitRootLogin without-password".
> # If you just want the PAM account and session checks to run without
> # PAM authentication, then enable this but set PasswordAuthentication
> # and ChallengeResponseAuthentication to 'no'.
> UsePAM yes
>
> =================
>
> Setting
> PasswordAuthentication no
> and
> ChallengeResponseAuthentication no
>
> to force PAM doing authetication, accounting and session via LDAP  
> results in the incapability of logging in for any user (error:  
> pubkey/password).
>
> In /etc/pam.d/sshd and system I have both in auth and session  
> pam_sshd.so enabled. Without that it doesn't matter what is  
> configured in sshd_conf, users never can login as LDAP would never  
> check passphrase.
>
> What is wrong? Why is PAM forcing ssh into doing authentication and  
> accounting and session management by default although I configured  
> PAM to do so?
>
> Can anybody help?

Are you telling SSH to use pam_ldap in the /etc/pam.d/sshd file?  As I  
understand it, you have told ssh to use PAM, which means it will honor  
what is in /etc/pam.d/sshd for its authentication.  If you want ldap,  
you'll need the pam_ldap.so library installed and then reference that  
in the file.  We use RADIUS and SAMBA so ours looks like:

auth            required        pam_nologin.so          no_warn
auth            sufficient      pam_radius.so
auth            sufficient /usr/local/lib/pam_winbind.so try_first_pass
auth            sufficient      pam_opie.so             no_warn  
no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn  
allow_local
auth            required        pam_unix.so             no_warn  
try_first_pass

Regards,

Mike

More information about the freebsd-questions mailing list