OpenLDAP/PAM and SSH: some weirdness with ssh-keys

O. Hartmann ohartman at
Mon Nov 26 09:22:35 PST 2007

Sorry for bothering you, but I'm feeling desperately lost with a problem.

I've got a running OpenLDAP 2.3.39 authentication system on a FreeBSD 7.0 
box, with pam_ldap and nss_ldap (most recent from the ports). My config 
does not look very special, but I think I've messed up something in 
/etc/pam.d or have overlooked a small knob in sshd_config (using the plain 
standard sshd_config coming with the OS).

My users cannot log in without having typed 'ssh-keygen' the very first 
time and generated their key with a passphrase! Whenever the key 
(doesn't matter whether rsa or dsa) is not present, no login is 
possible, but if the key is present, login works fine. But the 
passphrase of the key remains the password for login, with no chance to 
change it with patched passwd.c/passwd() or with tools like LUMA. By the 
way, I have the option 'pam_password crypt' enabled in 
/usr/local/etc/ldap.conf (for both pam_ldap and nss_ldap, linked), but 
this doesn't help much, I guess.

Since ssh login does not work, I will show you my 
/etc/pam.d/sshd file, which looks like this:

# $FreeBSD: src/etc/pam.d/sshd,v 1.16 2007/06/10 18:57:20 yar Exp $
# PAM configuration for the "sshd" service

# auth
auth            sufficient             no_warn 
auth            requisite       no_warn allow_local
#auth           sufficient             no_warn 
auth            sufficient      /usr/local/lib/ no_warn 
auth            sufficient              no_warn 
auth            required             no_warn 

# account
account         required
#account        required
account         required
account         sufficient      /usr/local/lib/
account         required

# session
#session        optional
session         required        /usr/local/lib/ mode=750 
session         required

# password
#password       sufficient             no_warn 
#password        sufficient      /usr/local/lib/ use_authtok
password        sufficient      /usr/local/lib/ try_first_pass
password        required             no_warn 

Sorry for the weird wrapping ...

Does anyone see some problems? I also have the in 
/etc/pam.d/passwd (and /etc/pam.d/system looks similar).

I would like not to have the key passphrase as the password for login.

Thanks in advance,
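The question is whether anyone sees a problem with the stack, and the thing to read in a pam.d file is the control column: an `auth sufficient` entry ends the stack with a pass the moment its module accepts a credential, so whatever that module asks for is a complete login credential on its own. The module column of the listing above did not survive, so the script below (an added example, not code from the post) works on a constructed FreeBSD-style sample instead; the sample includes pam_ssh.so, the module that authenticates against the passphrase of the user's SSH key, as a sufficient entry. It parses pam.d lines and replays the required/requisite/sufficient control flow so you can see which single module decides each login. The module names in the sample and the per-module outcomes passed to `evaluate` are assumed sample values.

```python
"""Model how an OpenPAM-style auth stack reaches its verdict.

Added illustration, not from the mailing-list post.  It parses pam.d-style
lines and walks the required / requisite / sufficient / optional control
flags the way the PAM library does, so you can see which single module ends
up deciding a login.  SAMPLE_PAM_SSHD is a constructed stack modelled on a
FreeBSD /etc/pam.d/sshd; it is not the poster's file.
"""
import os
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed sample: a FreeBSD-style sshd auth stack with LDAP added and
# pam_ssh.so (authenticates with an SSH key's passphrase) as "sufficient".
SAMPLE_PAM_SSHD = """\
# auth
auth    sufficient  pam_opie.so                 no_warn no_fake_prompts
auth    requisite   pam_opieaccess.so           no_warn allow_local
auth    sufficient  /usr/local/lib/pam_ldap.so  no_warn
auth    sufficient  pam_ssh.so                  no_warn try_first_pass
auth    required    pam_unix.so                 no_warn try_first_pass
"""

CONTROLS = ("required", "requisite", "sufficient", "optional")
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


class Entry(NamedTuple):
    facility: str           # auth / account / session / password
    control: str            # one of CONTROLS
    module: str             # basename only, e.g. pam_ldap.so
    args: Tuple[str, ...]   # module options, e.g. ('no_warn',)


def parse_pam(text: str, facility: str = "auth") -> List[Entry]:
    """Return one facility's entries in stack order; comments and blanks skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable pam.d line: {raw!r}")
        fac, control, module, args = m.groups()
        if control not in CONTROLS:
            raise ValueError(f"unsupported control flag {control!r}: {raw!r}")
        if fac == facility:
            entries.append(Entry(fac, control, os.path.basename(module),
                                 tuple((args or "").split())))
    return entries


def evaluate(stack: List[Entry], results: Dict[str, bool]) -> Tuple[bool, Optional[str]]:
    """Walk the stack given each module's outcome (absent module -> failure).

    Returns (authenticated, deciding_module): the entry that short-circuited
    the walk or caused the failure, or None when every module was consulted
    and the verdict comes from the required ones.  'optional' entries never
    influence the verdict in this model.
    """
    first_required_failure: Optional[str] = None
    required_ok = False
    for e in stack:
        ok = results.get(e.module, False)
        if e.control in ("required", "requisite"):
            if ok:
                required_ok = True
            elif e.control == "requisite":
                return False, e.module                  # abort the stack right here
            elif first_required_failure is None:
                first_required_failure = e.module       # remember, keep walking
        elif e.control == "sufficient" and ok and first_required_failure is None:
            return True, e.module                       # this credential alone logged the user in
    if first_required_failure is not None:
        return False, first_required_failure
    return required_ok, None


def sufficient_auth_modules(stack: List[Entry]) -> List[str]:
    """Each listed module accepts a credential that by itself completes login."""
    return [e.module for e in stack if e.control == "sufficient"]


if __name__ == "__main__":
    stack = parse_pam(SAMPLE_PAM_SSHD)
    print("credentials that alone grant login:", sufficient_auth_modules(stack))
    # Scenario: the LDAP password is wrong but the SSH key passphrase is right.
    print(evaluate(stack, {"pam_opieaccess.so": True, "pam_ssh.so": True}))
```

To check a real file, pass `open("/etc/pam.d/sshd").read()` to `parse_pam` and look at what `sufficient_auth_modules` returns: every module in that list is one whose credential, by itself, logs the user in. The model covers the four classic control flags only; Linux-PAM bracket syntax and OpenPAM's `binding` are rejected rather than guessed at.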

More information about the freebsd-questions mailing list