OpenLDAP/PAM and SSH: some weirdness with ssh-keys

O. Hartmann ohartman at zedat.fu-berlin.de
Mon Nov 26 09:22:35 PST 2007


Hello,
sorry for bothering you, but I'm feeling desperately lost with a problem.

I've got a running OpenLDAP 2.3.39 authentication system on a FreeBSD 7.0 
box, with pam_ldap and nss_ldap (most recent from the ports). My config 
does not look very special, but I think I've messed up something in 
/etc/pam.d or have overlooked a small knob in sshd_config (I am using the 
plain standard sshd_config that comes with the OS).

My users cannot log in without having first run 'ssh-keygen' and 
generated their key with a passphrase! Whenever the key (it doesn't 
matter whether rsa or dsa) is not present, no login is possible, but if 
the key is present, login works fine. However, the passphrase of the key 
remains the password for login; there is no chance to change it with a 
patched passwd.c/passwd() or with tools like LUMA. By the way, I have 
enabled the option 'pam_password crypt' in /usr/local/etc/ldap.conf (for 
both pam_ldap and nss_ldap, linked), but I guess this doesn't help much.

Since ssh login does not work, I will show you my /etc/pam.d/sshd file, 
which looks like this:

=====
#
# $FreeBSD: src/etc/pam.d/sshd,v 1.16 2007/06/10 18:57:20 yar Exp $
#
# PAM configuration for the "sshd" service
#

# auth
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
#auth           sufficient      pam_krb5.so             no_warn try_first_pass
auth            sufficient      /usr/local/lib/pam_ldap.so no_warn try_first_pass
auth            sufficient      pam_ssh.so              no_warn try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass

# account
account         required        pam_nologin.so
#account        required        pam_krb5.so
account         required        pam_login_access.so
account         sufficient      /usr/local/lib/pam_ldap.so
account         required        pam_unix.so

# session
#session        optional        pam_ssh.so
session         required        /usr/local/lib/pam_mkhomedir.so mode=750 skel=/usr/share/skel/
session         required        pam_permit.so

# password
#password       sufficient      pam_krb5.so             no_warn try_first_pass
#password       sufficient      /usr/local/lib/pam_ldap.so use_authtok
password        sufficient      /usr/local/lib/pam_ldap.so try_first_pass
password        required        pam_unix.so             no_warn try_first_pass
========

Sorry for the weird wrapping ...


Does anyone see any problems? I also have the pam_ldap.so line in 
/etc/pam.d/passwd (and /etc/pam.d/system looks similar).

I would like not to have the key passphrase as the password for login.

Thanks in advance,
Oliver
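Added example (not part of the original post or of FreeBSD's own PAM code): a small simulator of the OpenPAM "auth" chain semantics (required, requisite, sufficient, optional, as documented in pam.conf(5)), run over the auth lines of the /etc/pam.d/sshd quoted above. The per-module outcomes (pam_opie failing because the user has no OPIE entry, pam_opieaccess succeeding, pam_unix failing because the LDAP user has no local password, pam_ldap and pam_ssh as parameters) are constructed assumptions chosen to reproduce the symptom described in the post, not observed results; the module outcomes and the helper names are hypothetical. It shows why, with `auth sufficient pam_ssh.so` in the chain, a passphrase-protected key in ~/.ssh becomes an alternative login password that short-circuits the stack, and why dropping that line makes a silently failing pam_ldap visible as a plain login failure.

```python
import os

# "auth" stack copied (with the wrapped lines joined) from the /etc/pam.d/sshd
# in the post, embedded as constructed input so the script runs offline.
SSHD_PAM_CONF = """\
# auth
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
#auth           sufficient      pam_krb5.so             no_warn try_first_pass
auth            sufficient      /usr/local/lib/pam_ldap.so no_warn try_first_pass
auth            sufficient      pam_ssh.so              no_warn try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass
# account
account         required        pam_nologin.so
"""


def parse_auth_stack(conf_text):
    """Return [(control_flag, module_basename), ...] for the 'auth' lines only."""
    stack = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3 or fields[0] != "auth":
            continue
        stack.append((fields[1], os.path.basename(fields[2])))
    return stack


def evaluate_auth_stack(stack, outcomes):
    """Walk the chain as OpenPAM does and return (granted, deciding_module).

    outcomes maps module basename -> True (PAM_SUCCESS) / False (any failure).
      required  : failure is recorded, the chain continues, final result fails
      requisite : failure ends the chain immediately with failure
      sufficient: success ends the chain with success unless an earlier
                  'required' module already failed; failure is ignored
      optional  : result ignored
    """
    failed_required = None
    for flag, module in stack:
        ok = outcomes.get(module, False)
        if flag == "requisite" and not ok:
            return False, module
        if flag == "required" and not ok and failed_required is None:
            failed_required = module
        if flag == "sufficient" and ok and failed_required is None:
            return True, module
    if failed_required is not None:
        return False, failed_required
    return True, None


def scenario(stack, ldap_ok, key_passphrase_ok):
    """Hypothetical per-module results modelled on the situation in the post."""
    outcomes = {
        "pam_opie.so": False,        # assumption: user has no OPIE key
        "pam_opieaccess.so": True,   # assumption: user is not OPIE-restricted
        "pam_ldap.so": ldap_ok,      # does the LDAP bind with the password work?
        "pam_ssh.so": key_passphrase_ok,  # does the password decrypt ~/.ssh key?
        "pam_unix.so": False,        # assumption: no password in master.passwd
    }
    return evaluate_auth_stack(stack, outcomes)


def without_module(stack, module):
    """The same stack with one module line removed (the proposed hardening)."""
    return [(f, m) for f, m in stack if m != module]


if __name__ == "__main__":
    stack = parse_auth_stack(SSHD_PAM_CONF)
    # Symptom from the post: LDAP auth broken, key passphrase typed as password.
    print("key passphrase, ldap broken:", scenario(stack, False, True))
    print("no key, ldap broken:       ", scenario(stack, False, False))
    hardened = without_module(stack, "pam_ssh.so")
    print("pam_ssh removed, ldap broken:", scenario(hardened, False, True))
    print("pam_ssh removed, ldap fixed: ", scenario(hardened, True, False))
```

Reading the output: with the posted stack, a correct key passphrase is enough for `pam_ssh.so` (sufficient) to grant the login before `pam_unix.so` ever runs, which is exactly the observed behaviour, and nothing else in the chain succeeds. With the `pam_ssh.so` auth line removed, the same user is refused by `pam_unix.so`, so a broken pam_ldap setup can no longer hide behind the key passphrase; once the LDAP bind succeeds, `pam_ldap.so` decides the login. The script can be pointed at a real file by replacing `SSHD_PAM_CONF` with the contents of /etc/pam.d/sshd.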

