Working /etc/pam.d/sshd file with pam_ldap 6.3 or 7.0 ?

Frank Bonnet f.bonnet at esiee.fr
Wed Mar 26 08:01:58 PDT 2008 

Hello

After having spent several hours on it I can't have a working
ssh access that use PAM_LDAP on a freebsd 6/7 machine !

I have no problem on a Linux Debian etch box ...

Where are we going if Linux works better than BSD ? :-)


Brian A. Seklecki wrote:
> On Tue, 2008-03-25 at 16:31 +0100, Frank Bonnet wrote:
>> Hello Brian
>>
>> Thanks for the quick answer but I'm still in trouble
> 
> Turn on the debugging flags in the configuration file for pam_ldap
> in /usr/local/etc and watch the console on the system.
> 
> ~BAS
> 
> 
>> we I try to ssh connect to the machine I fall in a loop
>> like the following
>>
>> panzer:~> ssh  xxxxxxx at foo
>> Password:
>> Old Password:
>> Password:
>> Old Password:
>> Password:
>>
>> I am SURE the password I type works
>>
>>
>>
>>
>> Brian A. Seklecki wrote:
>>> The problem is that the PAM libraries provide a shit-fuck-ass-worthless
>>> debug mechanisms.  This only eclipsed by the terribly organized
>>> information on LDAP+NSS+PAM for FreeBSD on the web.
>>>
>>> The file is the same for pam.d/system and /usr/local/etc/pam.d/sudo.
>>> Please put this on the OpenLDAP / PADL Wiki somewhere:
>>>
>>> seklecki at fucksake:/home/seklecki$ more /etc/pam.d/sshd 
>>>
>>>
>>> # $FreeBSD: src/etc/pam.d/sshd,v 1.15 2003/04/30 21:57:54 markm Exp $
>>> #
>>> # PAM configuration for the "sshd" service
>>> #
>>>
>>> # auth
>>> #auth           required        pam_nologin.so          no_warn
>>> #auth           sufficient      pam_opie.so             no_warn
>>> no_fake_prompts
>>> #auth           requisite       pam_opieaccess.so       no_warn
>>> allow_local
>>> #auth           sufficient      pam_krb5.so             no_warn
>>> try_first_pass
>>> #auth           sufficient      pam_ssh.so              no_warn
>>> try_first_pass
>>> auth            sufficient      /usr/local/lib/pam_ldap.so 
>>> auth            required        pam_unix.so             no_warn
>>> try_first_pass
>>>
>>> # account
>>> #account        required        pam_krb5.so
>>> account         required        pam_login_access.so
>>> account         required       /usr/local/lib/pam_ldap.so
>>> ignore_authinfo_unavail ignore_unknown_user
>>> account         required        pam_unix.so
>>>
>>> # session
>>> #session        optional        pam_ssh.so
>>> session         required        pam_permit.so
>>> session         sufficient      /usr/local/lib/pam_ldap.so no_warn
>>> try_first_pass
>>>
>>> # password
>>> #password       sufficient      pam_krb5.so             no_warn
>>> try_first_pass
>>> password        required        pam_unix.so             no_warn
>>> try_first_pass
>>> #password         required      /usr/local/lib/pam_ldap.so no_warn
>>> try_first_pass
>>>
>>>
>>> Also try:
>>>
>>> $ grep -i debug /usr/local/etc/ldap.conf
>>> #debug 1
>>> $ grep -i debug /usr/local/etc/nss_ldap.conf
>>> #debug 1
>>>
>>>
>>> Higher levels for fun.
>>>
>>> ~BAS
>>>
>>>
>>> On Tue, 2008-03-25 at 15:34 +0100, Frank Bonnet wrote:
>>>> Hello
>>>>
>>>> I can't get a working sshd access using pam_ldap and nss_ldap
>>>>
>>>> /etc/nsswitch.conf is OK
>>>>
>>>> but I'm having difficulties to configure pam_ldap for a ssh access
>>>> on a machine ( 6.3 or 7.0 ) ... I have been trying a lot to configure
>>>> the /etc/pam.d/sshd file but haven't any success (sigh!)
>>>>
>>>> Anyone could helps ?
>>>>
>>>> Thanks a lot !
>>>>
>>>>
>>>> _______________________________________________
>>>> freebsd-questions at freebsd.org mailing list
>>>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>>>> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"

More information about the freebsd-questions mailing list