* [gentoo-dev] SSH, PAM, and LDAP
From: Mark Bainter @ 2003-04-21 23:48 UTC
To: gentoo-dev
Ok, I have recently gotten LDAP working for most of the stuff I want it to do,
and proceeded to move authentication to it. In doing so I have discovered that
OpenSSH does not play nice with PAM + LDAP.
From what I have gathered from preliminary google digging, the
privilege separation rewrite broke PAM pretty severely. None of the password
expiry stuff works anymore, and neither does the create home dirs option.
I've already tried simply disabling the PrivSep stuff, but the problem goes
deeper than that, so it doesn't help. Everything else (telnet/ftp/etc) works
fine, it's only ssh that's giving me fits.
I'm sure I'm not the only one with a setup like this. If someone else
on the list is running in a configuration of this nature and has gotten
ssh working, I'd appreciate a pointer to the information that got you past
this.
Thanks.
--
Treat root like a loaded gun. Don't pull it out unless you mean to use it.
If you mean to use it make sure you have a clear target and put it right
back in the holster as soon as you're done.
--
gentoo-dev@gentoo.org mailing list
* Re: [gentoo-dev] SSH, PAM, and LDAP
From: Ryan Henry [mailing list] @ 2003-04-22 12:56 UTC
To: gentoo-dev; +Cc: Mark Bainter
I am using ldap authentication with pam and ssh works fine. I have not
tested the password expiration stuff but I do have the create home
directory working. I also have privilege separation turned off in my
sshd_config. To get this working I added this to /etc/pam.d/system-auth
auth     sufficient /lib/security/pam_ldap.so use_first_pass
account  sufficient /lib/security/pam_ldap.so
password sufficient /lib/security/pam_ldap.so use_authtok
session  required   /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0077
session  optional   /lib/security/pam_ldap.so
Hope that helps,
-Ryan
Mark Bainter wrote:
|Ok, I have recently gotten LDAP working for most of the stuff I want it to do,
|and proceeded to move authentication to it. In doing so I have discovered that
|OpenSSH does not play nice with PAM + LDAP.
|
|privilege separation rewrite broke PAM pretty severely. None of the password
|expiry stuff works anymore, and neither does the create home dirs option.
|
|I've already tried simply disabling the PrivSep stuff, but the problem goes
|deeper than that, so it doesn't help. Everything else (telnet/ftp/etc) works
|fine, it's only ssh that's giving me fits.
|
|I'm sure I'm not the only one with a setup like this. If someone else
|on the list is running in a configuration of this nature and has gotten
|ssh working, I'd appreciate a pointer to the information that got you past
|this.
|
|Thanks.
|
* Re: [gentoo-dev] SSH, PAM, and LDAP
From: Mark Bainter @ 2003-04-22 13:59 UTC
To: Ryan Henry [mailing list]; +Cc: gentoo-dev
Ryan Henry [mailing list] [ryan.henry.ml@EPSIIA.com] wrote:
> I am using ldap authentication with pam and ssh works fine. I have not
> tested the password expiration stuff but I do have the create home
> directory working. I also have privilege separation turned off in my
> sshd_config. To get this working I added this to /etc/pam.d/system-auth
>
> auth     sufficient /lib/security/pam_ldap.so use_first_pass
> account  sufficient /lib/security/pam_ldap.so
> password sufficient /lib/security/pam_ldap.so use_authtok
> session  required   /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0077
> session  optional   /lib/security/pam_ldap.so
>
I wish it did. That's essentially what I have, and I also have
privilege separation turned off. Are you using the shadowAccount
objectClass or just posixAccount?
* Re: [gentoo-dev] SSH, PAM, and LDAP
From: Grant Goodyear @ 2003-04-22 22:07 UTC
To: gentoo-dev
I'm currently working on at least slightly revamping our openldap
ebuilds so that they aren't quite so broken. For those of you who have
successfully installed openldap, what versions are you using? Have you
found any notable bugs or problems (other than the ssh business, which I
haven't come close to looking at yet) that I need to address?
Thanks,
g2boojum
--
Grant Goodyear <g2boojum@gentoo.org>
* Re: [gentoo-dev] SSH, PAM, and LDAP
From: Mark Bainter @ 2003-04-23 1:16 UTC
To: gentoo-dev
Grant Goodyear [g2boojum@gentoo.org] wrote:
> I'm currently working on at least slightly revamping our openldap
> ebuilds so that they aren't quite so broken. For those of you who have
> successfully installed openldap, what versions are you using? Have you
> found any notable bugs or problems (other than the ssh business, which I
> haven't come close to looking at yet) that I need to address?
>
I'm using the current released ebuild. It works fine for me.
FYI, the problem with ssh is not ldap, it's ssh. Telnet, ftp,
etc. all work just fine.
The problem is that the changes for privilege separation in OpenSSH
broke the parts of PAM authentication that require root privileges
to work. For example, dealing with shadow accounts (primarily
surrounding expiry tests) and creating home directories.
There are several bug reports about this in openssh's bugzilla
already. Hopefully they'll get around to fixing it one day. I'm
still digging for a patch to fix this, and if I find one that
works (or write one) I'll pass it along to the openssh ebuild
maintainer.
--
The urge to save humanity is almost always only a false-face for the urge
to rule it.
--H.L. Mencken
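An added example, not code from the thread, from Gentoo or from Linux-PAM: a small Python linter for the kind of /etc/pam.d/system-auth fragment Ryan posted earlier in the thread, which also flags the point Mark makes above about PAM phases that need root privileges. It parses `type control module [args]` lines and reports stacks with no `required`/`requisite` module (the first `sufficient` success ends the phase), a first auth module carrying `use_first_pass` (no earlier module has stored a password for it), a `pam_mkhomedir` umask looser than 0077, and modules that need root. The `NEEDS_ROOT` table and the sample stack are constructed for this example; the sample is Ryan's fragment with its wrapped line joined.

```python
"""Lint a PAM service-file fragment (added example; assumptions are marked)."""
from dataclasses import dataclass, field

PAM_TYPES = ("auth", "account", "password", "session")
PAM_CONTROLS = ("required", "requisite", "sufficient", "optional")

# Assumption for this example: modules that must run as root in the named
# phase (pam_mkhomedir has to create directories under /home).
NEEDS_ROOT = {"pam_mkhomedir.so": "session"}

# Constructed sample: the fragment from Ryan's message, with the wrapped
# pam_mkhomedir line joined back onto one line.
SAMPLE_STACK = """\
auth     sufficient /lib/security/pam_ldap.so use_first_pass
account  sufficient /lib/security/pam_ldap.so
password sufficient /lib/security/pam_ldap.so use_authtok
session  required   /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0077
session  optional   /lib/security/pam_ldap.so
"""


@dataclass
class PamEntry:
    ptype: str
    control: str
    module: str                          # basename, e.g. pam_ldap.so
    args: list = field(default_factory=list)


def parse_pam(text):
    """Parse 'type control module [args...]' lines; '#' starts a comment."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"line {lineno}: expected 'type control module [args]'")
        ptype, control, module, *args = fields
        if ptype not in PAM_TYPES:
            raise ValueError(f"line {lineno}: unknown type {ptype!r}")
        if control not in PAM_CONTROLS:
            raise ValueError(f"line {lineno}: unknown control {control!r}")
        entries.append(PamEntry(ptype, control, module.rsplit("/", 1)[-1], args))
    return entries


def lint(entries):
    """Return a list of (code, message) findings for a parsed stack."""
    findings = []
    for ptype in PAM_TYPES:
        stack = [e for e in entries if e.ptype == ptype]
        if stack and not any(e.control in ("required", "requisite") for e in stack):
            findings.append(("no-required",
                             f"{ptype}: only sufficient/optional modules; the first "
                             "sufficient success ends the phase and nothing below runs"))
    auth = [e for e in entries if e.ptype == "auth"]
    if auth and "use_first_pass" in auth[0].args:
        findings.append(("first-pass-no-token",
                         f"auth: {auth[0].module} has use_first_pass but no earlier "
                         "module collected a password, so it can only fail"))
    for e in entries:
        if e.module == "pam_mkhomedir.so":
            umask = next((a.split("=", 1)[1] for a in e.args if a.startswith("umask=")), None)
            if umask is None or int(umask, 8) != 0o077:   # pam_mkhomedir defaults to 0022
                findings.append(("homedir-umask",
                                 f"session: pam_mkhomedir umask is {umask or 'default 0022'}; "
                                 "new home directories are readable by other users"))
        if NEEDS_ROOT.get(e.module) == e.ptype:
            findings.append(("needs-root",
                             f"{e.ptype}: {e.module} must run as root; it fails if the "
                             "daemon has already dropped privileges at this phase"))
    return findings


if __name__ == "__main__":
    for code, msg in lint(parse_pam(SAMPLE_STACK)):
        print(f"[{code}] {msg}")
```

Run against the sample it reports the three phases built only from `sufficient` entries, the `use_first_pass` on the first auth line (harmless once a `pam_unix` line precedes it in the real file, which Ryan's excerpt does not show), and `pam_mkhomedir` as a session module that needs root, which is exactly the phase the privilege separation discussion above is about.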
* Re: [gentoo-dev] SSH, PAM, and LDAP
From: Grant Goodyear @ 2003-04-23 1:51 UTC
To: FRLinux; +Cc: gentoo-dev
On Tue, 2003-04-22 at 18:22, FRLinux wrote:
> Could that explain broken courier ebuilds? I've been working on these
> for a week now, and mine work fine whereas ebuilds with the same
> options fail on authentication.
Oh, dear. I wish I knew; I'm still pretty new to ldap. Please do file
a bug on it, if you would.
-g2boojum-
--
Grant Goodyear <g2boojum@gentoo.org>