sshd/pam access for users in ldap - "Access denied for this service"

hi-

i'm experimenting with nss-pam-ldapd in concert with the slapd nssov overlay, 
and having a bit of trouble getting my pam configuration to work right.  the 
nss side of things appears to be working well (things like getent, id, etc. all 
return data from ldap), and the pam side of things seems to work to some 
extent, but if i'm correctly interpreting things, fails at the "account" stage 
of the process when logging in via ssh.  currently, i've tried to configure the 
pam sshd settings for ldap only, in hopes of isolating things.  the behavior 
differs a bit when using the correct password vs. an incorrect password, which 
gives me the impression that things are partially working.  i'm using version 
nss-pam-ldapd 0.7.3 and slapd 2.4.18 on ubuntu 9.10.  below is debug output 
from ssh (two sets, comparing correct password with intentionally wrong 
password), and my sshd pam config.  i'm hoping someone might be able to help 
point me in the right direction.

thanks
-ben

#>egrep -v '(^[[:space:]]*#|^[[:space:]]*$)' /etc/pam.d/sshd 
auth            required                        pam_env.so # [1]
auth            required                        pam_env.so envfile=/etc/default/locale
auth            [success=1 default=ignore]      pam_ldap.so #use_first_pass
auth            requisite                       pam_deny.so
auth            required                        pam_permit.so
account         required                        pam_nologin.so
account         [success=1 default=ignore]      pam_ldap.so
account         requisite                       pam_deny.so
account         required                        pam_permit.so
session         [default=1]                     pam_permit.so
session         requisite                       pam_deny.so
session         required                        pam_permit.so
session         required                        pam_unix.so
session         optional                        pam_ldap.so no_warn
session         optional                        pam_motd.so # [1]
session         optional                        pam_mail.so standard noenv # [1]
session         required                        pam_limits.so
password        required                        pam_passwdqc.so min=disabled,16,12,7,6 max=256
password        [success=2 default=ignore]      pam_unix.so obscure md5
password        [success=1 user_unknown=ignore default=die]     pam_ldap.so use_authtok try_first_pass
password        requisite                       pam_deny.so
password        required                        pam_permit.so


sshd -Dddd output (when correct password is used):

debug1: userauth-request for user flash service ssh-connection method password
debug1: attempt 1 failures 0
debug2: input_userauth_request: try method password
debug3: mm_auth_password entering
debug3: mm_request_send entering: type 11
debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
debug3: mm_request_receive_expect entering: type 12
debug3: mm_request_receive entering
debug3: monitor_read: checking request 11
debug3: PAM: sshpam_passwd_conv called with 1 messages
debug1: PAM: password authentication accepted for flash
debug3: mm_answer_authpassword: sending result 1
debug3: mm_request_send entering: type 12
debug3: mm_request_receive_expect entering: type 49
debug3: mm_request_receive entering
debug3: mm_auth_password: user authenticated
debug3: mm_do_pam_account entering
debug3: mm_request_send entering: type 49
debug3: mm_request_receive_expect entering: type 50
debug3: mm_request_receive entering
debug1: do_pam_account: called
debug3: PAM: sshpam_passwd_conv called with 1 messages
debug3: PAM: do_pam_account pam_acct_mgmt = 7 (Authentication failure)
debug3: mm_request_send entering: type 50
Failed password for flash from 192.168.1.123 port 65166 ssh2
debug3: mm_request_receive entering
debug3: mm_do_pam_account returning 0
debug1: userauth_send_banner: sent
Access denied for user flash by PAM account configuration
debug1: do_cleanup
debug3: PAM: sshpam_thread_cleanup entering
debug1: do_cleanup
debug1: PAM: cleanup
debug3: PAM: sshpam_thread_cleanup entering

ssh client output (when correct password is used):

>ssh flash@under
flash@under's password: 
Access denied for this service
Connection closed by 192.168.1.1


sshd -Dddd output (when incorrect password is used):

debug1: userauth-request for user flash service ssh-connection method password
debug1: attempt 1 failures 0
debug2: input_userauth_request: try method password
debug3: mm_auth_password entering
debug3: mm_request_send entering: type 11
debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
debug3: mm_request_receive_expect entering: type 12
debug3: mm_request_receive entering
debug3: monitor_read: checking request 11
debug3: PAM: sshpam_passwd_conv called with 1 messages
debug1: PAM: password authentication failed for flash: Authentication failure
debug3: mm_answer_authpassword: sending result 0
debug3: mm_request_send entering: type 12
Failed password for flash from 192.168.1.123 port 65170 ssh2
debug3: mm_request_receive entering
debug3: mm_auth_password: user not authenticated
Connection closed by 192.168.1.123
debug1: do_cleanup
debug3: PAM: sshpam_thread_cleanup entering
debug1: do_cleanup
debug1: PAM: cleanup
debug3: PAM: sshpam_thread_cleanup entering

ssh client output (when incorrect password is used):

#>ssh flash@under
flash@under's password: 
Permission denied, please try again.
flash@under's password:
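As an added example (not part of Ben's post, and not code from nss-pam-ldapd or Linux-PAM): a small Python simulator of Linux-PAM control-flag semantics that parses the "account" group of the sshd config above and traces why pam_acct_mgmt comes back as 7 (PAM_AUTH_ERR) when pam_ldap's account check fails. The module return codes fed into it are assumptions chosen to match the log, not results obtained from the real modules.

```python
import re

# Return codes from <security/_pam_types.h>; names match the [value=action] syntax.
PAM_SUCCESS, PAM_PERM_DENIED, PAM_AUTH_ERR, PAM_USER_UNKNOWN = 0, 6, 7, 10
CODES = {0: "success", 6: "perm_denied", 7: "auth_err", 10: "user_unknown"}
SIMPLE = {  # classic control keywords written as their [value=action] equivalents
    "required": {"success": "ok", "default": "bad"},
    "requisite": {"success": "ok", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional": {"success": "ok", "default": "ignore"},
}

# Constructed input: the "account" group copied from the /etc/pam.d/sshd listing above.
SSHD_PAM = """
account         required                        pam_nologin.so
account         [success=1 default=ignore]      pam_ldap.so
account         requisite                       pam_deny.so
account         required                        pam_permit.so
"""

def parse_stack(text, group):
    """Return [(module, {value: action})] for one management group of a pam.d file."""
    stack = []
    for line in text.splitlines():
        m = re.match(r"\s*(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)", line.split("#")[0])
        if m and m.group(1) == group:
            ctl = m.group(2)
            actions = (dict(kv.split("=", 1) for kv in ctl[1:-1].split())
                       if ctl.startswith("[") else SIMPLE[ctl])
            stack.append((m.group(3), actions))
    return stack

def run_stack(stack, results):
    """Walk the stack as Linux-PAM does; results maps module name -> return code."""
    status, i = None, 0            # None: no module has contributed a result yet
    while i < len(stack):
        module, actions = stack[i]
        rc = results.get(module, PAM_SUCCESS)   # assumed: unlisted modules succeed
        action = actions.get(CODES.get(rc, ""), actions.get("default", "bad"))
        i += 1
        if action == "ignore":     # result not contributed; e.g. pam_ldap failing above
            continue
        if action.isdigit():       # "N": like ok, then skip the next N modules
            i, action = i + int(action), "ok"
        if status in (None, PAM_SUCCESS):   # first failure wins; ok never overrides it
            status = rc
        if action in ("done", "die"):       # requisite failure stops the stack here
            break
    return PAM_PERM_DENIED if status is None else status   # Linux-PAM denies if nothing contributed

def account_result(results):
    return run_stack(parse_stack(SSHD_PAM, "account"), results)
```

With pam_ldap returning PAM_AUTH_ERR its `default=ignore` skips the `success=1` jump, so the `requisite pam_deny.so` line is reached and ends the stack with 7; when pam_ldap succeeds the jump lands on pam_permit and the stack returns 0.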
