Re: sshd/pam access for users in ldap - "Access denied for this service"
[
Date Prev][
Date Next]
[
Thread Prev][
Thread Next]
Re: sshd/pam access for users in ldap - "Access denied for this service"
- From: Chris Breneman <crispy [at] cluenet.org>
- To: ben thielsen <btb [at] bitrate.net>
- Cc: nss-pam-ldapd-users <nss-pam-ldapd-users [at] lists.arthurdejong.org>
- Subject: Re: sshd/pam access for users in ldap - "Access denied for this service"
- Date: Tue, 09 Mar 2010 22:59:04 -0600
Up until recently, there was a bug in nssov. The bug exists up through
OpenLDAP 2.4.21. It is currently fixed in the OpenLDAP CVS. If you
want, you can get the OpenLDAP CVS and copy the nssov directory from it
into the nssov directory of release 2.4.21 - they're currently
compatible.
Chris Breneman
On Tue, 2010-03-09 at 21:41 -0500, ben thielsen wrote:
> hi-
>
> i'm experimenting with nss-pam-ldapd in concert with the slapd nnsov overlay,
> and having a bit of trouble getting my pam configuration to work right. the
> nss side of things appears to be working well (things like getent, id, etc
> all return data from ldap), and the pam side of things seems to work to some
> extent, but if i'm correctly interpreting things, fails at the "account"
> stage of the process when logging in via ssh. currently, i've tried to
> configure the pam sshd settings for ldap only, in hopes of isolating things.
> the behavior differs a bit when using the correct password vs. an incorrect
> password, which gives me the impression that things are partially working.
> i'm using version nss-pam-ldapd 0.7.3 and slapd 2.4.18 on ubuntu 9.10. below
> is debug output from ssh (two sets, comparing correct password with
> intentionally wrong password), and my sshd pam config. i'm hoping someone
> might be able to help point me in the right direction.
>
> thanks
> -ben
>
> #>egrep -v '(^[[:space:]]*#|^[[:space:]]*$)' /etc/pam.d/sshd
> auth required pam_env.so # [1]
> auth required pam_env.so
> envfile=/etc/default/locale
> auth [success=1 default=ignore] pam_ldap.so #use_first_pass
> auth requisite pam_deny.so
> auth required pam_permit.so
> account required pam_nologin.so
> account [success=1 default=ignore] pam_ldap.so
> account requisite pam_deny.so
> account required pam_permit.so
> session [default=1] pam_permit.so
> session requisite pam_deny.so
> session required pam_permit.so
> session required pam_unix.so
> session optional pam_ldap.so no_warn
> session optional pam_motd.so # [1]
> session optional pam_mail.so standard
> noenv # [1]
> session required pam_limits.so
> password required pam_passwdqc.so
> min=disabled,16,12,7,6 max=256
> password [success=2 default=ignore] pam_unix.so obscure md5
> password [success=1 user_unknown=ignore default=die] pam_ldap.so
> use_authtok try_first_pass
> password requisite pam_deny.so
> password required pam_permit.so
>
>
> sshd -Dddd output (when correct password is used):
>
> debug1: userauth-request for user flash service ssh-connection method password
> debug1: attempt 1 failures 0
> debug2: input_userauth_request: try method password
> debug3: mm_auth_password entering
> debug3: mm_request_send entering: type 11
> debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
> debug3: mm_request_receive_expect entering: type 12
> debug3: mm_request_receive entering
> debug3: monitor_read: checking request 11
> debug3: PAM: sshpam_passwd_conv called with 1 messages
> debug1: PAM: password authentication accepted for flash
> debug3: mm_answer_authpassword: sending result 1
> debug3: mm_request_send entering: type 12
> debug3: mm_request_receive_expect entering: type 49
> debug3: mm_request_receive entering
> debug3: mm_auth_password: user authenticated
> debug3: mm_do_pam_account entering
> debug3: mm_request_send entering: type 49
> debug3: mm_request_receive_expect entering: type 50
> debug3: mm_request_receive entering
> debug1: do_pam_account: called
> debug3: PAM: sshpam_passwd_conv called with 1 messages
> debug3: PAM: do_pam_account pam_acct_mgmt = 7 (Authentication failure)
> debug3: mm_request_send entering: type 50
> Failed password for flash from 192.168.1.123 port 65166 ssh2
> debug3: mm_request_receive entering
> debug3: mm_do_pam_account returning 0
> debug1: userauth_send_banner: sent
> Access denied for user flash by PAM account configuration
> debug1: do_cleanup
> debug3: PAM: sshpam_thread_cleanup entering
> debug1: do_cleanup
> debug1: PAM: cleanup
> debug3: PAM: sshpam_thread_cleanup entering
>
> ssh client output (when correct password is used):
>
> >ssh flash@under
> flash@under's password:
> Access denied for this service
> Connection closed by 192.168.1.1
>
>
> sshd -Dddd output (when incorrect password is used):
>
> debug1: userauth-request for user flash service ssh-connection method password
> debug1: attempt 1 failures 0
> debug2: input_userauth_request: try method password
> debug3: mm_auth_password entering
> debug3: mm_request_send entering: type 11
> debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
> debug3: mm_request_receive_expect entering: type 12
> debug3: mm_request_receive entering
> debug3: monitor_read: checking request 11
> debug3: PAM: sshpam_passwd_conv called with 1 messages
> debug1: PAM: password authentication failed for flash: Authentication failure
> debug3: mm_answer_authpassword: sending result 0
> debug3: mm_request_send entering: type 12
> Failed password for flash from 192.168.1.123 port 65170 ssh2
> debug3: mm_request_receive entering
> debug3: mm_auth_password: user not authenticated
> Connection closed by 192.168.1.123
> debug1: do_cleanup
> debug3: PAM: sshpam_thread_cleanup entering
> debug1: do_cleanup
> debug1: PAM: cleanup
> debug3: PAM: sshpam_thread_cleanup entering
>
> ssh client output (when incorrect password is used):
>
> #>ssh flash@under
> flash@under's password:
> Permission denied, please try again.
> flash@under's password:
>
--
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users
