Re: sshd/pam access for users in ldap - "Access denied for this service"


Up until recently, there was a bug in nssov.  The bug exists up through
OpenLDAP 2.4.21.  It is currently fixed in the OpenLDAP CVS.  If you
want, you can get the OpenLDAP CVS and copy the nssov directory from it
into the nssov directory of release 2.4.21 - they're currently
compatible.

Chris Breneman

On Tue, 2010-03-09 at 21:41 -0500, ben thielsen wrote:
> hi-
> 
> i'm experimenting with nss-pam-ldapd in concert with the slapd nssov overlay, 
> and having a bit of trouble getting my pam configuration to work right.  the 
> nss side of things appears to be working well (things like getent, id, etc 
> all return data from ldap), and the pam side of things seems to work to some 
> extent, but if i'm correctly interpreting things, fails at the "account" 
> stage of the process when logging in via ssh.  currently, i've tried to 
> configure the pam sshd settings for ldap only, in hopes of isolating things.  
> the behavior differs a bit when using the correct password vs. an incorrect 
> password, which gives me the impression that things are partially working.  
> i'm using version nss-pam-ldapd 0.7.3 and slapd 2.4.18 on ubuntu 9.10.  below 
> is debug output from ssh (two sets, comparing correct password with 
> intentionally wrong password), and my sshd pam config.  i'm hoping someone 
> might be able to help point me in the right direction.
> 
> thanks
> -ben
> 
> #>egrep -v '(^[[:space:]]*#|^[[:space:]]*$)' /etc/pam.d/sshd
> auth      required                        pam_env.so # [1]
> auth      required                        pam_env.so envfile=/etc/default/locale
> auth      [success=1 default=ignore]      pam_ldap.so #use_first_pass
> auth      requisite                       pam_deny.so
> auth      required                        pam_permit.so
> account   required                        pam_nologin.so
> account   [success=1 default=ignore]      pam_ldap.so
> account   requisite                       pam_deny.so
> account   required                        pam_permit.so
> session   [default=1]                     pam_permit.so
> session   requisite                       pam_deny.so
> session   required                        pam_permit.so
> session   required                        pam_unix.so
> session   optional                        pam_ldap.so no_warn
> session   optional                        pam_motd.so # [1]
> session   optional                        pam_mail.so standard noenv # [1]
> session   required                        pam_limits.so
> password  required                        pam_passwdqc.so min=disabled,16,12,7,6 max=256
> password  [success=2 default=ignore]      pam_unix.so obscure md5
> password  [success=1 user_unknown=ignore default=die]     pam_ldap.so use_authtok try_first_pass
> password  requisite                       pam_deny.so
> password  required                        pam_permit.so
> 
> 
> sshd -Dddd output (when correct password is used):
> 
> debug1: userauth-request for user flash service ssh-connection method password
> debug1: attempt 1 failures 0
> debug2: input_userauth_request: try method password
> debug3: mm_auth_password entering
> debug3: mm_request_send entering: type 11
> debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
> debug3: mm_request_receive_expect entering: type 12
> debug3: mm_request_receive entering
> debug3: monitor_read: checking request 11
> debug3: PAM: sshpam_passwd_conv called with 1 messages
> debug1: PAM: password authentication accepted for flash
> debug3: mm_answer_authpassword: sending result 1
> debug3: mm_request_send entering: type 12
> debug3: mm_request_receive_expect entering: type 49
> debug3: mm_request_receive entering
> debug3: mm_auth_password: user authenticated
> debug3: mm_do_pam_account entering
> debug3: mm_request_send entering: type 49
> debug3: mm_request_receive_expect entering: type 50
> debug3: mm_request_receive entering
> debug1: do_pam_account: called
> debug3: PAM: sshpam_passwd_conv called with 1 messages
> debug3: PAM: do_pam_account pam_acct_mgmt = 7 (Authentication failure)
> debug3: mm_request_send entering: type 50
> Failed password for flash from 192.168.1.123 port 65166 ssh2
> debug3: mm_request_receive entering
> debug3: mm_do_pam_account returning 0
> debug1: userauth_send_banner: sent
> Access denied for user flash by PAM account configuration
> debug1: do_cleanup
> debug3: PAM: sshpam_thread_cleanup entering
> debug1: do_cleanup
> debug1: PAM: cleanup
> debug3: PAM: sshpam_thread_cleanup entering
> 
> ssh client output (when correct password is used):
> 
> >ssh flash@under
> flash@under's password: 
> Access denied for this service
> Connection closed by 192.168.1.1
> 
> 
> sshd -Dddd output (when incorrect password is used):
> 
> debug1: userauth-request for user flash service ssh-connection method password
> debug1: attempt 1 failures 0
> debug2: input_userauth_request: try method password
> debug3: mm_auth_password entering
> debug3: mm_request_send entering: type 11
> debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
> debug3: mm_request_receive_expect entering: type 12
> debug3: mm_request_receive entering
> debug3: monitor_read: checking request 11
> debug3: PAM: sshpam_passwd_conv called with 1 messages
> debug1: PAM: password authentication failed for flash: Authentication failure
> debug3: mm_answer_authpassword: sending result 0
> debug3: mm_request_send entering: type 12
> Failed password for flash from 192.168.1.123 port 65170 ssh2
> debug3: mm_request_receive entering
> debug3: mm_auth_password: user not authenticated
> Connection closed by 192.168.1.123
> debug1: do_cleanup
> debug3: PAM: sshpam_thread_cleanup entering
> debug1: do_cleanup
> debug1: PAM: cleanup
> debug3: PAM: sshpam_thread_cleanup entering
> 
> ssh client output (when incorrect password is used):
> 
> #>ssh flash@under
> flash@under's password: 
> Permission denied, please try again.
> flash@under's password:
> 
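The two sshd -Dddd sessions quoted above differ in which PAM stage rejects the login: with the correct password the "auth" stage accepts the user and pam_acct_mgmt() returns 7, with the wrong password the "auth" stage itself fails. The line "Failed password for flash ..." appears in both, so on its own it cannot tell the two apart. The script below is an added example (it is not from this thread, from nss-pam-ldapd or from OpenSSH) that triages such debug output and decodes the numeric pam_acct_mgmt() result using Linux-PAM's return-code values; the two log samples are constructed, abbreviated copies of the excerpts quoted in the post.

```python
"""Triage sshd -Dddd output: did the login die in PAM's "auth" stage or in
its "account" stage, and what did pam_acct_mgmt() return?

Added example, not part of the original thread. The log samples are
constructed, abbreviated copies of the sshd debug excerpts quoted in the post.
The numeric codes are Linux-PAM's return values (<security/_pam_types.h>).
"""
import re

# Linux-PAM return codes likely to appear in "do_pam_account pam_acct_mgmt = N".
PAM_CODES = {
    0: "PAM_SUCCESS",
    6: "PAM_PERM_DENIED",
    7: "PAM_AUTH_ERR",
    9: "PAM_AUTHINFO_UNAVAIL",
    10: "PAM_USER_UNKNOWN",
    12: "PAM_NEW_AUTHTOK_REQD",
    13: "PAM_ACCT_EXPIRED",
}

# The user name is followed by ":" in the failure message, hence [^\s:]+.
AUTH_OK = re.compile(r"PAM: password authentication accepted for ([^\s:]+)")
AUTH_FAIL = re.compile(r"PAM: password authentication failed for ([^\s:]+)")
ACCT_RC = re.compile(r"do_pam_account pam_acct_mgmt = (\d+)")


def triage(log: str) -> dict:
    """Classify one sshd debug session.

    Returns the user name, the auth-stage outcome, the raw and symbolic
    pam_acct_mgmt() result, and which stage rejected the login
    ("auth", "account", or None when the log shows no PAM rejection).
    Note that "Failed password for ..." is logged in both cases, so it is
    deliberately not used to decide anything.
    """
    info = {"user": None, "auth": None, "acct_rc": None,
            "acct_name": None, "stage_failed": None}
    for line in log.splitlines():
        if m := AUTH_OK.search(line):
            info["user"], info["auth"] = m.group(1), "accepted"
        elif m := AUTH_FAIL.search(line):
            info["user"], info["auth"] = m.group(1), "failed"
        elif m := ACCT_RC.search(line):
            rc = int(m.group(1))
            info["acct_rc"] = rc
            info["acct_name"] = PAM_CODES.get(rc, f"unknown({rc})")
    if info["auth"] == "failed":
        info["stage_failed"] = "auth"
    elif info["acct_rc"] not in (None, 0):
        # Credentials were accepted; the account stack refused the login.
        info["stage_failed"] = "account"
    return info


def explain(info: dict) -> str:
    """One-line hint telling the admin which PAM stack to inspect."""
    if info["stage_failed"] == "auth":
        return (f"auth stage rejected {info['user']}: wrong password or the "
                f"'auth' lines of the PAM service file")
    if info["stage_failed"] == "account":
        return (f"auth stage accepted {info['user']} but pam_acct_mgmt() "
                f"returned {info['acct_rc']} ({info['acct_name']}): inspect "
                f"the 'account' lines, not the credentials")
    return "no PAM rejection found in this log"


# Constructed, abbreviated copies of the two debug sessions quoted above.
LOG_CORRECT_PASSWORD = """\
debug1: userauth-request for user flash service ssh-connection method password
debug3: PAM: sshpam_passwd_conv called with 1 messages
debug1: PAM: password authentication accepted for flash
debug3: mm_auth_password: user authenticated
debug1: do_pam_account: called
debug3: PAM: do_pam_account pam_acct_mgmt = 7 (Authentication failure)
Failed password for flash from 192.168.1.123 port 65166 ssh2
Access denied for user flash by PAM account configuration
"""

LOG_WRONG_PASSWORD = """\
debug1: userauth-request for user flash service ssh-connection method password
debug3: PAM: sshpam_passwd_conv called with 1 messages
debug1: PAM: password authentication failed for flash: Authentication failure
Failed password for flash from 192.168.1.123 port 65170 ssh2
debug3: mm_auth_password: user not authenticated
"""

if __name__ == "__main__":
    for name, log in (("correct password", LOG_CORRECT_PASSWORD),
                      ("wrong password", LOG_WRONG_PASSWORD)):
        print(f"{name}: {explain(triage(log))}")
```

Run it as a script to see the two verdicts, or feed it a captured `sshd -Dddd` transcript via `triage(open(path).read())`. The useful part for the case above is the split between the two stages: a non-zero pam_acct_mgmt() result after an accepted password points at the account lines of /etc/pam.d/sshd (and at whatever pam_ldap/nssov returns there), not at the password.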


--
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users