Re: sshd/pam access for users in ldap - "Access denied for this service"


to offer some closure for this topic -

i've sorted out my remaining issues - ultimately, after building the nssov 
overlay from head, there were acl issues which were allowing my test user to 
perform the compare operation on the authorizedservice attribute when i wasn't 
expecting it.

i'm using the ubuntu slapd 2.4.21 package, along with the nssov overlay built 
from cvs head.  alternating between the two versions of the overlay 
confirmed the issues regarding pam and its account config existed in 2.4.21, 
and are fixed in cvs head (at least as of 2010.05.09, when i built it).  i'm 
using the 0.7.6 nss-pam-ldapd stub libraries.

regards
-ben

On May 09, 2010, at 21.23, ben thielsen wrote:

> after being sidetracked for a bit, i've had a chance to revisit this - thanks 
> for the suggestion.  i was able to successfully build the nssov overlay from 
> head with 2.4.21 as you suggest, and it appears to function, but i'm still 
> seeing the same behavior.  where can i look next?
> 
> -ben
> 
> On Mar 09, 2010, at 23.59, Chris Breneman wrote:
> 
>> Up until recently, there was a bug in nssov.  The bug exists up through
>> OpenLDAP 2.4.21.  It is currently fixed in the OpenLDAP CVS.  If you
>> want, you can get the OpenLDAP CVS and copy the nssov directory from it
>> into the nssov directory of release 2.4.21 - they're currently
>> compatible.
>> 
>> Chris Breneman
>> 
>> On Tue, 2010-03-09 at 21:41 -0500, ben thielsen wrote:
>>> hi-
>>> 
>>> i'm experimenting with nss-pam-ldapd in concert with the slapd nssov 
>>> overlay, and having a bit of trouble getting my pam configuration to work 
>>> right.  the nss side of things appears to be working well (things like 
>>> getent, id, etc all return data from ldap), and the pam side of things 
>>> seems to work to some extent, but if i'm correctly interpreting things, 
>>> fails at the "account" stage of the process when logging in via ssh.  
>>> currently, i've tried to configure the pam sshd settings for ldap only, in 
>>> hopes of isolating things.  the behavior differs a bit when using the 
>>> correct password vs. an incorrect password, which gives me the impression 
>>> that things are partially working.  i'm using version nss-pam-ldapd 0.7.3 
>>> and slapd 2.4.18 on ubuntu 9.10.  below is debug output from ssh (two sets, 
>>> comparing correct password with intentionally wrong password), and my sshd 
>>> pam config.  i'm hoping someone might be able to help point me in the right 
>>> direction.
>>> 
>>> thanks
>>> -ben
>>> 
>>> #>egrep -v '(^[[:space:]]*#|^[[:space:]]*$)' /etc/pam.d/sshd 
>>> auth                required                        pam_env.so # [1]
>>> auth                required                        pam_env.so envfile=/etc/default/locale
>>> auth                [success=1 default=ignore]      pam_ldap.so #use_first_pass
>>> auth                requisite                       pam_deny.so
>>> auth                required                        pam_permit.so
>>> account             required                        pam_nologin.so
>>> account             [success=1 default=ignore]      pam_ldap.so
>>> account             requisite                       pam_deny.so
>>> account             required                        pam_permit.so
>>> session             [default=1]                     pam_permit.so
>>> session             requisite                       pam_deny.so
>>> session             required                        pam_permit.so
>>> session             required                        pam_unix.so
>>> session             optional                        pam_ldap.so no_warn
>>> session             optional                        pam_motd.so # [1]
>>> session             optional                        pam_mail.so standard noenv # [1]
>>> session             required                        pam_limits.so
>>> password        required                        pam_passwdqc.so min=disabled,16,12,7,6 max=256
>>> password        [success=2 default=ignore]      pam_unix.so obscure md5
>>> password        [success=1 user_unknown=ignore default=die]     pam_ldap.so use_authtok try_first_pass
>>> password        requisite                       pam_deny.so
>>> password        required                        pam_permit.so
>>> 
>>> 
>>> sshd -Dddd output (when correct password is used):
>>> 
>>> debug1: userauth-request for user flash service ssh-connection method password
>>> debug1: attempt 1 failures 0
>>> debug2: input_userauth_request: try method password
>>> debug3: mm_auth_password entering
>>> debug3: mm_request_send entering: type 11
>>> debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
>>> debug3: mm_request_receive_expect entering: type 12
>>> debug3: mm_request_receive entering
>>> debug3: monitor_read: checking request 11
>>> debug3: PAM: sshpam_passwd_conv called with 1 messages
>>> debug1: PAM: password authentication accepted for flash
>>> debug3: mm_answer_authpassword: sending result 1
>>> debug3: mm_request_send entering: type 12
>>> debug3: mm_request_receive_expect entering: type 49
>>> debug3: mm_request_receive entering
>>> debug3: mm_auth_password: user authenticated
>>> debug3: mm_do_pam_account entering
>>> debug3: mm_request_send entering: type 49
>>> debug3: mm_request_receive_expect entering: type 50
>>> debug3: mm_request_receive entering
>>> debug1: do_pam_account: called
>>> debug3: PAM: sshpam_passwd_conv called with 1 messages
>>> debug3: PAM: do_pam_account pam_acct_mgmt = 7 (Authentication failure)
>>> debug3: mm_request_send entering: type 50
>>> Failed password for flash from 192.168.1.123 port 65166 ssh2
>>> debug3: mm_request_receive entering
>>> debug3: mm_do_pam_account returning 0
>>> debug1: userauth_send_banner: sent
>>> Access denied for user flash by PAM account configuration
>>> debug1: do_cleanup
>>> debug3: PAM: sshpam_thread_cleanup entering
>>> debug1: do_cleanup
>>> debug1: PAM: cleanup
>>> debug3: PAM: sshpam_thread_cleanup entering
>>> 
>>> ssh client output (when correct password is used):
>>> 
>>>> ssh flash@under
>>> flash@under's password: 
>>> Access denied for this service
>>> Connection closed by 192.168.1.1
>>> 
>>> 
>>> sshd -Dddd output (when incorrect password is used):
>>> 
>>> debug1: userauth-request for user flash service ssh-connection method password
>>> debug1: attempt 1 failures 0
>>> debug2: input_userauth_request: try method password
>>> debug3: mm_auth_password entering
>>> debug3: mm_request_send entering: type 11
>>> debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
>>> debug3: mm_request_receive_expect entering: type 12
>>> debug3: mm_request_receive entering
>>> debug3: monitor_read: checking request 11
>>> debug3: PAM: sshpam_passwd_conv called with 1 messages
>>> debug1: PAM: password authentication failed for flash: Authentication failure
>>> debug3: mm_answer_authpassword: sending result 0
>>> debug3: mm_request_send entering: type 12
>>> Failed password for flash from 192.168.1.123 port 65170 ssh2
>>> debug3: mm_request_receive entering
>>> debug3: mm_auth_password: user not authenticated
>>> Connection closed by 192.168.1.123
>>> debug1: do_cleanup
>>> debug3: PAM: sshpam_thread_cleanup entering
>>> debug1: do_cleanup
>>> debug1: PAM: cleanup
>>> debug3: PAM: sshpam_thread_cleanup entering
>>> 
>>> ssh client output (when incorrect password is used):
>>> 
>>> #>ssh flash@under
>>> flash@under's password: 
>>> Permission denied, please try again.
>>> flash@under's password:
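The "pam_acct_mgmt = 7 (Authentication failure)" in the sshd debug output above follows directly from the account stack in the quoted /etc/pam.d/sshd: pam_ldap.so is wrapped in [success=1 default=ignore], so any non-success from it is discarded and the next line, "account requisite pam_deny.so", ends the stack with a failure. The script below is an added example (not from this thread and not part of nss-pam-ldapd or OpenLDAP) that parses those four account lines and walks them under the pam.conf(5) control semantics. Its module outcomes are assumptions for the demonstration: pam_nologin.so and pam_permit.so succeed, and pam_deny.so is modelled as returning PAM_AUTH_ERR (7) from its account hook, which is the value sshd logged.

```python
"""Walk a Linux-PAM module stack under the [value=action] control syntax to show
why the posted 'account' stack ends in "Access denied" whenever pam_ldap.so
returns anything but success.  Added example, not code from the thread; the
keyword tables follow pam.conf(5) and the module outcomes below are assumed."""
import re
from typing import Dict, List, Tuple

SUCCESS, PERM_DENIED, AUTH_ERR, USER_UNKNOWN = "success", "perm_denied", "auth_err", "user_unknown"

# pam.conf(5): the simple keywords are shorthand for these action tables.
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

# Constructed from the /etc/pam.d/sshd lines quoted in the thread (account group only).
SSHD_ACCOUNT_CONFIG = """
account             required                        pam_nologin.so
account             [success=1 default=ignore]      pam_ldap.so
account             requisite                       pam_deny.so
account             required                        pam_permit.so
"""

LINE_RE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)(.*)$")


def parse_stack(text: str, mtype: str) -> List[Tuple[str, Dict[str, str]]]:
    """Return [(module, action_table)] for one management group of a pam.d file."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments such as '# [1]'
        m = LINE_RE.match(line)
        if not m or m.group(1) != mtype:
            continue
        control, module = m.group(2), m.group(3)
        if control.startswith("["):
            table = dict(kv.split("=", 1) for kv in control[1:-1].split())
        else:
            table = KEYWORDS[control]
        stack.append((module, table))
    return stack


def simulate(stack: List[Tuple[str, Dict[str, str]]], outcomes: Dict[str, str]) -> Tuple[str, List[str]]:
    """Apply the pam.conf(5) actions to each module's (assumed) return value.

    `outcomes` maps module name -> return value name; unlisted modules succeed.
    Returns (what pam_acct_mgmt would return, a per-module trace)."""
    status = None            # the stack's current verdict; None = nothing contributed yet
    trace = []
    i = 0
    while i < len(stack):
        module, table = stack[i]
        ret = outcomes.get(module, SUCCESS)
        action = table.get(ret, table.get("default", "bad"))   # unlisted value: treated as bad
        trace.append(f"{module} -> {ret}: {action}")
        i += 1
        if action == "ignore":
            continue
        if action == "reset":
            status = None
            continue
        # ok / done / bad / die / N: a failure overrides an earlier success,
        # but a later success never hides an earlier failure.
        if status in (None, SUCCESS):
            status = ret
        if action == "done" and status == SUCCESS:
            break                                   # sufficient: stop early on success
        if action == "die":
            break                                   # requisite: stop immediately
        if action.isdigit():
            i += int(action)                        # jump over the next N modules
    return (status if status is not None else PERM_DENIED), trace


def account_result(ldap_return: str) -> str:
    """Verdict of the posted account stack when pam_ldap.so returns `ldap_return`."""
    stack = parse_stack(SSHD_ACCOUNT_CONFIG, "account")
    # Assumed outcomes: pam_deny.so's account hook fails with PAM_AUTH_ERR (7),
    # pam_nologin.so and pam_permit.so succeed.
    result, _ = simulate(stack, {"pam_ldap.so": ldap_return, "pam_deny.so": AUTH_ERR})
    return result


if __name__ == "__main__":
    stack = parse_stack(SSHD_ACCOUNT_CONFIG, "account")
    for ldap in (SUCCESS, AUTH_ERR, USER_UNKNOWN):
        result, trace = simulate(stack, {"pam_ldap.so": ldap, "pam_deny.so": AUTH_ERR})
        print(f"pam_ldap.so returns {ldap:13} => pam_acct_mgmt = {result}")
        for step in trace:
            print("   ", step)
```

Running it shows the two paths: when pam_ldap.so succeeds, the jump of 1 skips pam_deny.so and pam_permit.so closes the stack with success; any other value (auth_err, user_unknown, ...) is ignored and pam_deny.so's requisite failure is what sshd reports as "Access denied for user ... by PAM account configuration". The stack itself is doing what it was written to do, which is why the thread's resolution lay on the LDAP side (the nssov overlay version and the ACL on the authorizedService compare) rather than in /etc/pam.d/sshd.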
--
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users