Re: sshd/pam access for users in ldap - "Access denied for this service"
- From: ben thielsen <btb [at] bitrate.net>
- To: nss-pam-ldapd-users <nss-pam-ldapd-users [at] lists.arthurdejong.org>
- Subject: Re: sshd/pam access for users in ldap - "Access denied for this service"
- Date: Sun, 27 Jun 2010 00:29:46 -0400
to offer some closure for this topic -
i've sorted out my remaining issues - ultimately, after building the nssov
overlay from head, there were acl issues which were allowing my test user to
perform the compare operation on the authorizedservice attribute when i wasn't
expecting it.
i'm using the ubuntu slapd 2.4.21 package, along with the nssov overlay built
from cvs head. alternating between the two versions of the overlay
confirmed the issues regarding pam and its account config existed in 2.4.21,
and are fixed in cvs head (at least as of 2010.05.09, when i built it). i'm
using the 0.7.6 nss-pam-ldapd stub libraries.
regards
-ben
On May 09, 2010, at 21.23, ben thielsen wrote:
> after being sidetracked for a bit, i've had a chance to revisit this - thanks
> for the suggestion. i was able to successfully build the nssov overlay from
> head with 2.4.21 as you suggest, and it appears to function, but i'm still
> seeing the same behavior. where can i look next?
>
> -ben
>
> On Mar 09, 2010, at 23.59, Chris Breneman wrote:
>
>> Up until recently, there was a bug in nssov. The bug exists up through
>> OpenLDAP 2.4.21. It is currently fixed in the OpenLDAP CVS. If you
>> want, you can get the OpenLDAP CVS and copy the nssov directory from it
>> into the nssov directory of release 2.4.21 - they're currently
>> compatible.
>>
>> Chris Breneman
>>
>> On Tue, 2010-03-09 at 21:41 -0500, ben thielsen wrote:
>>> hi-
>>>
>>> i'm experimenting with nss-pam-ldapd in concert with the slapd nssov
>>> overlay, and having a bit of trouble getting my pam configuration to work
>>> right. the nss side of things appears to be working well (things like
>>> getent, id, etc all return data from ldap), and the pam side of things
>>> seems to work to some extent, but if i'm correctly interpreting things,
>>> fails at the "account" stage of the process when logging in via ssh.
>>> currently, i've tried to configure the pam sshd settings for ldap only, in
>>> hopes of isolating things. the behavior differs a bit when using the
>>> correct password vs. an incorrect password, which gives me the impression
>>> that things are partially working. i'm using version nss-pam-ldapd 0.7.3
>>> and slapd 2.4.18 on ubuntu 9.10. below is debug output from ssh (two sets,
>>> comparing correct password with intentionally wrong password), and my sshd
>>> pam config. i'm hoping someone might be able to help point me in the right
>>> direction.
>>>
>>> thanks
>>> -ben
>>>
>>> #>egrep -v '(^[[:space:]]*#|^[[:space:]]*$)' /etc/pam.d/sshd
>>> auth required pam_env.so # [1]
>>> auth required pam_env.so envfile=/etc/default/locale
>>> auth [success=1 default=ignore] pam_ldap.so #use_first_pass
>>> auth requisite pam_deny.so
>>> auth required pam_permit.so
>>> account required pam_nologin.so
>>> account [success=1 default=ignore] pam_ldap.so
>>> account requisite pam_deny.so
>>> account required pam_permit.so
>>> session [default=1] pam_permit.so
>>> session requisite pam_deny.so
>>> session required pam_permit.so
>>> session required pam_unix.so
>>> session optional pam_ldap.so no_warn
>>> session optional pam_motd.so # [1]
>>> session optional pam_mail.so standard noenv # [1]
>>> session required pam_limits.so
>>> password required pam_passwdqc.so min=disabled,16,12,7,6 max=256
>>> password [success=2 default=ignore] pam_unix.so obscure md5
>>> password [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass
>>> password requisite pam_deny.so
>>> password required pam_permit.so
>>>
>>>
>>> sshd -Dddd output (when correct password is used):
>>>
>>> debug1: userauth-request for user flash service ssh-connection method password
>>> debug1: attempt 1 failures 0
>>> debug2: input_userauth_request: try method password
>>> debug3: mm_auth_password entering
>>> debug3: mm_request_send entering: type 11
>>> debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
>>> debug3: mm_request_receive_expect entering: type 12
>>> debug3: mm_request_receive entering
>>> debug3: monitor_read: checking request 11
>>> debug3: PAM: sshpam_passwd_conv called with 1 messages
>>> debug1: PAM: password authentication accepted for flash
>>> debug3: mm_answer_authpassword: sending result 1
>>> debug3: mm_request_send entering: type 12
>>> debug3: mm_request_receive_expect entering: type 49
>>> debug3: mm_request_receive entering
>>> debug3: mm_auth_password: user authenticated
>>> debug3: mm_do_pam_account entering
>>> debug3: mm_request_send entering: type 49
>>> debug3: mm_request_receive_expect entering: type 50
>>> debug3: mm_request_receive entering
>>> debug1: do_pam_account: called
>>> debug3: PAM: sshpam_passwd_conv called with 1 messages
>>> debug3: PAM: do_pam_account pam_acct_mgmt = 7 (Authentication failure)
>>> debug3: mm_request_send entering: type 50
>>> Failed password for flash from 192.168.1.123 port 65166 ssh2
>>> debug3: mm_request_receive entering
>>> debug3: mm_do_pam_account returning 0
>>> debug1: userauth_send_banner: sent
>>> Access denied for user flash by PAM account configuration
>>> debug1: do_cleanup
>>> debug3: PAM: sshpam_thread_cleanup entering
>>> debug1: do_cleanup
>>> debug1: PAM: cleanup
>>> debug3: PAM: sshpam_thread_cleanup entering
>>>
>>> ssh client output (when correct password is used):
>>>
>>>> ssh flash@under
>>> flash@under's password:
>>> Access denied for this service
>>> Connection closed by 192.168.1.1
>>>
>>>
>>> sshd -Dddd output (when incorrect password is used):
>>>
>>> debug1: userauth-request for user flash service ssh-connection method password
>>> debug1: attempt 1 failures 0
>>> debug2: input_userauth_request: try method password
>>> debug3: mm_auth_password entering
>>> debug3: mm_request_send entering: type 11
>>> debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
>>> debug3: mm_request_receive_expect entering: type 12
>>> debug3: mm_request_receive entering
>>> debug3: monitor_read: checking request 11
>>> debug3: PAM: sshpam_passwd_conv called with 1 messages
>>> debug1: PAM: password authentication failed for flash: Authentication failure
>>> debug3: mm_answer_authpassword: sending result 0
>>> debug3: mm_request_send entering: type 12
>>> Failed password for flash from 192.168.1.123 port 65170 ssh2
>>> debug3: mm_request_receive entering
>>> debug3: mm_auth_password: user not authenticated
>>> Connection closed by 192.168.1.123
>>> debug1: do_cleanup
>>> debug3: PAM: sshpam_thread_cleanup entering
>>> debug1: do_cleanup
>>> debug1: PAM: cleanup
>>> debug3: PAM: sshpam_thread_cleanup entering
>>>
>>> ssh client output (when incorrect password is used):
>>>
>>> #>ssh flash@under
>>> flash@under's password:
>>> Permission denied, please try again.
>>> flash@under's password:
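The "account" stack from the quoted /etc/pam.d/sshd, walked through under Linux-PAM's control-flag rules in an added example that is not from the thread, from nss-pam-ldapd or from Linux-PAM itself; it assumes a dispatch model simplified to the ok/done/bad/die/ignore/jump actions, that pam_nologin succeeds (no /etc/nologin), and that pam_deny returns PAM_AUTH_ERR (7) from pam_acct_mgmt. It shows why any non-success result from pam_ldap.so is swallowed by default=ignore and the 7 that sshd logged is pam_deny's code, so the sshd debug output alone does not reveal what nslcd/pam_ldap returned.

```python
import re
PAM_SUCCESS, PAM_PERM_DENIED, PAM_AUTH_ERR, PAM_IGNORE = 0, 6, 7, 25  # _pam_types.h
CODE_NAMES = {PAM_SUCCESS: "success", PAM_PERM_DENIED: "perm_denied",
              PAM_AUTH_ERR: "auth_err", PAM_IGNORE: "ignore"}
# Bracket equivalents of the simple control keywords, per pam.conf(5).
SIMPLE = {"required":   {"success": "ok", "ignore": "ignore", "default": "bad"},
          "requisite":  {"success": "ok", "ignore": "ignore", "default": "die"},
          "sufficient": {"success": "done", "default": "ignore"},
          "optional":   {"success": "ok", "default": "ignore"}}
# Constructed copy of the 'account' lines from the poster's /etc/pam.d/sshd.
SSHD_ACCOUNT = """
account required pam_nologin.so
account [success=1 default=ignore] pam_ldap.so
account requisite pam_deny.so
account required pam_permit.so
"""

def parse_stack(text, stack_type):
    # Returns [(module, {return_name: action})] for the requested stack type.
    entries = []
    for line in text.strip().splitlines():
        m = re.match(r"(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)", line)
        if m and m.group(1) == stack_type:
            ctrl = m.group(2)
            actions = (dict(kv.split("=") for kv in ctrl[1:-1].split())
                       if ctrl.startswith("[") else SIMPLE[ctrl])
            entries.append((m.group(3), actions))
    return entries

def run_stack(entries, results):
    # Simplified Linux-PAM dispatch; results maps module name -> return code.
    status, failed, i = None, False, 0
    while i < len(entries):
        module, actions = entries[i]
        ret = results.get(module, PAM_IGNORE)
        action = actions.get(CODE_NAMES.get(ret, "default"), actions.get("default", "bad"))
        i += 1
        if action.isdigit():              # N: acts like 'ok', then skips N modules
            i, action = i + int(action), "ok"
        if action in ("ok", "done") and not failed:
            status, failed = ret, ret != PAM_SUCCESS   # first recorded result wins
        elif action in ("bad", "die") and not failed:
            status, failed = ret, True
        if action == "die" or (action == "done" and not failed):
            break
    return PAM_PERM_DENIED if status is None else status

def sshd_account_result(ldap_ret):
    # Assumes no /etc/nologin (pam_nologin passes); pam_deny always returns 7 here.
    results = {"pam_nologin.so": PAM_SUCCESS, "pam_ldap.so": ldap_ret,
               "pam_deny.so": PAM_AUTH_ERR, "pam_permit.so": PAM_SUCCESS}
    return run_stack(parse_stack(SSHD_ACCOUNT, "account"), results)
```

Feeding pam_ldap.so any non-success code (PAM_PERM_DENIED, PAM_AUTH_ERR, even PAM_IGNORE) yields 7 from pam_deny, which is what the "pam_acct_mgmt = 7" line in the sshd trace reflects; nslcd's own debug output is where the real pam_ldap result has to be read.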