OpenSSH3.0p1/PAM/Sol8
Ed Phillips
ed at UDel.Edu
Fri Nov 9 04:33:44 EST 2001

On Thu, 8 Nov 2001, Dost, Alexander wrote:
> Date: Thu, 8 Nov 2001 18:01:52 +0100
> From: "Dost, Alexander" <Alexander.Dost at drkw.com>
> To: 'Ed Phillips' <ed at UDel.Edu>
> Cc: openssh-unix-dev at mindrot.org
> Subject: RE: OpenSSH3.0p1/PAM/Sol8
>
> I imported the example from the contrib directory for generic unix.
> sshd is running as root.
>
> Alex
>
> pam.conf:
> #
> #ident "@(#)pam.conf 1.16 01/01/24 SMI"
> #
> # Copyright (c) 1996-2000 by Sun Microsystems, Inc.
> # All rights reserved.
> #
> # PAM configuration
> #
> # Authentication management
> #
> login auth required /usr/lib/security/$ISA/pam_unix.so.1
> login auth required /usr/lib/security/$ISA/pam_dial_auth.so.1
> sshd auth required /usr/lib/security/$ISA/pam_unix.so shadow nodelay

Not that it matters, but "shadow" and "nodelay" are not arguments that are
recognized by pam_unix.so.1 according to "man pam_unix".

> #
> rlogin auth sufficient /usr/lib/security/$ISA/pam_rhosts_auth.so.1
> rlogin auth required /usr/lib/security/$ISA/pam_unix.so.1
> #
> dtlogin auth required /usr/lib/security/$ISA/pam_unix.so.1
> #
> rsh auth required /usr/lib/security/$ISA/pam_rhosts_auth.so.1
> other auth required /usr/lib/security/$ISA/pam_unix.so.1
> #
> # Account management
> #
> login account requisite /usr/lib/security/$ISA/pam_roles.so.1
> login account required /usr/lib/security/$ISA/pam_projects.so.1
> login account required /usr/lib/security/$ISA/pam_unix.so.1
> sshd account required /usr/lib/security/$ISA/pam_unix.so.1

Looks fine.

> #
> dtlogin account requisite /usr/lib/security/$ISA/pam_roles.so.1
> dtlogin account required /usr/lib/security/$ISA/pam_projects.so.1
> dtlogin account required /usr/lib/security/$ISA/pam_unix.so.1
> #
> other account requisite /usr/lib/security/$ISA/pam_roles.so.1
> other account required /usr/lib/security/$ISA/pam_projects.so.1
> other account required /usr/lib/security/$ISA/pam_unix.so.1
> #
> # Session management
> #
> sshd session required /usr/lib/security/$ISA/pam_unix.so.1

Looks fine.

> other session required /usr/lib/security/$ISA/pam_unix.so.1
> #
> # Password management
> #
> sshd password required /usr/lib/security/$ISA/pam_unix.so shadow nullok use_authtok

Again, these are not supported arguments according to "man pam_unix".
However, they should just be ignored. You should get syslog messages to
auth.err about these options though. Did you see any?

> other password required /usr/lib/security/$ISA/pam_unix.so.1
> dtsession auth required /usr/lib/security/$ISA/pam_unix.so.1
> #
> # Support for Kerberos V5 authentication (uncomment to use Kerberos)

Hmmmm... what does your /etc/nsswitch.conf file look like?

Ed
Ed Phillips <ed at udel.edu> University of Delaware (302) 831-6082
Systems Programmer III, Network and Systems Services
finger -l ed at polycut.nss.udel.edu for PGP public key
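
Added example, not part of the original message or of OpenSSH: a small pam.conf checker that resolves the stack a service actually gets for each module type (falling back to the "other" entries when the service has none) and reports the module options the reply above says "man pam_unix" does not list. The function names, the `FLAGGED` set and the sample text are assumptions built from the quoted file, with its wrapped password line joined.

```python
from collections import namedtuple

Entry = namedtuple("Entry", "service mtype control module options")

# Options the reply says "man pam_unix" does not list on this system.
# Taken from the message only; this is not a complete option table.
FLAGGED = {"shadow", "nodelay", "nullok", "use_authtok"}

# Constructed sample: a subset of the quoted pam.conf, wrapped line joined.
SAMPLE = """\
# Authentication management
sshd auth required /usr/lib/security/$ISA/pam_unix.so shadow nodelay
other auth required /usr/lib/security/$ISA/pam_unix.so.1
dtsession auth required /usr/lib/security/$ISA/pam_unix.so.1
sshd account required /usr/lib/security/$ISA/pam_unix.so.1
other account required /usr/lib/security/$ISA/pam_unix.so.1
sshd session required /usr/lib/security/$ISA/pam_unix.so.1
other session required /usr/lib/security/$ISA/pam_unix.so.1
sshd password required /usr/lib/security/$ISA/pam_unix.so shadow nullok use_authtok
other password required /usr/lib/security/$ISA/pam_unix.so.1
"""

def parse_pam_conf(text):
    """Parse pam.conf lines: service, type, control flag, module path, options."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError("malformed pam.conf line: %r" % raw)
        entries.append(Entry(fields[0], fields[1], fields[2], fields[3], fields[4:]))
    return entries

def effective_stack(entries, service, mtype):
    """Entries used for service/mtype; the 'other' entries apply when none exist."""
    own = [e for e in entries if e.service == service and e.mtype == mtype]
    return own or [e for e in entries if e.service == "other" and e.mtype == mtype]

def audit(entries, service):
    """Return (mtype, module, option) for each flagged option in the service's stacks."""
    findings = []
    for mtype in ("auth", "account", "session", "password"):
        for e in effective_stack(entries, service, mtype):
            findings += [(mtype, e.module, o) for o in e.options if o in FLAGGED]
    return findings

if __name__ == "__main__":
    for mtype, module, opt in audit(parse_pam_conf(SAMPLE), "sshd"):
        print("sshd %-8s %s: option %r flagged" % (mtype, module, opt))
```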