OpenSSH3.0p1/PAM/Sol8
Ed Phillips
ed at UDel.Edu
Fri Nov 9 05:16:53 EST 2001
Can you try adding the "debug" option to the sshd lines in /etc/pam.conf?
Also, make sure syslogd is gathering the messages for auth.err, auth.info,
auth.debug, auth.alert, and auth.crit. Maybe something will show up in
the logs to pinpoint where pam_sm_chauthtok() is failing. It's odd,
because it should never return -1 - only valid PAM_XXXX error codes (which
are >= 0), according to "man pam_sm_chauthtok". Strange...
Ed
On Thu, 8 Nov 2001, Dost, Alexander wrote:
> Date: Thu, 8 Nov 2001 18:47:01 +0100
> From: "Dost, Alexander" <Alexander.Dost at drkw.com>
> To: 'Ed Phillips' <ed at UDel.Edu>
> Cc: openssh-unix-dev at mindrot.org
> Subject: RE: OpenSSH3.0p1/PAM/Sol8
>
> Yes, I get the error messages (illegal option shadow/nodelay).
> I removed the entry and, as you said, they are just ignored, nothing
> changed.
> One additional piece of information: If I use NIS+ for password
> authentication/changing, all works fine.
>
> Alex
>
> #
> # /etc/nsswitch.files:
> #
> # An example file that could be copied over to /etc/nsswitch.conf; it
> # does not use any naming service.
> #
> # "hosts:" and "services:" in this file are used only if the
> # /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.
>
> passwd: files
> group: files
> hosts: dns files
> ipnodes: files
> networks: files
> protocols: files
> rpc: files
> ethers: files
> netmasks: files
> bootparams: files
> publickey: files
> # At present there isn't a 'files' backend for netgroup; the system will
> # figure it out pretty quickly, and won't use netgroups at all.
> netgroup: files
> automount: files
> aliases: files
> services: files
> sendmailvars: files
> printers: user files
>
> auth_attr: files
> prof_attr: files
> project: files
>
> > -----Original Message-----
> > From: Ed Phillips [SMTP:ed at UDel.Edu]
> > Sent: Thursday, November 08, 2001 18:34
> > To: Dost, Alexander
> > Cc: openssh-unix-dev at mindrot.org
> > Subject: RE: OpenSSH3.0p1/PAM/Sol8
> >
> > On Thu, 8 Nov 2001, Dost, Alexander wrote:
> >
> > > Date: Thu, 8 Nov 2001 18:01:52 +0100
> > > From: "Dost, Alexander" <Alexander.Dost at drkw.com>
> > > To: 'Ed Phillips' <ed at UDel.Edu>
> > > Cc: openssh-unix-dev at mindrot.org
> > > Subject: RE: OpenSSH3.0p1/PAM/Sol8
> > >
> > > I imported the example from the contrib directory for generic unix.
> > > sshd is running as root.
> > >
> > > Alex
> > >
> > > pam.conf:
> > > #
> > > #ident "@(#)pam.conf 1.16 01/01/24 SMI"
> > > #
> > > # Copyright (c) 1996-2000 by Sun Microsystems, Inc.
> > > # All rights reserved.
> > > #
> > > # PAM configuration
> > > #
> > > # Authentication management
> > > #
> > > login auth required /usr/lib/security/$ISA/pam_unix.so.1
> > > login auth required /usr/lib/security/$ISA/pam_dial_auth.so.1
> > > sshd auth required /usr/lib/security/$ISA/pam_unix.so shadow nodelay
> >
> > Not that it matters, but "shadow" and "nodelay" are not arguments that are
> > recognized by pam_unix.so.1 according to "man pam_unix".
> >
> > > #
> > > rlogin auth sufficient /usr/lib/security/$ISA/pam_rhosts_auth.so.1
> > > rlogin auth required /usr/lib/security/$ISA/pam_unix.so.1
> > > #
> > > dtlogin auth required /usr/lib/security/$ISA/pam_unix.so.1
> > > #
> > > rsh auth required /usr/lib/security/$ISA/pam_rhosts_auth.so.1
> > > other auth required /usr/lib/security/$ISA/pam_unix.so.1
> > > #
> > > # Account management
> > > #
> > > login account requisite /usr/lib/security/$ISA/pam_roles.so.1
> > > login account required /usr/lib/security/$ISA/pam_projects.so.1
> > > login account required /usr/lib/security/$ISA/pam_unix.so.1
> > > sshd account required /usr/lib/security/$ISA/pam_unix.so.1
> >
> > Looks fine.
> >
> > > #
> > > dtlogin account requisite /usr/lib/security/$ISA/pam_roles.so.1
> > > dtlogin account required /usr/lib/security/$ISA/pam_projects.so.1
> > > dtlogin account required /usr/lib/security/$ISA/pam_unix.so.1
> > > #
> > > other account requisite /usr/lib/security/$ISA/pam_roles.so.1
> > > other account required /usr/lib/security/$ISA/pam_projects.so.1
> > > other account required /usr/lib/security/$ISA/pam_unix.so.1
> > > #
> > > # Session management
> > > #
> > > sshd session required /usr/lib/security/$ISA/pam_unix.so.1
> >
> > Looks fine.
> >
> > > other session required /usr/lib/security/$ISA/pam_unix.so.1
> > > #
> > > # Password management
> > > #
> > > sshd password required /usr/lib/security/$ISA/pam_unix.so shadow nullok use_authtok
> >
> > Again, these are not supported arguments according to "man pam_unix".
> > However, they should just be ignored. You should get syslog messages to
> > auth.err about these options though. Did you see any?
> >
> > > other password required /usr/lib/security/$ISA/pam_unix.so.1
> > > dtsession auth required /usr/lib/security/$ISA/pam_unix.so.1
> > > #
> > > # Support for Kerberos V5 authentication (uncomment to use Kerberos)
> >
> > Hmmmm... what does your /etc/nsswitch.conf file look like?
> >
> > Ed
> >
> > Ed Phillips <ed at udel.edu> University of Delaware (302) 831-6082
> > Systems Programmer III, Network and Systems Services
> > finger -l ed at polycut.nss.udel.edu for PGP public key
>
>
Ed Phillips <ed at udel.edu> University of Delaware (302) 831-6082
Systems Programmer III, Network and Systems Services
finger -l ed at polycut.nss.udel.edu for PGP public key
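The two checks Ed suggests at the top of this message (add "debug" to the sshd lines in /etc/pam.conf, and confirm syslogd actually routes auth.err, auth.info, auth.debug, auth.alert and auth.crit somewhere) as an added Python example. This is not code from the thread, from OpenSSH or from Sun: it parses a Solaris-style pam.conf, flags pam_unix arguments outside an allowlist, appends "debug" to the sshd entries, and reports which of the wanted auth severities a syslog.conf really captures. The allowlist PAM_UNIX_OPTIONS is an assumption taken from the Solaris 8 pam_unix(5) manual page as I recall it (check "man pam_unix" on the host), and both config snippets are constructed for the demonstration.

```python
"""Audit a Solaris-style pam.conf and syslog.conf for sshd PAM debugging.

Added example for the troubleshooting steps in the thread; not code from the
list, OpenSSH or Sun.
"""

# ASSUMPTION: options accepted by Solaris 8 pam_unix.so.1 per pam_unix(5).
# Anything else (shadow, nodelay, nullok, use_authtok in the thread) is flagged.
PAM_UNIX_OPTIONS = {"debug", "nowarn", "use_first_pass", "try_first_pass"}

# syslog severities; a selector "auth.info" logs info and every more severe level.
SYSLOG_LEVELS = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "error": 3,
                 "warning": 4, "warn": 4, "notice": 5, "info": 6, "debug": 7}
# The auth severities Ed asks to have collected.
WANTED_LEVELS = {"err", "info", "debug", "alert", "crit"}

# Constructed sample inputs (modelled on the config pasted in the thread).
PAM_SAMPLE = """sshd auth required /usr/lib/security/$ISA/pam_unix.so.1 shadow nodelay
sshd account required /usr/lib/security/$ISA/pam_unix.so.1
sshd password required /usr/lib/security/$ISA/pam_unix.so.1 shadow nullok use_authtok
other auth required /usr/lib/security/$ISA/pam_unix.so.1
"""
SYSLOG_SAMPLE = """*.err;kern.debug;daemon.notice;mail.crit\t/var/adm/messages
auth.info\t/var/log/authlog
"""


def parse_pam_conf(text):
    """Return [(service, type, control, module, [args])] for each config line.

    Solaris pam.conf format: service type control module_path [options].
    """
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 4:
            continue
        service, ptype, control, module = fields[:4]
        entries.append((service, ptype, control, module, fields[4:]))
    return entries


def unsupported_args(entries, allowlist=PAM_UNIX_OPTIONS):
    """Return [(service, type, arg)] for pam_unix arguments outside the allowlist."""
    bad = []
    for service, ptype, _control, module, args in entries:
        if "pam_unix" not in module:
            continue
        bad.extend((service, ptype, a) for a in args if a not in allowlist)
    return bad


def add_debug(text, service="sshd"):
    """Return pam.conf text with 'debug' appended to every entry for `service`."""
    out = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 4 and fields[0] == service and "debug" not in fields[4:]:
            line = line.rstrip() + " debug"
        out.append(line)
    return "\n".join(out) + "\n"


def auth_levels_logged(syslog_text):
    """Return the subset of WANTED_LEVELS that syslog.conf routes for facility auth.

    "fac.level" logs that level and everything more severe, "*" matches every
    facility, and "auth.none" on the same line discards auth (later part wins).
    """
    covered = set()
    for line in syslog_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        threshold = None
        for part in line.split()[0].split(";"):
            facs, _, level = part.rpartition(".")
            if not facs or (level != "none" and level not in SYSLOG_LEVELS):
                continue
            if not any(f in ("*", "auth") for f in facs.split(",")):
                continue
            threshold = None if level == "none" else SYSLOG_LEVELS[level]
        if threshold is not None:
            covered |= {lv for lv in WANTED_LEVELS if SYSLOG_LEVELS[lv] <= threshold}
    return covered


def missing_auth_levels(syslog_text):
    """Sorted wanted auth severities that this syslog.conf would silently drop."""
    return sorted(WANTED_LEVELS - auth_levels_logged(syslog_text))


if __name__ == "__main__":
    for svc, ptype, arg in unsupported_args(parse_pam_conf(PAM_SAMPLE)):
        print(f"{svc} {ptype}: argument '{arg}' not recognised by pam_unix")
    print(add_debug(PAM_SAMPLE))
    print("auth levels not logged:", missing_auth_levels(SYSLOG_SAMPLE))
```

On the constructed sample the syslog check reports that auth.debug is not captured (the only auth line stops at info), which is exactly the gap that would hide a PAM debug trace of pam_sm_chauthtok(); adding an "auth.debug" selector, or lowering the existing one, closes it.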