Conflict between LDAP and Privilege Separation?

Tim Rice tim at multitalents.net
Tue Aug 30 08:08:07 EST 2005


On Mon, 29 Aug 2005, Lets Go Canes wrote:

> Hi all.
> 
> > Try running sshd -ddd and see if the debug output sheds any light.
> 
> Thank you for the suggestion.
> 
> The sshd side appears to just see the child go away:
> 
[snip]
> Last login: Mon Aug 29 16:27:54 2005 from xyzzy.plugh.c
> debug3: PAM session not opened, exiting
> Connection to ssh-host closed.
> debug1: Transferred: stdin 0, stdout 102, stderr 31 bytes in 0.0
> seconds
> debug1: Bytes per second: stdin 0.0, stdout 5185.8, stderr 1576.1
> debug1: Exit status 254
> [...]
> 
> Note the message:  debug3: PAM session not opened, exiting
> 
> I am also seeing in /var/adm/messages:
> 
> Aug 29 16:47:55 ssh-host sshd[26773]: [ID 776383 auth.error]
> open_module: stat(/lib/security/pam_limits.so) failed: No such file or
> directory

Looks like a PAM configuration problem.

What does your /etc/pam.conf look like?

> Aug 29 16:47:55 ssh-host sshd[26773]: [ID 487707 auth.error]
> load_modules: can not open module /lib/security/pam_limits.so
> Aug 29 16:47:55 ssh-host sshd[26773]: [ID 800047 auth.error] error:
> PAM: pam_open_session(): Dlopen failure
> Aug 29 16:47:55 ssh-host sshd[26773]: [ID 776383 auth.error]
> open_module: stat(/lib/security/pam_nologin.so) failed: No such file or
> directory
> Aug 29 16:47:55 ssh-host sshd[26773]: [ID 487707 auth.error]
> load_modules: can not open module /lib/security/pam_nologin.so
> 
> Note the "pam_open_session(): Dlopen failure"
> 
> I get the same behavior from multiple accounts (using different shells
> and skeleton files).
> 
> I can work around the problem by disabling either PAM and/or PrivSep
> in sshd_config, but in my production environment PAM support will be
> required, and PrivilegeSeparation is viewed as highly desirable.
> 
> 
> --------------
> Lets Go Canes!
> 

Tim Rice				Multitalents	(707) 887-1469
tim at multitalents.net
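The reply above points at the PAM configuration: sshd's log shows `open_module: stat(/lib/security/pam_limits.so) failed` and `load_modules: can not open module ...`, i.e. the session stack in pam.conf names module files that are not on the box, so `pam_open_session()` fails and the privsep child exits. The script below is an added example, not part of the thread and not OpenSSH or Solaris code: it parses a file in the Solaris `/etc/pam.conf` layout (`service module_type control_flag module_path [options]`), resolves the stack PAM would use for a given service and module type (falling back to the `other` entries when the service has none), and reports every module path that does not exist, so the problem is caught before sshd hits it. The sample pam.conf is constructed, and the `/usr/lib/security` default for relative module paths is an assumption you should adjust for your platform; `exists` is injectable so the check can be tested offline.

```python
import os

# Constructed sample in the Solaris /etc/pam.conf layout
# (service  module_type  control_flag  module_path  [options]);
# this is not the poster's actual file.
SAMPLE_PAM_CONF = """\
# constructed sshd stack
sshd    auth      required   pam_unix_auth.so.1
sshd    session   required   /lib/security/pam_limits.so
sshd    session   required   /lib/security/pam_nologin.so
other   session   required   pam_unix_session.so.1
"""

# Directory assumed for module paths given without a leading slash
# (assumption for this example; adjust for your platform).
DEFAULT_MODULE_DIR = "/usr/lib/security"


def parse_pam_conf(text):
    """Parse pam.conf text into (lineno, service, module_type, control_flag, module_path) tuples."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError("line %d: expected service, type, flag, path: %r" % (lineno, raw))
        service, mtype, flag, path = fields[:4]
        entries.append((lineno, service.lower(), mtype.lower(), flag.lower(), path))
    return entries


def stack_for(entries, service, module_type):
    """Return the entries PAM would evaluate for service/module_type, using 'other' as fallback."""
    own = [e for e in entries if e[1] == service and e[2] == module_type]
    if own:
        return own
    return [e for e in entries if e[1] == "other" and e[2] == module_type]


def missing_modules(text, service, module_type, exists=os.path.exists,
                    module_dir=DEFAULT_MODULE_DIR):
    """Return [(lineno, resolved_path)] for stack modules whose file cannot be found.

    `exists` is injectable so the check runs without touching the real filesystem.
    """
    missing = []
    for lineno, _svc, _type, _flag, path in stack_for(parse_pam_conf(text), service, module_type):
        resolved = path if os.path.isabs(path) else os.path.join(module_dir, path)
        if not exists(resolved):
            missing.append((lineno, resolved))
    return missing


if __name__ == "__main__":
    # Pretend only /usr/lib/security/* is installed, mimicking a host where
    # /lib/security/pam_*.so does not exist (constructed scenario).
    fake_fs = lambda p: p.startswith("/usr/lib/security/")
    for svc, mtype in (("sshd", "auth"), ("sshd", "session"), ("ftp", "session")):
        problems = missing_modules(SAMPLE_PAM_CONF, svc, mtype, exists=fake_fs)
        status = "ok" if not problems else "missing: " + ", ".join(
            "line %d %s" % p for p in problems)
        print("%s %s: %s" % (svc, mtype, status))
```

Run against the real file with `missing_modules(open("/etc/pam.conf").read(), "sshd", "session")`; an empty list means every module in the sshd session stack (or the `other` fallback) is present on disk. The sample deliberately reproduces the shape of the poster's failure: the `auth` stack checks out, while the `session` stack lists two absolute paths that are not installed, which is exactly the point at which sshd's `pam_open_session()` reported the dlopen failure.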
