Conflict between LDAP and Privilege Separation?
Tim Rice
tim at multitalents.net
Tue Aug 30 08:08:07 EST 2005
On Mon, 29 Aug 2005, Lets Go Canes wrote:
> Hi all.
>
> > Try running sshd -ddd and see if the debug output sheds any light.
>
> Thank you for the suggestion.
>
> The sshd side appears to just see the child go away:
>
[snip]
> Last login: Mon Aug 29 16:27:54 2005 from xyzzy.plugh.c
> debug3: PAM session not opened, exiting
> Connection to ssh-host closed.
> debug1: Transferred: stdin 0, stdout 102, stderr 31 bytes in 0.0
> seconds
> debug1: Bytes per second: stdin 0.0, stdout 5185.8, stderr 1576.1
> debug1: Exit status 254
> [...]
>
> Note the message: debug3: PAM session not opened, exiting
>
> I am also seeing in /var/adm/messages:
>
> Aug 29 16:47:55 ssh-host sshd[26773]: [ID 776383 auth.error]
> open_module: stat(/lib/security/pam_limits.so) failed: No such file or
> directory
Looks like a PAM configuration problem.
What does your /etc/pam.conf look like?
> Aug 29 16:47:55 ssh-host sshd[26773]: [ID 487707 auth.error]
> load_modules: can not open module /lib/security/pam_limits.so
> Aug 29 16:47:55 ssh-host sshd[26773]: [ID 800047 auth.error] error:
> PAM: pam_open_session(): Dlopen failure
> Aug 29 16:47:55 ssh-host sshd[26773]: [ID 776383 auth.error]
> open_module: stat(/lib/security/pam_nologin.so) failed: No such file or
> directory
> Aug 29 16:47:55 ssh-host sshd[26773]: [ID 487707 auth.error]
> load_modules: can not open module /lib/security/pam_nologin.so
>
> Note the "pam_open_session(): Dlopen failure"
>
> I get the same behavior from multiple accounts (using different shells
> and skeleton files).
>
> I can work around the problem by disabling either PAM and/or PrivSep
> in sshd_config, but in my production environment PAM support will be
> required, and PrivilegeSeparation is viewed as highly desirable.
>
>
> --------------
> Lets Go Canes!
>
Tim Rice Multitalents (707) 887-1469
tim at multitalents.net
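The log lines quoted above show the whole failure chain: stat() on a module path fails, load_modules cannot open it, pam_open_session() reports a Dlopen failure, and sshd (with PAM enabled and the session stack failing) closes the connection. The first thing to check when asked "what does your /etc/pam.conf look like?" is whether every module the file names is actually on disk. The script below is an added example, not code from this thread or from the OpenSSH project; it assumes Solaris pam.conf(4) syntax (service, module type, control flag, module path, options) and that a relative module path resolves under /usr/lib/security, as Solaris does. The demo tree and pam.conf it builds are constructed to mirror the quoted messages.

```shell
#!/bin/sh
# Added example (not from the thread): report every module referenced in a
# Solaris-style pam.conf that does not exist on disk. A missing module is what
# produces the chain seen above:
#   stat(...) failed -> "can not open module" -> pam_open_session(): Dlopen failure
#   -> "PAM session not opened, exiting" -> ssh connection closed.
#
#   pam_check_modules /etc/pam.conf            check the running system
#   pam_check_modules pam.conf /staging/root   check a copy under another root
#
# Prints one "MISSING:" line per unresolvable module; exit status is 0 only
# when every module resolves.

pam_check_modules() {
    conf="$1"
    root="${2:-}"      # optional prefix (chroot/staging tree); empty = live system
    missing=0
    # pam.conf(4) line format: service  module_type  control_flag  module_path  [options]
    # 'options' soaks up the rest of the line so the module path is parsed exactly.
    while read -r service mtype control modpath options || [ -n "$service" ]; do
        case "$service" in
            ''|\#*) continue ;;          # blank line or comment
        esac
        [ -n "$modpath" ] || continue    # malformed line, nothing to resolve
        # Assumption: a relative module path is looked up under /usr/lib/security (Solaris).
        case "$modpath" in
            /*) full="$root$modpath" ;;
            *)  full="$root/usr/lib/security/$modpath" ;;
        esac
        if [ ! -f "$full" ]; then
            echo "MISSING: $service $mtype -> $modpath"
            missing=$((missing + 1))
        fi
    done < "$conf"
    [ "$missing" -eq 0 ]
}

# Constructed demo: a staging root where only pam_unix_session.so.1 is installed,
# and a pam.conf whose sshd session stack also lists the Linux-PAM modules
# /lib/security/pam_limits.so and /lib/security/pam_nologin.so, mirroring the
# /var/adm/messages lines quoted above. Expected: two MISSING lines, exit status 1.
pam_demo() {
    tmp="$(mktemp -d)" || return 2
    mkdir -p "$tmp/usr/lib/security"
    : > "$tmp/usr/lib/security/pam_unix_session.so.1"
    cat > "$tmp/pam.conf" <<'EOF'
# constructed sample in Solaris pam.conf syntax
sshd    session   required   pam_unix_session.so.1
sshd    session   required   /lib/security/pam_limits.so
sshd    session   required   /lib/security/pam_nologin.so
EOF
    pam_check_modules "$tmp/pam.conf" "$tmp"
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}
```

Run it against the real file before touching sshd_config: a non-zero exit with MISSING lines means the session stack cannot even be loaded, so disabling PAM or privilege separation only hides a configuration error rather than fixing it. Once every module resolves, the "Dlopen failure" messages should disappear from /var/adm/messages.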