OpenSSH 4.3p2 on Solaris 10 and PAM
Bernd Nies
listuser at adnovum.ch
Mon Jul 10 23:02:02 EST 2006
Hi,
We have a Solaris 10 system that authenticates users against an LDAP
server with password management.
On port 22 runs Sun SSH 1.1. On port 2222 runs OpenSSH 4.3p2. OpenSSH
uses a configuration from a Linux system where login with password or
public key works.
Additionally, we have a customized PAM module that grants/revokes access
based upon an attribute setting in LDAP.
The PAM Configuration for Sun SSH 1.1 is:
==CUT==
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth required pam_dial_auth.so.1
login auth binding pam_unix_auth.so.1 server_policy
login auth required pam_ldap.so.1
sshd-password account required pam_mymodule.so.1
sshd-none account required pam_mymodule.so.1
sshd-kbdint account required pam_mymodule.so.1
sshd-pubkey account required pam_mymodule.so.1
sshd-hostbased account required pam_mymodule.so.1
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth binding pam_unix_auth.so.1 server_policy
other auth required pam_ldap.so.1
passwd auth binding pam_passwd_auth.so.1 server_policy
passwd auth required pam_ldap.so.1
cron account required pam_unix_account.so.1
other account requisite pam_roles.so.1
other account binding pam_unix_account.so.1 server_policy
other account required pam_ldap.so.1
other session required pam_unix_session.so.1
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1 server_policy
==CUT==
This works fine with Sun SSH 1.1. Access is granted and revoked
correctly, even if the user has placed his public key in
.ssh/authorized_keys.
Using OpenSSH 4.3p2 with the above configuration, this PAM module never
gets executed. Login with password works, but public key
authentication fails with "connection closed" and the following debug
messages in syslog:
==CUT==
debug1: fd 6 clearing O_NONBLOCK
debug1: rexec start in 6 out 6 newsock 6 pipe 8 sock 1
debug1: Forked child 1250.
debug1: inetd sockets after dupping: 5, 5
Connection from 192.168.1.123 port 58541
debug1: Client protocol version 2.0; client software version OpenSSH_4.2
debug1: match: OpenSSH_4.2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3
debug1: PAM: initializing for "user1"
debug1: PAM: setting PAM_RHOST to "host1.domain.tld"
debug1: PAM: setting PAM_TTY to "ssh"
debug1: temporarily_use_uid: 1468/1000 (e=0/0)
debug1: trying public key file /home/user1/.ssh/authorized_keys
debug1: matching key found: file /home/user1/.ssh/authorized_keys, line 1
Found matching RSA key: 33:dd:ee:66:cc:33:11:33:44:dd:55:ee:00:33:00:ff
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 1468/1000 (e=0/0)
debug1: trying public key file /home/user1/.ssh/authorized_keys
debug1: matching key found: file /home/user1/.ssh/authorized_keys, line 1
Found matching RSA key: 33:dd:ee:66:cc:33:11:33:44:dd:55:ee:00:33:00:ff
debug1: restore_uid: 0/0
debug1: ssh_rsa_verify: signature correct
debug1: do_pam_account: called
Failed publickey for noglera from 192.168.1.123 port 58541 ssh2
debug1: do_cleanup
debug1: PAM: cleanup
==CUT==
What is the correct PAM configuration for Solaris 10 and OpenSSH 4.3p2 so
that login with password or public key works?
How does an additional PAM module have to be inserted to work with OpenSSH?
I found this PAM configuration:
sshd auth requisite pam_authtok_get.so.1
sshd auth required pam_dhkeys.so.1
sshd auth sufficient pam_unix_auth.so.1
sshd auth required pam_ldap.so.1 try_first_pass
sshd account required pam_unix_account.so.1
But with this config the password login of OpenSSH does not work. Only
public key login works. This is because the LDAP userPassword is not
readable. Authentication must be done with an LDAP bind and not an LDAP
search/compare.
Thanks in advance.
Regards,
Bernd
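As an added diagnostic (not part of the post and not OpenSSH or Solaris code), the Python script below parses the Solaris pam.conf format and resolves which stack a given service name actually falls through to. Portable OpenSSH talks to PAM under a single service name (`sshd` unless it was built with another), not Sun SSH's per-method `sshd-pubkey`/`sshd-kbdint` names, so a module listed only under those names is never consulted and the `other` stack is used instead. The embedded pam.conf excerpt is constructed from the one in the post.

```python
"""Resolve the effective Solaris pam.conf stack for a service name.

Solaris pam.conf lines have the form:
    service_name module_type control_flag module_path [options]
A service with no entries for a module type falls back to "other".
"""

# Constructed excerpt of the pam.conf quoted in the post.
PAM_CONF = """\
# comment lines and blank lines are ignored

login auth requisite pam_authtok_get.so.1
sshd-pubkey account required pam_mymodule.so.1
sshd-password account required pam_mymodule.so.1
other auth requisite pam_authtok_get.so.1
other auth binding pam_unix_auth.so.1 server_policy
other auth required pam_ldap.so.1
other account requisite pam_roles.so.1
other account binding pam_unix_account.so.1 server_policy
other account required pam_ldap.so.1
"""


def parse_pam_conf(text):
    """Return a list of (service, type, flag, module, options) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError("malformed pam.conf line: %r" % raw)
        service, mtype, flag, module = fields[:4]
        entries.append((service, mtype.lower(), flag.lower(), module, fields[4:]))
    return entries


def effective_stack(entries, service, mtype):
    """Entries PAM runs for (service, mtype); falls back to 'other'."""
    stack = [e for e in entries if e[0] == service and e[1] == mtype]
    if not stack:
        stack = [e for e in entries if e[0] == "other" and e[1] == mtype]
    return stack


def module_runs(entries, service, mtype, module):
    """True if `module` is in the stack actually used for the service."""
    return any(e[3] == module for e in effective_stack(entries, service, mtype))


if __name__ == "__main__":
    entries = parse_pam_conf(PAM_CONF)
    for svc in ("sshd-pubkey", "sshd"):  # Sun SSH name vs. OpenSSH name
        mods = [e[3] for e in effective_stack(entries, svc, "account")]
        print("%-12s account -> %s" % (svc, " ".join(mods)))
```

Running it against a real /etc/pam.conf (read the file instead of `PAM_CONF`) shows at a glance whether a custom account module would ever be reached under the service name the daemon really uses.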