OpenSSH 4.3p2 on Solaris 10 and PAM

Bernd Nies listuser at adnovum.ch
Mon Jul 10 23:02:02 EST 2006


Hi,

We have a Solaris 10 system that authenticates users against an LDAP 
server with password management.

On port 22 runs Sun SSH 1.1. On port 2222 runs OpenSSH 4.3p2. OpenSSH 
uses a configuration from a Linux system where login with password or 
public key works.

Additionally we have a customized PAM module that grants/revokes access 
based upon an attribute setting in LDAP.

The PAM Configuration for Sun SSH 1.1 is:

==CUT==
login   auth requisite        pam_authtok_get.so.1
login   auth required         pam_dhkeys.so.1
login   auth required         pam_unix_cred.so.1
login   auth required         pam_dial_auth.so.1
login   auth binding          pam_unix_auth.so.1 server_policy
login   auth required         pam_ldap.so.1

sshd-password   account required       pam_mymodule.so.1
sshd-none       account required       pam_mymodule.so.1
sshd-kbdint     account required       pam_mymodule.so.1
sshd-pubkey     account required       pam_mymodule.so.1
sshd-hostbased  account required       pam_mymodule.so.1

other   auth requisite        pam_authtok_get.so.1
other   auth required         pam_dhkeys.so.1
other   auth required         pam_unix_cred.so.1
other   auth binding          pam_unix_auth.so.1 server_policy
other   auth required         pam_ldap.so.1

passwd  auth binding          pam_passwd_auth.so.1 server_policy
passwd  auth required         pam_ldap.so.1

cron    account required      pam_unix_account.so.1

other   account requisite     pam_roles.so.1
other   account binding       pam_unix_account.so.1 server_policy
other   account required      pam_ldap.so.1
other   session required      pam_unix_session.so.1
other   password required     pam_dhkeys.so.1
other   password requisite    pam_authtok_get.so.1
other   password requisite    pam_authtok_check.so.1
other   password required     pam_authtok_store.so.1 server_policy
==CUT==

This works fine with Sun SSH 1.1. Access is granted and revoked 
correctly, even if the user has placed his public key in 
.ssh/authorized_keys.

Using OpenSSH 4.3p2 with the above configuration, this PAM module never 
gets executed. Login with password works, but public key 
authentication fails with "connection closed" and the following debug 
messages in syslog:

==CUT==
debug1: fd 6 clearing O_NONBLOCK
debug1: rexec start in 6 out 6 newsock 6 pipe 8 sock 1
debug1: Forked child 1250.
debug1: inetd sockets after dupping: 5, 5
Connection from 192.168.1.123 port 58541
debug1: Client protocol version 2.0; client software version OpenSSH_4.2
debug1: match: OpenSSH_4.2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3
debug1: PAM: initializing for "user1"
debug1: PAM: setting PAM_RHOST to "host1.domain.tld"
debug1: PAM: setting PAM_TTY to "ssh"
debug1: temporarily_use_uid: 1468/1000 (e=0/0)
debug1: trying public key file /home/user1/.ssh/authorized_keys
debug1: matching key found: file /home/user1/.ssh/authorized_keys, line 1
Found matching RSA key: 33:dd:ee:66:cc:33:11:33:44:dd:55:ee:00:33:00:ff
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 1468/1000 (e=0/0)
debug1: trying public key file /home/user1/.ssh/authorized_keys
debug1: matching key found: file /home/user1/.ssh/authorized_keys, line 1
Found matching RSA key: 33:dd:ee:66:cc:33:11:33:44:dd:55:ee:00:33:00:ff
debug1: restore_uid: 0/0
debug1: ssh_rsa_verify: signature correct
debug1: do_pam_account: called
Failed publickey for noglera from 192.168.1.123 port 58541 ssh2
debug1: do_cleanup
debug1: PAM: cleanup
==CUT==


What is the correct PAM configuration for Solaris 10 and OpenSSH 4.3p2 so 
that login with password or public key works?

How does an additional PAM module have to be inserted to work with OpenSSH?

I found this PAM configuration:
sshd   auth requisite          pam_authtok_get.so.1
sshd   auth required           pam_dhkeys.so.1
sshd   auth sufficient         pam_unix_auth.so.1
sshd   auth required           pam_ldap.so.1		try_first_pass
sshd   account required        pam_unix_account.so.1

But with this config the password login of OpenSSH does not work; only 
public key login works. This is because the LDAP userPassword is not 
readable. Authentication must be done with an LDAP bind and not an LDAP 
search/compare.


Thanks in advance.

Regards,
Bernd
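An added illustration (not part of the post above, and not code from OpenSSH or Solaris) of how Solaris pam.conf resolves a stack: entries for the exact service name and module type are used if any exist, otherwise the "other" entries apply. It assumes portable OpenSSH registers with PAM under the service name "sshd", so the "sshd-pubkey"/"sshd-password" account lines written for Sun SSH are never consulted for it and the account phase falls through to the "other" stack. The pam.conf excerpt is constructed from the lines in the post.

```python
from collections import defaultdict

# Constructed excerpt of the pam.conf fragments quoted in the post.
PAM_CONF = """
sshd-pubkey     account required       pam_mymodule.so.1
sshd-password   account required       pam_mymodule.so.1
other   account requisite     pam_roles.so.1
other   account binding       pam_unix_account.so.1 server_policy
other   account required      pam_ldap.so.1
sshd   auth requisite          pam_authtok_get.so.1
sshd   auth sufficient         pam_unix_auth.so.1
sshd   auth required           pam_ldap.so.1  try_first_pass
"""

def parse_pam_conf(text):
    """Return {(service, module_type): [(control, module, options)]} in file order."""
    stacks = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"malformed pam.conf line: {raw!r}")
        service, mtype, control, module = fields[:4]
        stacks[(service, mtype)].append((control, module, fields[4:]))
    return stacks

def resolve_stack(stacks, service, mtype):
    """Solaris rule: a service's own entries for this module type win;
    if there are none at all, the 'other' entries for that type are used."""
    if (service, mtype) in stacks:
        return service, stacks[(service, mtype)]
    return "other", stacks.get(("other", mtype), [])

def modules_for(stacks, service, mtype):
    """Convenience view: which service name matched and the module names in order."""
    used, stack = resolve_stack(stacks, service, mtype)
    return used, [module for _, module, _ in stack]

if __name__ == "__main__":
    conf = parse_pam_conf(PAM_CONF)
    # Sun SSH (service "sshd-pubkey") reaches pam_mymodule; OpenSSH (assumed
    # service "sshd") has no account entry of its own and gets the "other" stack.
    for svc in ("sshd-pubkey", "sshd"):
        used, mods = modules_for(conf, svc, "account")
        print(f"{svc:12s} account -> [{used}] {' '.join(mods)}")
```

Adding the custom module on an `sshd account` line (or whatever service name the OpenSSH build actually uses, which the PAM debug output names) is the check this resolver makes visible.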
