OpenSSH public key problem with Solaris 10 and LDAP users?
listen at alexander.skwar.name
Wed Aug 15 16:52:42 EST 2007
Peter Stuge <stuge-openssh-unix-dev at cdy.org> wrote:
> On Tue, Aug 14, 2007 at 03:43:04PM +0200, Alexander Skwar wrote:
>> Yep. Public Key auth is certainly auth without a password :) But
>> why don't I get this message, when I login with a good user?
> Again - something is different for those users, somewhere.
Of course! I'm not denying this ;) One set of users is able
to use passwordless entry, while the other set of users is
not able to do this. That's of course quite a difference *g*
>> >> Anyway. Still looks like PAM / LDAP issue.
>> > Yes, it is.
>> With a strange coincidence with SSH.
> OpenSSH introduces a lot of third-party PAM code to a system so it's
> not all that strange.
>> > Something is different in the LDAP data stored for the users,
>> > probably because of how they were created.
>> I copied the new user, using the data from a working user.
> So that's one way.
>> I also tried to create a new user "from scratch".
> That's two.
> Possibly the working users were created in bulk (three) or just using
> different versions of some software (four).
Well, as long as the LDAP database has the same contents, it doesn't
make a difference on how the data was "poured" into it, I'd think. But
I don't know that.
It's like if there were a difference, when you create a user by
doing "vi /etc/passwd" compared to "echo blah:blah:blah >> /etc/passwd".
The result is the same. Confusing.
> Creating new users the
> exact same way as the working users were created should still
> succeed though.
Will try that. But I very highly doubt, that this makes a difference
at all. After all, it's just a different way to fill that database.
Okay. Done. Original way was, that I used the PADL Migration Tools,
which convert /etc/passwd et.al. to LDIF files which then have to
be ldapadd'ed to the LDAP database. I just did that, and as was
to be expected, there was no difference whatsoever. Result:
With yet another newly created test user, I'm able to SSH login
using a password. Passwordless entry using pubkey doesn't work.
> If you get that far, you get to reverse engineer what
> is actually going on to find the difference.
Yep. If I'd only be able to get that far... :\
>> Having a look at the LDIF exports, I cannot see any differences.
> But this is not the whole truth. There's a lot of software involved
> in writing and reading that data, some of it may implement a policy
> according to something else than the data in the LDIF export.
But the LDAP database is the sole source of information. There
is nothing else (well, there's of course still a mostly empty
/etc/passwd and /etc/group, but there's nothing in those files
for the new users and there's also nothing in there for the
old and working users).
>> Anyway. Probably really a LDAP thing.
> Can you test if these users are allowed through when someone else
> than OpenSSH uses PAM to do passwordless logins? Any server is good.
What server should I try?
> My guess is that the problem is with writing to LDAP, rather than
> reading from it.
I doubt that. In LDAP, there's no difference between the non-working
users and the working users. At least not, as far as I can tell.
Thanks a lot though,
More information about the openssh-unix-dev