All,

I just set up three of my Debian sarge boxes to authenticate against an
OpenLDAP server. I'm using PAM and everything works as expected except
for ssh on one host. When I try to ssh to the box as an LDAP user I
immediately get kicked out. From this box I can successfully grab getent
LDAP info and also su to LDAP users. I'm not quite sure what's going on
here. Why would every service work except for ssh? I've pasted some
logs below and some /etc/pam.d files but everything *seems* in order.
Any help would be appreciated.

/var/log/auth.log
Feb 27 04:44:37 web2 sshd[26645]: Illegal user foo from ::ffff:172.16.0.1
Feb 27 04:44:39 web2 sshd[26645]: (pam_unix) check pass; user unknown
Feb 27 04:44:39 web2 sshd[26645]: (pam_unix) authentication failure;
logname= uid=0 euid=0 tty=ssh ruser= rhost=asdf
Feb 27 04:44:39 web2 sshd[26645]: pam_ldap: error trying to bind as user
"uid=foo,cn=users,dc=domain,dc=tld" (Invalid credentials) <--- The
password is correct :)
Feb 27 04:44:40 web2 sshd[26645]: error: PAM: Authentication failure for
illegal user foo from asdf
Feb 27 04:44:40 web2 sshd[26645]: Failed keyboard-interactive/pam for
illegal user foo from ::ffff:172.16.0.1 port 58015 ssh2
/etc/pam.d
::::::::::::::
ssh
::::::::::::::
auth required pam_nologin.so
auth required pam_env.so # [1]
@include common-auth
@include common-account
@include common-session
session optional pam_motd.so # [1]
session optional pam_mail.so standard noenv # [1]
session required pam_limits.so
@include common-password
::::::::::::::
common-account
::::::::::::::
account required pam_unix.so
account sufficient pam_ldap.so
::::::::::::::
common-auth
::::::::::::::
auth required pam_env.so
auth sufficient pam_unix.so likeauth nullok
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
session required pam_mkhomedir.so skel=/etc/skel umask=0027
::::::::::::::
common-password
::::::::::::::
password required pam_cracklib.so retry=3 type=
password sufficient pam_unix.so nullok use_authtok md5 shadow
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
::::::::::::::
common-session
::::::::::::::
session required pam_limits.so
session required pam_unix.so
session optional pam_ldap.so
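A triage sketch for the auth.log excerpt in the post above, added here as an example and not part of the original message: it groups sshd lines by PID and reports whether sshd had already logged "Illegal user" before pam_ldap attempted its bind, which helps separate a username-resolution problem from a password problem. The function names, event labels and the reading of "Illegal user" as sshd failing to resolve the account are assumptions of this example.

```python
import re

# Log lines from the post above, with the e-mail line wraps rejoined and the
# poster's inline "<---" remark dropped.
SAMPLE = '''\
Feb 27 04:44:37 web2 sshd[26645]: Illegal user foo from ::ffff:172.16.0.1
Feb 27 04:44:39 web2 sshd[26645]: (pam_unix) check pass; user unknown
Feb 27 04:44:39 web2 sshd[26645]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=asdf
Feb 27 04:44:39 web2 sshd[26645]: pam_ldap: error trying to bind as user "uid=foo,cn=users,dc=domain,dc=tld" (Invalid credentials)
Feb 27 04:44:40 web2 sshd[26645]: error: PAM: Authentication failure for illegal user foo from asdf
Feb 27 04:44:40 web2 sshd[26645]: Failed keyboard-interactive/pam for illegal user foo from ::ffff:172.16.0.1 port 58015 ssh2
'''

LINE = re.compile(r'^\w{3}\s+\d+ [\d:]{8} (\S+) sshd\[(\d+)\]: (.*)$')
EVENTS = [  # (label, pattern); labels are this example's own names
    ('sshd_illegal_user', re.compile(r'^Illegal user (\S+) from ')),
    ('pam_unix_unknown', re.compile(r'^\(pam_unix\) check pass; user unknown')),
    ('pam_ldap_bind_fail', re.compile(r'^pam_ldap: error trying to bind as user "([^"]+)" \(([^)]+)\)')),
    ('auth_failed', re.compile(r'^Failed \S+ for (?:illegal user )?(\S+) from ')),
]

def sessions(text):
    """Group recognised sshd events by (host, pid), in logged order."""
    out = {}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not an sshd line, or a wrapped continuation
        host, pid, msg = m.groups()
        for name, pat in EVENTS:
            hit = pat.match(msg)
            if hit:
                out.setdefault((host, pid), []).append((name, hit.groups()))
                break
    return out

def triage(events):
    """Classify one session from the order of its events."""
    names = [n for n, _ in events]
    if 'pam_ldap_bind_fail' not in names:
        return 'no-ldap-bind-failure'
    # Assumption: "Illegal user" means sshd itself found no account entry.
    if 'sshd_illegal_user' in names[:names.index('pam_ldap_bind_fail')]:
        return 'sshd-rejected-user-before-ldap-bind'
    return 'ldap-bind-rejected-for-known-user'

if __name__ == '__main__':
    for (host, pid), ev in sessions(SAMPLE).items():
        print(host, pid, triage(ev), [n for n, _ in ev])
```

On the posted excerpt the session is classified as rejected by sshd before the LDAP bind, so the "Invalid credentials" line should be read together with the "Illegal user" line two seconds earlier.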