darwin <[EMAIL PROTECTED]> writes:

> All,
> I just set up three of my debian sarge boxes to authenticate against
> an openldap server. I'm using PAM and everything works as expected
> except for ssh on one host. When I try to ssh to the box as an ldap
> user I immediately get kicked out. From this box I can successfully
> grab getent ldap info and also su to ldap users. I'm not quite sure
> what's going on here. Why would every service work except for ssh?
> I've pasted some logs below and some /etc/pam.d files but everything
> *seems* in order. Any help would be appreciated.
>
> /var/log/auth.log
> Feb 27 04:44:37 web2 sshd[26645]: Illegal user foo from ::ffff:172.16.0.1
> Feb 27 04:44:39 web2 sshd[26645]: (pam_unix) check pass; user unknown
> Feb 27 04:44:39 web2 sshd[26645]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=asdf
> Feb 27 04:44:39 web2 sshd[26645]: pam_ldap: error trying to bind as user "uid=foo,cn=users,dc=domain,dc=tld" (Invalid credentials) <--- The password is correct :)
> Feb 27 04:44:40 web2 sshd[26645]: error: PAM: Authentication failure for illegal user foo from asdf
> Feb 27 04:44:40 web2 sshd[26645]: Failed keyboard-interactive/pam for illegal user foo from ::ffff:172.16.0.1 port 58015 ssh2
>
> /etc/pam.d
> ::::::::::::::
> ssh
> ::::::::::::::
> auth       required   pam_nologin.so
> auth       required   pam_env.so # [1]
> @include common-auth
> @include common-account
> @include common-session
> session    optional   pam_motd.so # [1]
> session    optional   pam_mail.so standard noenv # [1]
> session    required   pam_limits.so
> @include common-password
> ::::::::::::::
> common-account
> ::::::::::::::
> account required pam_unix.so
> account sufficient pam_ldap.so
> ::::::::::::::
> common-auth
> ::::::::::::::
> auth required pam_env.so
> auth sufficient pam_unix.so likeauth nullok
> auth sufficient pam_ldap.so use_first_pass
> auth required pam_deny.so
> session required pam_mkhomedir.so skel=/etc/skel umask=0027
>
> ::::::::::::::
> common-password
> ::::::::::::::
> password required pam_cracklib.so retry=3 type=
> password sufficient pam_unix.so nullok use_authtok md5 shadow
> password sufficient pam_ldap.so use_authtok
> password required pam_deny.so
> ::::::::::::::
> common-session
> ::::::::::::::
> session required pam_limits.so
> session required pam_unix.so
> session optional pam_ldap.so
I once had a problem with ssh/ldap... it turned out I had forgotten to
restart the ssh daemon after changing pam. I know it's simple... but I
forgot to do it. Maybe you did too?

Nic
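The stacks quoted in the post are worth walking through on paper, because the behaviour of `required` and `sufficient` is not obvious from the file. The script below is an added example, not code from the thread or from Debian: it simulates Linux-PAM's dispatcher for the four classic control keywords over the posted common-auth and common-account stacks, with each module's verdict (success or failure) supplied as a constructed input rather than obtained from PAM, NSS or LDAP. It goes one step beyond the post in one scenario: the same failing-LDAP verdicts with the trailing `pam_deny.so` removed, which shows why that line is there. Name resolution is out of scope; sshd does that before PAM is ever entered and logs "Illegal user" when the lookup fails, so the simulator says nothing about that part of the log.

```python
"""Simulate Linux-PAM control-flag semantics over the common-auth and
common-account stacks quoted in the post.  Module verdicts are constructed
inputs: nothing here touches PAM, NSS or LDAP."""

from typing import Dict, List, Tuple

SUCCESS, FAIL = "success", "fail"

# Stacks copied from the post (module arguments are kept but not interpreted).
COMMON_AUTH = """
auth    required    pam_env.so
auth    sufficient  pam_unix.so likeauth nullok
auth    sufficient  pam_ldap.so use_first_pass
auth    required    pam_deny.so
"""

COMMON_ACCOUNT = """
account required    pam_unix.so
account sufficient  pam_ldap.so
"""

KEYWORDS = ("required", "requisite", "sufficient", "optional")


def parse_stack(text: str) -> List[Tuple[str, str]]:
    """Return [(control, module), ...] from pam.d-style lines.
    Comments, blank lines and @include directives are skipped; the bracketed
    [value=action] control syntax is not handled by this simulator."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("@include"):
            continue
        parts = line.split()
        if len(parts) < 3 or parts[1] not in KEYWORDS:
            raise ValueError("unsupported pam.d line: %r" % raw)
        stack.append((parts[1], parts[2]))
    return stack


def run_stack(stack: List[Tuple[str, str]],
              verdicts: Dict[str, str]) -> Tuple[str, List[str]]:
    """Walk a stack the way Linux-PAM's dispatcher treats the four classic
    keywords and return (result, modules_actually_consulted).

      required    failure is remembered and the walk continues
      requisite   failure ends the walk immediately
      sufficient  success ends the walk with success unless a required module
                  already failed; failure is ignored
      optional    failure is ignored; success counts only if nothing else decided

    A stack that reaches its end with no module having set a result is denied,
    matching Linux-PAM's PAM_PERM_DENIED for an undecided stack.  Modules absent
    from `verdicts` are treated as failing (so pam_deny.so always fails)."""
    impression = None        # None = undecided, True = positive, False = negative
    consulted = []
    for control, module in stack:
        ok = verdicts.get(module, FAIL) == SUCCESS
        consulted.append(module)
        if control == "requisite" and not ok:
            return FAIL, consulted
        if control == "sufficient" and ok and impression is not False:
            return SUCCESS, consulted            # later modules never run
        if control in ("required", "requisite") and not ok:
            impression = False
        elif ok and impression is None:
            impression = True
    return (SUCCESS if impression else FAIL), consulted


def scenarios() -> Dict[str, Tuple[str, List[str]]]:
    """Constructed verdict sets run against the posted stacks."""
    auth = parse_stack(COMMON_AUTH)
    account = parse_stack(COMMON_ACCOUNT)
    env_ok = {"pam_env.so": SUCCESS}
    ldap_bad = {**env_ok, "pam_unix.so": FAIL, "pam_ldap.so": FAIL}
    return {
        # /etc/shadow user with the right password: pam_unix short-circuits,
        # pam_ldap is never consulted.
        "local user, good password":
            run_stack(auth, {**env_ok, "pam_unix.so": SUCCESS}),
        # LDAP-only user with the right password: pam_unix fails (ignored,
        # it is 'sufficient'), the pam_ldap bind succeeds.
        "ldap user, good password":
            run_stack(auth, {**env_ok, "pam_unix.so": FAIL, "pam_ldap.so": SUCCESS}),
        # LDAP bind rejected (the 'Invalid credentials' line in the log):
        # both sufficient modules fail and pam_deny closes the stack.
        "ldap user, bad password":
            run_stack(auth, ldap_bad),
        # Same verdicts with the trailing pam_deny removed: the 'required'
        # success of pam_env is the only decision left, so the stack PASSES.
        # That is why Debian's common-auth ends in pam_deny.
        "ldap user, bad password, no pam_deny":
            run_stack(auth[:-1], ldap_bad),
        # Account stage: pam_ldap is 'sufficient' after a 'required' pam_unix
        # that passed, so an LDAP-side account restriction (pam_ldap failing)
        # does not block the login with the posted common-account.
        "account: ldap restriction, unix ok":
            run_stack(account, {"pam_unix.so": SUCCESS, "pam_ldap.so": FAIL}),
    }


if __name__ == "__main__":
    for name, (result, consulted) in scenarios().items():
        print("%-40s %-8s consulted: %s" % (name, result, " -> ".join(consulted)))
```

The last two scenarios are the ones to take away: `auth required pam_deny.so` is not decoration, and `account sufficient pam_ldap.so` placed after a `required` module that already succeeded can never deny anything on its own.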