SUMMARY: OpenSSH and Solaris PAM

From: <alexei_at_soemail.rutgers.edu>
Date: Tue Sep 30 2003 - 10:26:25 EDT

Dear sun managers,

Thanks a lot to those of you who replied to my posting.
The suggestions and ideas were very good.

The winning solution came from Fergus Donohue, who pointed me at
the bug report at http://bugzilla.mindrot.org/show_bug.cgi?id=700

The advice about setting "PasswordAuthentication no" and
"ChallengeResponseAuthentication yes" in sshd_config made it work
with PAM, and my LDAP users can log in now.
 
However, for LDAP to work properly, I had to modify my pam.conf slightly,
but it is a minor change:
sshd   auth requisite          pam_authtok_get.so.1
sshd   auth required           pam_dhkeys.so.1
sshd   auth sufficient         pam_unix_auth.so.1
sshd   auth required           pam_ldap.so.1 try_first_pass
sshd   account required        pam_unix_account.so.1

Regards,
Alexei



On Mon, 29 Sep 2003 alexei@soemail.rutgers.edu wrote:

> Greetings,
> 
> I wonder if anyone has succeeded in making OpenSSH 3.7.1p2 work
> properly with Solaris 9 PAM libs?
> 
> After I compiled and configured OpenSSH 3.7.1p2 with PAM support
> on Solaris 9, I encountered a problem getting it to work with Solaris PAM.
> The PAM libs that used to work fine with Sun SSH no longer work with
> OpenSSH.
> 
> For example, I use an additional authentication PAM module to check for
> entries in /etc/shadow in order to prevent NIS users from logging in to a NIS
> server. It works fine with Sun SSH, but OpenSSH completely ignores it.
>  
> On the other host, which is an OpenLDAP client, OpenSSH doesn't seem
> to work with Sun's pam_ldap.so.1.  LDAP users can't log in via ssh.
> However, Sun SSH with the same pam.conf configuration works perfectly:
> sshd   auth      sufficient    pam_ldap.so.1 
> sshd   auth      required      pam_unix_auth.so.1
> sshd   account   sufficient    pam_ldap.so.1
> sshd   account   required      pam_unix_auth.so.1
> sshd   password  sufficient    pam_ldap.so.1
> sshd   password  required      pam_unix_auth.so.1
>  
> In nsswitch.conf, I have 
> passwd:     files ldap
> group:      files ldap
> 
> OpenSSH has been configured with PAM support:
> ./configure --use-pam ...
> 
> When I run ldd on /usr/local/sbin/sshd, among the links, it shows
> libpam.so.1 =>   /usr/lib/libpam.so.1 
> 
> In sshd_config, I got "UsePAM yes".
> 
> Is there anything I am missing? 
> Do I need to compile and install special PAM modules for OpenSSH?
> 
> It looks like sshd completely ignores whatever is in /etc/pam.conf.
> Any suggestion or advice would be appreciated.
> Thanks,
> Alexei
> _______________________________________________
> sunmanagers mailing list
> sunmanagers@sunmanagers.org
> http://www.sunmanagers.org/mailman/listinfo/sunmanagers
Received on Tue Sep 30 10:26:21 2003
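
Added example (not part of the original post, and not OpenSSH or Solaris code): a Python check of the two files the summary touches. It compares sshd_config with the settings reported above as working and shows which pam.conf entries apply to sshd for each module type. The sshd defaults, the per-module-type fallback to the "other" service, and the sample "other" line are assumptions.

```python
# keyword: (value the post reports as working, assumed sshd default if unset)
SETTINGS = {"usepam": ("yes", "no"),
            "passwordauthentication": ("no", "yes"),
            "challengeresponseauthentication": ("yes", "yes")}

def parse_sshd_config(text):
    """Map keyword -> value; keywords are case-insensitive, first value wins."""
    seen = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            seen.setdefault(parts[0].lower(), parts[1].strip().strip('"').lower())
    return seen

def effective_stack(pam_text, module_type, service="sshd"):
    """Rows pam.conf yields for service/module_type, else the 'other' rows."""
    rows = {service: [], "other": []}
    for line in pam_text.splitlines():
        f = line.split("#", 1)[0].split()
        if len(f) >= 4 and f[0] in rows and f[1] == module_type:
            rows[f[0]].append((f[0], f[2], f[3], f[4:]))
    return rows[service] or rows["other"]

def audit(sshd_text, pam_text):
    """Return findings where the files differ from the setup in the post."""
    cfg, findings = parse_sshd_config(sshd_text), []
    for key, (want, default) in SETTINGS.items():
        got = cfg.get(key, default)
        if got != want:
            findings.append(f"sshd_config: {key}={got}, post uses {want}")
    for mtype in ("auth", "account", "session", "password"):
        stack = effective_stack(pam_text, mtype)
        if not stack:
            findings.append(f"pam.conf: no {mtype} entries for sshd or other")
        elif stack[0][0] == "other":
            findings.append(f"pam.conf: sshd {mtype} falls back to 'other'")
    return findings

# Constructed samples: sshd lines are from the post, the 'other' line is made up.
SAMPLE_PAM = """\
sshd   auth requisite          pam_authtok_get.so.1
sshd   auth required           pam_dhkeys.so.1
sshd   auth sufficient         pam_unix_auth.so.1
sshd   auth required           pam_ldap.so.1 try_first_pass
sshd   account required        pam_unix_account.so.1
other  session required        pam_unix_session.so.1
"""
SAMPLE_SSHD = "UsePAM yes\nPasswordAuthentication yes\n"
if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_SSHD, SAMPLE_PAM)))
```

The fallback findings are informational: they show where an sshd login is governed by entries written for other services rather than by the sshd lines.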
