Re: sshd rejecting public key auth for LDAP users

Don Feliciano
New Member

sshd rejecting public key auth for LDAP users

Seems to be a PAM problem, but I don't know how to debug further...

Here's the relevant snippet from the sshd debug output:

debug3: mm_request_receive entering
debug3: mm_do_pam_account entering
debug3: mm_request_send entering: type 46
debug3: mm_request_receive_expect entering: type 47
debug1: do_pam_account: called
debug3: mm_request_receive entering
debug3: PAM: do_pam_account pam_acct_mgmt = 13 (No account present for user)
debug3: mm_request_send entering: type 47
Failed publickey for dfelicia from xxx.xxx.xxx.xxx port 5851 ssh2
debug3: mm_do_pam_account returning 0
debug1: Entering record_failed_login uid 0
Access denied for user dfelicia by PAM account configuration
debug1: do_cleanup
debug1: PAM: cleanup
debug3: PAM: sshpam_thread_cleanup entering
debug3: audit failed auth attempt, method publickey euid 0
debug1: audit event euid 0 user dfelicia event 6 (AUTH_FAIL_PUBKEY)
debug3: mm_request_receive entering
debug1: do_cleanup
debug1: PAM: cleanup
debug3: PAM: sshpam_thread_cleanup entering
debug1: audit event euid 0 user dfelicia event 12 (CONNECTION_ABANDON)

If I disable public key auth in sshd_config, I can log in (keyboard interactive).
Ermin Borovac
Honored Contributor

Re: sshd rejecting public key auth for LDAP users

Which version of LDAP-UX are you using?

I think a similar problem has been fixed in the latest version of LDAP-UX (04.10).

http://docs.hp.com/en/J4269-90065/ch01s02.html#d0e406

#

Defect Number JAGaf59448

SSH (Secure Shell) clients fail to establish a login session with an SSH server when using shadow passwords. PAM account management performed with PAM_LDAP fails. This prevents the users from successfully logging onto the system.
#

Don Feliciano
New Member

Re: sshd rejecting public key auth for LDAP users

I upgraded, but the behavior is the same:

# swlist | grep -i ldap
J4269AA B.04.10 LDAP-UX Integration

Error is still "PAM: do_pam_account pam_acct_mgmt = 13 (No account present for user)"
Sameer_Nirmal
Honored Contributor

Re: sshd rejecting public key auth for LDAP users

There is a known problem using HP SSH with public key based authentication within an LDAP environment. You might want to verify whether this applies to your setup.

HP-UX Secure Shell user authentication through the public-key will fail in a server environment if UsePAM is set to YES and pam.conf is set to PAM_LDAP.

Workaround: HP recommends the PAM_AUTHZ mechanism for HP-UX Secure Shell environments that use public-key authentication with PAM_LDAP-based account management.

http://docs.hp.com/en/5991-7486/ch01s08.html

There is another product which is useful in an LDAP and public key based authentication setup, called HP-UX Enhanced Publickey-LDAP Software.
http://docs.hp.com/en/J4269-90067/ch02s09.html
Ermin Borovac
Honored Contributor

Re: sshd rejecting public key auth for LDAP users

It sounds like the option "rcommand" is missing from the sshd line in the "Account management" section of pam.conf.

sshd account required /usr/lib/security/libpam_authz.1
sshd account sufficient /usr/lib/security/libpam_unix.1
sshd account required /usr/lib/security/libpam_ldap.1 rcommand

The "rcommand" option is needed to support public key authentication with ssh. The downside of using this option is that the account/password policy of your directory server will be ignored (i.e. users will be able to log in to disabled accounts etc.).

That's where pam_authz comes into play. You would have to configure /etc/opt/ldapux/pam_authz.policy to enforce the account/password policy.

For full discussion see the following white paper:

Using pam_authz to support LDAP account and password policy with r-commands or ssh
http://docs.hp.com/en/6965/pam_authz_for_policy_wp_2_3.pdf

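The following is an added audit script, not code from the thread or from HP. It parses an HP-UX style pam.conf, works out which "account" stanza applies to sshd (the sshd lines if any exist, otherwise the OTHER fallback), and reports whether libpam_ldap is stacked there with the "rcommand" option and whether libpam_authz is stacked alongside it. The two sample pam.conf files it writes are constructed for the example: the "before" file reproduces the stanza shape that fails account management for public-key logins, the "after" file is the stanza posted above. Module paths and file names are assumptions.

```shell
#!/bin/sh
# Added example: audit the sshd "account" stanza of an HP-UX style pam.conf.
# Not from the thread; sample files and paths below are constructed.

# pam_ldap_rcommand_state FILE
# Prints one of:
#   missing   libpam_ldap is in the stanza that applies to sshd, without "rcommand"
#             (public-key logins fail pam_acct_mgmt, as in the debug output above)
#   rcommand  libpam_ldap carries "rcommand" (public key works, directory policy skipped)
#   noldap    no libpam_ldap in the stanza that applies to sshd
# If there is no sshd-specific account line, the OTHER stanza applies.
pam_ldap_rcommand_state() {
    awk '
        /^[ \t]*#/ || NF < 4 { next }          # skip comments and short lines
        $2 == "account" {
            n++; svc[n] = $1; mod[n] = $4; opt[n] = ""
            for (i = 5; i <= NF; i++) opt[n] = opt[n] " " $i
        }
        END {
            use = "OTHER"
            for (i = 1; i <= n; i++) if (svc[i] == "sshd") use = "sshd"
            for (i = 1; i <= n; i++) {
                if (svc[i] != use) continue
                if (mod[i] ~ /libpam_ldap/) {
                    seen = 1
                    if (opt[i] ~ /(^| )rcommand( |$)/) has = 1
                }
            }
            if (!seen) print "noldap"; else if (has) print "rcommand"; else print "missing"
        }' "$1"
}

# has_pam_authz FILE: exit 0 if libpam_authz is stacked in the sshd account stanza
has_pam_authz() {
    awk '$1 == "sshd" && $2 == "account" && $4 ~ /libpam_authz/ { f = 1 }
         END { exit f ? 0 : 1 }' "$1"
}

# Constructed sample configurations (temporary files, removed on exit).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Before: libpam_ldap without rcommand; public-key logins hit pam_acct_mgmt = 13.
cat > "$SAMPLE_DIR/pam.conf.before" <<'EOF'
# sshd account management (constructed sample)
sshd account sufficient /usr/lib/security/libpam_unix.1
sshd account required   /usr/lib/security/libpam_ldap.1
EOF

# After: rcommand added and pam_authz stacked, as recommended in the thread.
cat > "$SAMPLE_DIR/pam.conf.after" <<'EOF'
sshd account required   /usr/lib/security/libpam_authz.1
sshd account sufficient /usr/lib/security/libpam_unix.1
sshd account required   /usr/lib/security/libpam_ldap.1 rcommand
EOF

for f in before after; do
    state=$(pam_ldap_rcommand_state "$SAMPLE_DIR/pam.conf.$f")
    if has_pam_authz "$SAMPLE_DIR/pam.conf.$f"; then authz=yes; else authz=no; fi
    echo "$f: libpam_ldap=$state pam_authz=$authz"
    # rcommand alone silences the failure but drops the directory's account policy
    if [ "$state" = rcommand ] && [ "$authz" = no ]; then
        echo "  warning: rcommand without pam_authz: directory account policy not enforced"
    fi
done
```

Run it against the real file with `pam_ldap_rcommand_state /etc/pam.conf`; the "missing" result is the one that matches the debug output in the first post, and "rcommand" with no pam_authz is the state the reply above warns about (disabled directory accounts still able to log in with a key).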
Don Feliciano
New Member

Re: sshd rejecting public key auth for LDAP users

Adding rcommand to pam.conf did the trick! I understand the security implication, and that authz is the better route to take. That said, this is a dev box and all I want is to run my rsync jobs without dealing with a password prompt.

Thanks, all!
Don Feliciano
New Member

Re: sshd rejecting public key auth for LDAP users

2 possible solutions provided above.