02-23-2007 05:50 AM
sshd rejecting public key auth for LDAP users
Here's the relevant snippet from the sshd debug output:
debug3: mm_request_receive entering
debug3: mm_do_pam_account entering
debug3: mm_request_send entering: type 46
debug3: mm_request_receive_expect entering: type 47
debug1: do_pam_account: called
debug3: mm_request_receive entering
debug3: PAM: do_pam_account pam_acct_mgmt = 13 (No account present for user)
debug3: mm_request_send entering: type 47
Failed publickey for dfelicia from xxx.xxx.xxx.xxx port 5851 ssh2
debug3: mm_do_pam_account returning 0
debug1: Entering record_failed_login uid 0
Access denied for user dfelicia by PAM account configuration
debug1: do_cleanup
debug1: PAM: cleanup
debug3: PAM: sshpam_thread_cleanup entering
debug3: audit failed auth attempt, method publickey euid 0
debug1: audit event euid 0 user dfelicia event 6 (AUTH_FAIL_PUBKEY)
debug3: mm_request_receive entering
debug1: do_cleanup
debug1: PAM: cleanup
debug3: PAM: sshpam_thread_cleanup entering
debug1: audit event euid 0 user dfelicia event 12 (CONNECTION_ABANDON)
If I disable public key auth in sshd_config, I can log in (keyboard interactive).
02-24-2007 05:24 PM
Re: sshd rejecting public key auth for LDAP users
I think a similar problem has been fixed in the latest version of LDAP-UX (04.10).
http://docs.hp.com/en/J4269-90065/ch01s02.html#d0e406
#
Defect Number JAGaf59448
SSH (Secure Shell) clients fail to establish a login session with an SSH server when using shadow passwords. PAM account management performed with PAM_LDAP fails. This prevents the users from successfully logging onto the system.
#
02-24-2007 11:31 PM
Re: sshd rejecting public key auth for LDAP users
# swlist | grep -i ldap
J4269AA B.04.10 LDAP-UX Integration
Error is still "PAM: do_pam_account pam_acct_mgmt = 13 (No account present for user)"
02-25-2007 12:13 PM
Re: sshd rejecting public key auth for LDAP users
HP-UX Secure Shell user authentication through the public-key will fail in a server environment if UsePAM is set to YES and pam.conf is set to PAM_LDAP.
Workaround: HP recommends the PAM_AUTHZ mechanism for HP-UX Secure Shell environments that use public-key authentication with PAM_LDAP-based account management.
http://docs.hp.com/en/5991-7486/ch01s08.html
There is another product which is useful under an LDAP and public key based authentication setup, called HP-UX Enhanced Publickey-LDAP Software.
http://docs.hp.com/en/J4269-90067/ch02s09.html
02-25-2007 07:17 PM
Re: sshd rejecting public key auth for LDAP users
sshd account required /usr/lib/security/libpam_authz.1
sshd account sufficient /usr/lib/security/libpam_unix.1
sshd account required /usr/lib/security/libpam_ldap.1 rcommand
The "rcommand" option is needed to support public key authentication with ssh. The downside of using this option is that the account/password policy of your directory server will be ignored (i.e. users will be able to log in to disabled accounts etc.).
That's where pam_authz comes into play. You would have to configure /etc/opt/ldapux/pam_authz.policy to enforce account/password policy.
For full discussion see the following white paper:
Using pam_authz to support LDAP account and password policy with r-commands or ssh
http://docs.hp.com/en/6965/pam_authz_for_policy_wp_2_3.pdf
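Added example (not part of the original post or of HP's documentation): a POSIX shell check that flags a pam.conf account stack where libpam_ldap is given "rcommand" with no "required" libpam_authz entry ahead of it, the case in which directory account policy is skipped. The function name, the sample files, and treating only the "required" flag as enforcing are assumptions; the check covers ordering in pam.conf only, not the contents of pam_authz.policy.

```shell
#!/bin/sh
# Added example; audit_account_stack is a hypothetical helper name.
# Usage: audit_account_stack <pam.conf path> [service]  (service defaults to sshd)
# Returns 0 if the account stack is acceptable, 1 if libpam_ldap is passed
# "rcommand" with no "required" libpam_authz entry earlier in the same stack.
audit_account_stack() {
    awk -v svc="${2:-sshd}" '
        $1 ~ /^#/ || NF < 4          { next }  # comments, blank and short lines
        $1 != svc || $2 != "account" { next }  # other services or module types
        {
            n = split($4, parts, "/"); mod = parts[n]   # basename of module path
            if (mod ~ /^libpam_authz\./ && $3 == "required") authz = 1
            if (mod ~ /^libpam_ldap\./) {
                for (i = 5; i <= NF; i++) {
                    if ($i == "rcommand") { seen = 1; if (!authz) bad = NR }
                }
            }
        }
        END {
            if (bad) {
                print "FAIL line " bad ": libpam_ldap rcommand for " svc \
                      " with no required libpam_authz before it"
                exit 1
            }
            if (seen) { print "OK: libpam_authz precedes libpam_ldap rcommand"; exit 0 }
            print "OK: rcommand not used for " svc " account management"
        }
    ' "$1"
}

# Constructed sample files (assumed paths under a private temp directory).
demo_dir=${TMPDIR:-/tmp}/pam_audit_demo.$$
mkdir -m 700 "$demo_dir" || exit 1
# Sample 1: the account stack quoted in the post above.
cat > "$demo_dir/good.conf" <<'EOF'
sshd account required /usr/lib/security/libpam_authz.1
sshd account sufficient /usr/lib/security/libpam_unix.1
sshd account required /usr/lib/security/libpam_ldap.1 rcommand
EOF
# Sample 2: the same stack with the libpam_authz line commented out.
cat > "$demo_dir/bad.conf" <<'EOF'
# sshd account required /usr/lib/security/libpam_authz.1
sshd account sufficient /usr/lib/security/libpam_unix.1
sshd account required /usr/lib/security/libpam_ldap.1 rcommand
EOF
audit_account_stack "$demo_dir/good.conf"
audit_account_stack "$demo_dir/bad.conf" || echo "exit status: $?"
rm -rf "$demo_dir"
```
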
02-25-2007 10:49 PM
Re: sshd rejecting public key auth for LDAP users
Thanks, all!
02-25-2007 10:51 PM