topic Re: SSH + LDAP = frustrated admin! in Operating System - HP-UX

SSH + LDAP = frustrated admin!

Eric Yruegas — Thu, 23 Mar 2006 14:49:42 GMT

I've beat myself up over this for the past several hours to no avail - I MUST be missing something obvious... hopefully someone can point me in the right direction.

Scenario:
Win2K3 AD server hosting users we wish to authenticate via LDAP to our HPUX boxen. Via telnet, works great! SSH, not so much. :-(

I've horked around in the pam.conf file and got the LDAP user to authenticate, and my local user to authenticate via public-key, but password auth fails for any local users when that's enabled. Basically I took the sample lines out of pam.ldap and integrated them into my existing pam.conf for the service OTHER in all categories.

I think what I'm missing is a 'correct' set of lines for my /etc/pam.conf - can someone using LDAP & SSH post a snippet of theirs?

SSH does have UsePAM to YES. The current pam.conf is basically the pam.krb5 example.

Thanks!

Re: SSH + LDAP = frustrated admin!

Steven E. Protter — Thu, 23 Mar 2006 15:01:58 GMT

Shalom,

What does /etc/nssswitch.conf look like?

If you don't feel it would violate security, can you upload pam.conf ?

tail -f /var/adm/syslog/syslog.log

Try a login with ssh.

Post the output you see.

Some links that may help.
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=980901

http://docs.hp.com/hpux/onlinedocs/5990-7245/5990-7245.pdf

http://docs.hp.com/en/6965/pam_authz_for_policy_wp_2_3.pdf

the Pam Kerebos depot may not be installed. You need v5 to work with windows or you need to patch windows to work with v5.

LDAP doc:
http://docs.hp.com/en/J4269-90052/J4269-90052.pdf

Until I see the diagnostics I requested, I think the scope of the problem is too broad to be more specific. Hence my shotgun approach.

SEP

Re: SSH + LDAP = frustrated admin!

Eric Yruegas — Thu, 23 Mar 2006 15:21:42 GMT

nsswitch:
passwd: files [NOTFOUND=continue] ldap
#group: files [NOTFOUND=continue] ldap
group: files ldap
hosts: files dns ldap
networks: files ldap
protocols: files ldap
rpc: files ldap
publickey: ldap [NOTFOUND=continue] files
netgroup: files ldap
automount: files ldap
aliases: files ldap
services: files ldap

Pam.conf (top two sections):

#
# Authentication management
#
login auth sufficient /usr/lib/security/libpam_krb5.1
login auth required /usr/lib/security/libpam_unix.1 try_first_pass
su auth sufficient /usr/lib/security/libpam_krb5.1
su auth required /usr/lib/security/libpam_unix.1 try_first_pass
dtlogin auth sufficient /usr/lib/security/libpam_krb5.1
dtlogin auth required /usr/lib/security/libpam_unix.1 try_first_pass
dtaction auth sufficient /usr/lib/security/libpam_krb5.1
dtaction auth required /usr/lib/security/libpam_unix.1 try_first_pass
ftp auth sufficient /usr/lib/security/libpam_krb5.1
ftp auth required /usr/lib/security/libpam_unix.1 try_first_pass
OTHER auth required /usr/lib/security/libpam_unix.1
#OTHER auth sufficient /usr/lib/security/libpam_unix.1
#OTHER auth required /usr/lib/security/libpam_ldap.1 try_first_pass

#
# Account management
#
login account required /usr/lib/security/libpam_authz.1 debug
login account sufficient /usr/lib/security/libpam_krb5.1
login account required /usr/lib/security/libpam_unix.1
su account sufficient /usr/lib/security/libpam_krb5.1
su account required /usr/lib/security/libpam_unix.1
dtlogin account sufficient /usr/lib/security/libpam_krb5.1
dtlogin account required /usr/lib/security/libpam_unix.1
dtaction account sufficient /usr/lib/security/libpam_krb5.1
dtaction account required /usr/lib/security/libpam_unix.1
ftp account sufficient /usr/lib/security/libpam_krb5.1
ftp account required /usr/lib/security/libpam_unix.1
OTHER account required /usr/lib/security/libpam_unix.1
#OTHER account sufficient /usr/lib/security/libpam_unix.1
#OTHER account required /usr/lib/security/libpam_ldap.1

As for syslog - we get one of two things:
Mar 23 14:13:28 xxxxxxx registrar[21120]: allowed connection from xxxxxxxxxx
Mar 23 14:13:33 xxxxxxx sshd[21118]: user2netname: unknown nameservice ^I^I^I^I^Ifor publickey info 'ldap'

or

Mar 23 14:25:52 xxxxxx syslog: pid:19254.12 - pam_request.c:146:process_pam_ldap_request(): _hp_ldap_bind_ux() failed, err=-2

depending on which lines are enabled/disabled in pam.conf. The config you see above represents a starting point where SSH does not authenticate the LDAP user.

We have PAM kerberos 5 installed - it works great authenticating LDAP users via telnet and whatnot - but SSH is the problem child.

More detail: We are using HP Secure Shell 4.20.x on 11.11. Here's the package versions of kerberos and pam:
J5849AA 11.11.13 PAM-Kerberos and Kerberos Support
KRB5CLIENT C.1.3.5.03 Kerberos V5 Client Version 1.3.5.03

Thanks!

Re: SSH + LDAP = frustrated admin!

Steven E. Protter — Thu, 23 Mar 2006 15:27:34 GMT

An excellent response.

Now I need an error code from syslog. It might help.

I'll think some more on this and wait for the error code.

SEP

Re: SSH + LDAP = frustrated admin!

Jeff Schussele — Thu, 23 Mar 2006 15:37:54 GMT

Hi Eric,

Attached is a pam.conf that works for us using SSH with LDAP.

One of the keys for proper account management when PAM, SSH & LDAP are in play is the libpam_authz PAM module.

Get on docs.hp.com for details on just what libpam_authz does & can do.

Also in your SSH sshd_config file make sure you have

UsePAM yes

HTH,
Jeff

Re: SSH + LDAP = frustrated admin!

Eric Yruegas — Thu, 23 Mar 2006 16:22:54 GMT

Steve-

I did post the messages from syslog above - error code returned in one instance was "-2" from _hp_ldap_bind_ux()... Is there additional data you would like to see?

Re: SSH + LDAP = frustrated admin!

Steven E. Protter — Thu, 23 Mar 2006 17:14:59 GMT

Hi,

Missed your error message. Its late here.

This thread comes up on that issue:
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=685443

At least it has the same error text. Actully, I think Jeff may have presented you with a solution, I recommend reading his post carefully and checking into his suggestions.

SEP

Re: SSH + LDAP = frustrated admin!

Eric Yruegas — Fri, 24 Mar 2006 14:30:10 GMT

Jeff/Steve - thanks for all the input. The 'complicater' in this instance, is that we use basically the pam.krb5 template. I did some fiddling in my pam.conf after looking at Jeff's sample; and lo and behold I am having 'more' success now.

Current scenario is:
LDAP users authenticate over SSH as well as local users via PublicKey. LOCAL users who try to auth with the trusted-system password fail with messages I've not seen before.

Here's a person using SSH and their local password:
Mar 24 14:13:37 xxxxx sshd[4351]: [No account present for user] Password not valid
Mar 24 14:13:37 xxxxx sshd[4351]: user2netname: unknown nameservice ^I^I^I^I^Ifor publickey info 'ldap'
Mar 24 14:13:37 xxxxx sshd[4351]: query daemon return failure status 7
Mar 24 14:13:37 xxxxx sshd[4351]: unrecognized option [rcommand]
Mar 24 14:13:37 xxxxx sshd[4351]: error: PAM: No account present for user for xxxxxx from xxxxxxxxxxx

Now just to make sure things are on the up-and-up, I jettisoned the krb5 version of pam.conf, and stuck in the vanilla pam.conf.trusted file (pretty much what Jeff is using, it appears). PRESTO. All auths work! However, I get this bizarre message in syslog when logging in via telnet as local user:

Mar 24 14:23:31 xxxxx login: user2netname: unknown nameservice ^I^I^I^I^Ifor publickey info 'ldap'

Looks like there's some control chars embedded in a config file somewhere, but I'll be darned if I can find 'em.

Now the kicker - how would you suggest I adapt this 'working' scenario to "kerberize" it? I need to get away from doing plaintext LDAP traffic on the LAN...

Re: SSH + LDAP = frustrated admin!

Eric Yruegas — Mon, 27 Mar 2006 11:53:41 GMT

Well after a weekend of *not* thinking about my issue... I revisited it this morning.

That goofy publickey message regarding LDAP was a result of nsswitch.conf... invalid entries.

And - I just went through and changed my new 'good' pam.conf and replaced _ldap with _krb5... Presto! Traffic is now encrypted back to the Active Directory server!

Ugh - had I taken this route initially I would have avoided a lot of confusion. It appears that the only differences are in a couple of lines from what I started with when I began last week.

I appreciate the info - (good links!) and thanks!

Re: SSH + LDAP = frustrated admin!

Eric Yruegas — Mon, 27 Mar 2006 11:55:55 GMT

(closing)