topic Re: ssh needs to be restarted to enable the pam stack changes in Operating System - Linux

ssh needs to be restarted to enable the pam stack changes

monu_1 — Wed, 01 Jul 2009 10:22:52 GMT

The pam stack is (a)pam_radius.so(b)pam_unix.so

2. ssh to admin (user at radius server)
Result: Successful as expected.

3. The pam stack is (a) pam_ldap.so (b)pam_radius.so(c)pam_unix.so

4. Restart ssh

5. ssh to admin
Result: Successful as expected. Ldap server contacted

6.The pam stack is (a)pam_radius.so(b)pam_unix.so

7. ssh to admin
Result: Successful as expected. LDAP server contacted

8. Restart ssh( This is unexpected)

9. ssh admin LDAp server not contacted
Result: Successful as expected.
-----
Removing ladp module from pam stack at step # 6 traffic is at LDAP server on ssh to admin (user at radius server) at step # 7. And after restart ssh at #8 it is not the case as expected. My concern is unnecessary server traffic at LDAP server at step # 7.

Can anyone comment on this? Do we need to restart ssh on every step of removing and adding ldap module in pam stack?

Thanks,
MKS

Re: ssh needs to be restarted to enable the pam stack changes

Steven E. Protter — Wed, 01 Jul 2009 10:54:53 GMT

Shalom,

No you do not need to restart ssh at every step.

I think you can safely do all the work on the pam stack and then restart ssh

SEP

Re: ssh needs to be restarted to enable the pam stack changes

monu_1 — Wed, 01 Jul 2009 11:54:44 GMT

Thanks SEP!

For <>

I have concern why traffic is going on LDAP server even after removing ladp madoule from pam stack

Can you please let me know issue is at pam configuration side or ssh side? It does make sense to look from ssh perspective in this case?

Thanks ,
MKS

Re: ssh needs to be restarted to enable the pam stack changes

Steven E. Protter — Wed, 01 Jul 2009 13:38:40 GMT

Shalom again,

For <>

Valid concern. If you start getting user login problems during the change steps, restart sshd daemon.

I have concern why traffic is going on LDAP server even after removing ladp madoule from pam stack

Issue as I see it:

As you make changes to the pam stack, your new user login process will be changing. Existing sessions should not be impacted unless you leave sshd down for a period of time.

So if you make a change to the pam stack that somehow disables new logins, users will suddenly not be able to log in.

pam stands for plugable authentication module, once you are authenticated it should not effect open sessions, changes here effect new authentications or logins.

Hope this helps.

SEP