Operating System - HP-UX

sshd+pam kerberos+winbind

 
evkogan
Occasional Advisor

sshd+pam kerberos+winbind

Hello.

I have 2 servers.
1. HPUX 11.31
2. HPUX 11.23
On 1. everything is working perfectly.
On 2. kinit, wbinfo, id work correctly,
and I CAN log in with an AD user through login, but CAN NOT log in through ssh.

In the log:
"May 17 19:42:57 dbbzks1 sshd[5579]: Invalid user evkogan from 10.24.1.37
May 17 19:42:57 dbbzks1 sshd[5579]: Failed none for invalid user evkogan from 10.24.1.37 port 3608 ssh2
May 17 19:43:01 dbbzks1 sshd[5579]: [Authentication failed] Password not valid
"

In pam.conf:
"# Authentication management
#
login auth required libpam_hpsec.so.1
login auth sufficient libpam_krb5.so.1
login auth required libpam_unix.so.1 try_first_pass
sshd auth required libpam_hpsec.so.1
sshd auth sufficient libpam_krb5.so.1
sshd auth required libpam_unix.so.1 try_first_pass
# Account management
#
login account required libpam_hpsec.so.1
login account required libpam_authz.so.1
login account sufficient libpam_krb5.so.1
login account required libpam_unix.so.1
sshd account required libpam_hpsec.so.1
sshd account required libpam_authz.so.1
sshd account sufficient libpam_krb5.so.1
sshd account required libpam_unix.so.1
# Session management
#
login session required libpam_hpsec.so.1
login session sufficient libpam_krb5.so.1
login session required libpam_unix.so.1
sshd session required libpam_hpsec.so.1
sshd session required libpam_mkdir.1 skel=/etc/skel/ umask=0077
sshd session sufficient libpam_krb5.so.1
sshd session required libpam_unix.so.1
# Password management
#
login password required libpam_hpsec.so.1
login password sufficient libpam_krb5.so.1
login password required libpam_unix.so.1
sshd password required libpam_hpsec.so.1
sshd password sufficient libpam_krb5.so.1
sshd password required libpam_unix.so.1
"

I do not have user evkogan in passwd.

Any ideas?
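The "Invalid user" line in the log above is what sshd reports when the account lookup through nsswitch.conf fails; that happens before any module in the sshd PAM stack runs, so the pam.conf stack is never given a chance for such a user. The following shell helper is an added example, not code from this thread or from HP: it separates the two questions (does the account resolve through NSS at all, and what does the sshd PAM stack actually contain). It assumes pam.conf in HP-UX's four-column format (service type control module [options]), uses id(1) as a stand-in for getpwnam() because getent(1) does not exist on HP-UX, and works on a constructed sample pam.conf built from the sshd lines in the post.

```shell
#!/bin/sh
# Added triage helper (not from the thread): when sshd logs "Invalid user", the
# account lookup through nsswitch.conf failed before PAM ran. These functions
# answer separately:
#   1. does the system resolve the account (getpwnam via NSS)?
#   2. what does the sshd PAM stack contain, and do the module names look sane?

# Constructed sample pam.conf in HP-UX format: service type control module [options].
# It copies the sshd lines from the original post, including the unusual
# "libpam_mkdir.1" entry, so the module-name check below has something to report.
SAMPLE_PAM_CONF="${TMPDIR:-/tmp}/pam.conf.sample.$$"
trap 'rm -f "$SAMPLE_PAM_CONF"' EXIT
cat > "$SAMPLE_PAM_CONF" <<'EOF'
# Authentication management
sshd auth required libpam_hpsec.so.1
sshd auth sufficient libpam_krb5.so.1
sshd auth required libpam_unix.so.1 try_first_pass
# Session management
sshd session required libpam_hpsec.so.1
sshd session required libpam_mkdir.1 skel=/etc/skel/ umask=0077
sshd session sufficient libpam_krb5.so.1
sshd session required libpam_unix.so.1
EOF

# pam_stack FILE SERVICE TYPE
# Print "control module" for every non-comment line of SERVICE/TYPE, in file order.
pam_stack() {
    awk -v svc="$2" -v typ="$3" '
        substr($1, 1, 1) == "#" || NF < 4 { next }
        $1 == svc && $2 == typ { print $3, $4 }
    ' "$1"
}

# stack_depth FILE SERVICE TYPE: number of modules in that stack (0 if none).
stack_depth() {
    pam_stack "$@" | awk 'END { print NR }'
}

# odd_module_names FILE
# Print "service type module" for module fields that do not match the
# libpam_<name>.so[.N] pattern used by every other HP-UX module in the file.
odd_module_names() {
    awk '
        substr($1, 1, 1) == "#" || NF < 4 { next }
        $4 !~ /^libpam_[A-Za-z0-9_]+\.so(\.[0-9]+)?$/ { print $1, $2, $4 }
    ' "$1"
}

# user_resolves NAME: succeed only if getpwnam() finds the account through the
# sources listed in nsswitch.conf (files, winbind, ...). id(1) is used because
# it exists on both HP-UX and Linux.
user_resolves() {
    id "$1" >/dev/null 2>&1
}

# Demo when run directly: sh check_sshd_pam.sh [user] [pam.conf]
demo_user="${1:-evkogan}"
demo_conf="${2:-$SAMPLE_PAM_CONF}"
echo "sshd auth stack in $demo_conf ($(stack_depth "$demo_conf" sshd auth) modules):"
pam_stack "$demo_conf" sshd auth
echo "module names that do not look like libpam_*.so.N:"
odd_module_names "$demo_conf"
if user_resolves "$demo_user"; then
    echo "$demo_user resolves through NSS; the sshd PAM stack will be consulted"
else
    echo "$demo_user does NOT resolve through NSS; sshd logs 'Invalid user' before PAM runs"
fi
```

Run it on the real system as `sh check_sshd_pam.sh evkogan /etc/pam.conf`: if the user does not resolve there, the fix belongs in nsswitch.conf or winbind, not in the PAM stack; if it does resolve and sshd still refuses, the PAM stack printed by the script is the next thing to compare against the working 11.31 host.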
Steven E. Protter
Exalted Contributor

Re: sshd+pam kerberos+winbind

Shalom,

SSH/Secure Shell as compiled by HP cannot log in without a password integrated as part of an ADS domain.

A special compile of openssh would be required to do that job. I got that information a year ago from an expert on sign on integration we asked to consult on this issue.

So no amount of pam configuration is going to create ssh authentication via the ADS domain controller.

So for ssh to work, you need the user evkogan in a passwd file somewhere in the domain.

You can put it into the ADS server with the Windows Unix tool kit and then be prompted for a password at login. There are special integration steps that need to be done on the Windows ADS server for this to work, and it's unclear if this has been done.

It should also be noted that the Windows ADS controller must be Windows Server 2003 Release 2, not the initial release of Windows Server 2003. Windows Server 2000 will probably work but is pretty much out of date.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
eric roseme
Respected Contributor

Re: sshd+pam kerberos+winbind

I have a whitepaper about Unified Logins on HP-UX with CIFS/Samba and AD.

http://www.docs.hp.com/en/15650/CIFSUnifiedLogin.pdf

On Page 45 I show an SSH config for HP-UX that uses AD as the user store. My config works fine, but UL specifically does not run winbind and I do not config authz in pam.conf.

You can check it out and see if it is applicable to your config.

Eric
evkogan
Occasional Advisor

Re: sshd+pam kerberos+winbind

Steven E. Protter
I tried the new version A.05.10.047 and now can't start sshd, with the error described here:
http://forums11.itrc.hp.com/service/forums/questionanswer.do?threadId=1331600

Where can I download the previous working version?

Is this bug only on 11.31?
Can I install A.05.10.046 on 11.23?
evkogan
Occasional Advisor

Re: sshd+pam kerberos+winbind

eric roseme
I used your whitepaper in my work.
Thanks, it really helped me.
But I used winbind in nsswitch.conf,
and there is no need to create a user in AD for ldapux.
It worked correctly on 11.31.
On 11.23, for SSH, as Steven E. Protter wrote, it is necessary to create an equivalent local account (maybe with another password).

SSH version
11.23 A.04.50.010
11.31 A.04.50.011

I hoped that a new version would solve the problem, but ran into a new problem with A.05.10.047 on my test HPUX 11.31.

What SSH version did you use?
eric roseme
Respected Contributor

Re: sshd+pam kerberos+winbind

# what /usr/sbin/sshd
/usr/sbin/sshd:
$HP-UX Secure Shell: sshd.c,vA.05.10.007 ,TCP Wrappers: v7.6-ipv6.4, Zlib: v1.2.3 2008/08/21 $
$HP-UX Secure Shell: sftp-server.c,vA.05.10.007 ,TCP Wrappers: v7.6-ipv6.4, Zlib: v1.2.3 2008/08/21 $
$OpenSSL A.00.09.07m.003 $

On page 45 I show the version as A.05.10.007. All of my examples in the paper are on 11.23. My config does not require duplicate users in /etc/passwd, but I am not using winbind.

Are you using your own Samba compiled with pam_winbind? CIFS Server is not compiled with pam_winbind, so if you are trying to use it for HP-UX logins it will not work.

Eric
evkogan
Occasional Advisor

Re: sshd+pam kerberos+winbind

I tried to compile Samba with pam_winbind, but ran into many problems and abandoned this idea.
I use winbind in nsswitch.conf and libpam_krb5 in pam.conf.

Now I have installed openssh 5.2p1 from http://hpux.connect.org.uk/hppd/hpux/Networking/Admin/openssh-5.2p1/

It works, but doesn't support Kerberos in sshd.
It isn't critical; PAM through Kerberos works.

Can you publish depot A.05.10.007 for 11.23 and 11.31 and give me a link?
The last version supported by HP has a bug: http://forums13.itrc.hp.com/service/forums/questionanswer.do?admit=109447627+1242803512372+28353475&threadId=1331600
eric roseme
Respected Contributor

Re: sshd+pam kerberos+winbind

https://h20392.www2.hp.com/portal/swdepot/try.do?productNumber=T1471AA

These versions are newer than the one that I used.

Eric
evkogan
Occasional Advisor

Re: sshd+pam kerberos+winbind

This version has a bug and doesn't start on HPUX 11.31.
On HPUX 11.23 I can't test.
evkogan
Occasional Advisor

Re: sshd+pam kerberos+winbind

A local user is necessary only on the PA architecture.
HPUX 11.23 IA works correctly with the old sshd version.
HPUX 11.23 PA needs a local account with sshd 11.23 A.04.50.010.
I installed openssh to resolve this problem.