Operating System - HP-UX
SSH + LDAP = frustrated admin!

Eric Yruegas
Frequent Advisor

I've beat myself up over this for the past several hours to no avail - I MUST be missing something obvious... hopefully someone can point me in the right direction.

Scenario:
Win2K3 AD server hosting users we wish to authenticate via LDAP to our HPUX boxen. Via telnet, works great! SSH, not so much. :-(

I've horked around in the pam.conf file and got the LDAP user to authenticate, and my local user to authenticate via public-key, but password auth fails for any local users when that's enabled. Basically I took the sample lines out of pam.ldap and integrated them into my existing pam.conf for the service OTHER in all categories.

I think what I'm missing is a 'correct' set of lines for my /etc/pam.conf - can someone using LDAP & SSH post a snippet of theirs?

SSH does have UsePAM to YES. The current pam.conf is basically the pam.krb5 example.

Thanks!
Steven E. Protter
Exalted Contributor

Re: SSH + LDAP = frustrated admin!

Shalom,

What does /etc/nsswitch.conf look like?

If you don't feel it would violate security, can you upload pam.conf ?

tail -f /var/adm/syslog/syslog.log

Try a login with ssh.

Post the output you see.

Some links that may help.
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=980901

http://docs.hp.com/hpux/onlinedocs/5990-7245/5990-7245.pdf

http://docs.hp.com/en/6965/pam_authz_for_policy_wp_2_3.pdf

The PAM Kerberos depot may not be installed. You need v5 to work with Windows, or you need to patch Windows to work with v5.

LDAP doc:
http://docs.hp.com/en/J4269-90052/J4269-90052.pdf

Until I see the diagnostics I requested, I think the scope of the problem is too broad to be more specific. Hence my shotgun approach.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Eric Yruegas
Frequent Advisor

Re: SSH + LDAP = frustrated admin!

nsswitch:
passwd: files [NOTFOUND=continue] ldap
#group: files [NOTFOUND=continue] ldap
group: files ldap
hosts: files dns ldap
networks: files ldap
protocols: files ldap
rpc: files ldap
publickey: ldap [NOTFOUND=continue] files
netgroup: files ldap
automount: files ldap
aliases: files ldap
services: files ldap

Pam.conf (top two sections):

#
# Authentication management
#
login auth sufficient /usr/lib/security/libpam_krb5.1
login auth required /usr/lib/security/libpam_unix.1 try_first_pass
su auth sufficient /usr/lib/security/libpam_krb5.1
su auth required /usr/lib/security/libpam_unix.1 try_first_pass
dtlogin auth sufficient /usr/lib/security/libpam_krb5.1
dtlogin auth required /usr/lib/security/libpam_unix.1 try_first_pass
dtaction auth sufficient /usr/lib/security/libpam_krb5.1
dtaction auth required /usr/lib/security/libpam_unix.1 try_first_pass
ftp auth sufficient /usr/lib/security/libpam_krb5.1
ftp auth required /usr/lib/security/libpam_unix.1 try_first_pass
OTHER auth required /usr/lib/security/libpam_unix.1
#OTHER auth sufficient /usr/lib/security/libpam_unix.1
#OTHER auth required /usr/lib/security/libpam_ldap.1 try_first_pass

#
# Account management
#
login account required /usr/lib/security/libpam_authz.1 debug
login account sufficient /usr/lib/security/libpam_krb5.1
login account required /usr/lib/security/libpam_unix.1
su account sufficient /usr/lib/security/libpam_krb5.1
su account required /usr/lib/security/libpam_unix.1
dtlogin account sufficient /usr/lib/security/libpam_krb5.1
dtlogin account required /usr/lib/security/libpam_unix.1
dtaction account sufficient /usr/lib/security/libpam_krb5.1
dtaction account required /usr/lib/security/libpam_unix.1
ftp account sufficient /usr/lib/security/libpam_krb5.1
ftp account required /usr/lib/security/libpam_unix.1
OTHER account required /usr/lib/security/libpam_unix.1
#OTHER account sufficient /usr/lib/security/libpam_unix.1
#OTHER account required /usr/lib/security/libpam_ldap.1


As for syslog - we get one of two things:
Mar 23 14:13:28 xxxxxxx registrar[21120]: allowed connection from xxxxxxxxxx
Mar 23 14:13:33 xxxxxxx sshd[21118]: user2netname: unknown nameservice ^I^I^I^I^Ifor publickey info 'ldap'

or

Mar 23 14:25:52 xxxxxx syslog: pid:19254.12 - pam_request.c:146:process_pam_ldap_request(): _hp_ldap_bind_ux() failed, err=-2

depending on which lines are enabled/disabled in pam.conf. The config you see above represents a starting point where SSH does not authenticate the LDAP user.


We have PAM kerberos 5 installed - it works great authenticating LDAP users via telnet and whatnot - but SSH is the problem child.

More detail: We are using HP Secure Shell 4.20.x on 11.11. Here's the package versions of kerberos and pam:
J5849AA 11.11.13 PAM-Kerberos and Kerberos Support
KRB5CLIENT C.1.3.5.03 Kerberos V5 Client Version 1.3.5.03

Thanks!
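The nsswitch.conf posted above decides which source answers each lookup, and the `[NOTFOUND=continue]` criteria change the default stop/continue behaviour. The following added example (my code, not from this thread or from HP) parses that file, simulates the source walk for a database given each source's outcome, and flags sources a host's switch does not support for a given database. The `NSSWITCH_TEXT` constant is a copy of the file as posted; the supported-source table passed to `unsupported_sources` is an assumption chosen to reproduce a warning like the "unknown nameservice for publickey info 'ldap'" line in the syslog output.

```python
"""Parse an HP-UX style /etc/nsswitch.conf and simulate lookup order.

Added example, not from the thread. NSSWITCH_TEXT is a copy of the
nsswitch.conf posted above; any supported-source table is an assumption.
"""
import re

NSSWITCH_TEXT = """\
passwd: files [NOTFOUND=continue] ldap
#group: files [NOTFOUND=continue] ldap
group: files ldap
hosts: files dns ldap
networks: files ldap
protocols: files ldap
rpc: files ldap
publickey: ldap [NOTFOUND=continue] files
netgroup: files ldap
automount: files ldap
aliases: files ldap
services: files ldap
"""

# Default action for each lookup status when no [STATUS=action] criterion
# overrides it: a hit stops the search, everything else moves on.
DEFAULT_ACTIONS = {"SUCCESS": "return", "NOTFOUND": "continue",
                   "UNAVAIL": "continue", "TRYAGAIN": "continue"}

CRITERION = re.compile(r"^\[(\w+)=(\w+)\]$")


def parse_nsswitch(text):
    """Return {database: [(source, {STATUS: action}), ...]}."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line or ":" not in line:
            continue
        db, rest = line.split(":", 1)
        entries = []
        for tok in rest.split():
            m = CRITERION.match(tok)
            if m:
                if not entries:
                    raise ValueError("criterion before any source: %r" % raw)
                # a criterion attaches to the source immediately before it
                entries[-1][1][m.group(1).upper()] = m.group(2).lower()
            else:
                entries.append((tok, {}))
        conf[db.strip()] = entries
    return conf


def resolve(conf, db, outcomes):
    """Walk the sources for `db`; `outcomes` maps source -> lookup status.
    Returns the source that answered, or None if the search ended without a hit."""
    for source, criteria in conf.get(db, []):
        status = outcomes.get(source, "UNAVAIL").upper()
        action = criteria.get(status, DEFAULT_ACTIONS[status])
        if action == "return":
            return source if status == "SUCCESS" else None
    return None


def unsupported_sources(conf, supported):
    """List (db, source) pairs whose source the host's switch does not
    know for that database; `supported` maps db -> set of valid sources."""
    bad = []
    for db, entries in conf.items():
        for source, _ in entries:
            if db in supported and source not in supported[db]:
                bad.append((db, source))
    return bad


if __name__ == "__main__":
    conf = parse_nsswitch(NSSWITCH_TEXT)
    print("local user ->", resolve(conf, "passwd", {"files": "SUCCESS"}))
    print("AD user    ->", resolve(conf, "passwd", {"files": "NOTFOUND", "ldap": "SUCCESS"}))
    print("suspect    ->", unsupported_sources(conf, {"publickey": {"files", "nis"}}))
```

Running it with the posted file shows `passwd` answering local accounts from `files` and AD accounts from `ldap`, while `publickey` consults `ldap` first; feeding a supported-source table that lacks `ldap` for `publickey` reproduces the kind of complaint seen in syslog.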
Steven E. Protter
Exalted Contributor

Re: SSH + LDAP = frustrated admin!

An excellent response.

Now I need an error code from syslog. It might help.

I'll think some more on this and wait for the error code.

SEP
Jeff Schussele
Honored Contributor
Solution

Re: SSH + LDAP = frustrated admin!

Hi Eric,

Attached is a pam.conf that works for us using SSH with LDAP.

One of the keys for proper account management when PAM, SSH & LDAP are in play is the libpam_authz PAM module.

Get on docs.hp.com for details on just what libpam_authz does & can do.

Also in your SSH sshd_config file make sure you have

UsePAM yes

HTH,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
Eric Yruegas
Frequent Advisor

Re: SSH + LDAP = frustrated admin!

Steve-

I did post the messages from syslog above - error code returned in one instance was "-2" from _hp_ldap_bind_ux()... Is there additional data you would like to see?

Steven E. Protter
Exalted Contributor

Re: SSH + LDAP = frustrated admin!

Hi,

Missed your error message. It's late here.

This thread comes up on that issue:
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=685443

At least it has the same error text. Actually, I think Jeff may have presented you with a solution; I recommend reading his post carefully and checking into his suggestions.

SEP
Eric Yruegas
Frequent Advisor

Re: SSH + LDAP = frustrated admin!

Jeff/Steve - thanks for all the input. The 'complicater' in this instance is that we use basically the pam.krb5 template. I did some fiddling in my pam.conf after looking at Jeff's sample; and lo and behold I am having 'more' success now.

Current scenario is:
LDAP users authenticate over SSH as well as local users via PublicKey. LOCAL users who try to auth with the trusted-system password fail with messages I've not seen before.

Here's a person using SSH and their local password:
Mar 24 14:13:37 xxxxx sshd[4351]: [No account present for user] Password not valid
Mar 24 14:13:37 xxxxx sshd[4351]: user2netname: unknown nameservice ^I^I^I^I^Ifor publickey info 'ldap'
Mar 24 14:13:37 xxxxx sshd[4351]: query daemon return failure status 7
Mar 24 14:13:37 xxxxx sshd[4351]: unrecognized option [rcommand]
Mar 24 14:13:37 xxxxx sshd[4351]: error: PAM: No account present for user for xxxxxx from xxxxxxxxxxx

Now just to make sure things are on the up-and-up, I jettisoned the krb5 version of pam.conf, and stuck in the vanilla pam.conf.trusted file (pretty much what Jeff is using, it appears). PRESTO. All auths work! However, I get this bizarre message in syslog when logging in via telnet as local user:

Mar 24 14:23:31 xxxxx login: user2netname: unknown nameservice ^I^I^I^I^Ifor publickey info 'ldap'

Looks like there's some control chars embedded in a config file somewhere, but I'll be darned if I can find 'em.

Now the kicker - how would you suggest I adapt this 'working' scenario to "kerberize" it? I need to get away from doing plaintext LDAP traffic on the LAN...
Eric Yruegas
Frequent Advisor

Re: SSH + LDAP = frustrated admin!



Well after a weekend of *not* thinking about my issue... I revisited it this morning.

That goofy publickey message regarding LDAP was a result of nsswitch.conf... invalid entries.

And - I just went through and changed my new 'good' pam.conf and replaced _ldap with _krb5... Presto! Traffic is now encrypted back to the Active Directory server!

Ugh - had I taken this route initially I would have avoided a lot of confusion. It appears that the only differences are in a couple of lines from what I started with when I began last week.

I appreciate the info - (good links!) and thanks!
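The outcome of this thread turns on PAM control-flag semantics: a service such as sshd with no entries of its own falls through to the `OTHER` stack, and whether an AD user, a local trusted-system user, or both can log in depends on how `sufficient` and `required` lines are ordered there. The example below (added by me, not from this thread or from HP) models that evaluation for the two `OTHER auth` shapes discussed: the `required libpam_unix.1`-only starting point from the posted pam.conf, and a constructed two-line stack reflecting Eric's final fix of taking the trusted template and swapping `_ldap` for `_krb5` (the exact file is not in the thread, so that stack is an assumption). `optional` is treated as never deciding, which ignores the corner case where it is the only module in a stack.

```python
"""Simulate HP-UX pam.conf control-flag semantics for a service's stack.

Added example, not from the thread. STARTING_PAM_CONF is the OTHER auth line
from the posted pam.conf; FIXED_PAM_CONF is constructed from Eric's description
of his final configuration and is an assumption.
"""

# Starting point: sshd has no entries, so it falls through to OTHER,
# which consults only the local (trusted-system) password database.
STARTING_PAM_CONF = """\
OTHER auth required /usr/lib/security/libpam_unix.1
"""

# Final shape (assumed): Kerberos first, local password as the fallback.
FIXED_PAM_CONF = """\
OTHER auth sufficient /usr/lib/security/libpam_krb5.1
OTHER auth required /usr/lib/security/libpam_unix.1 try_first_pass
"""

KRB5 = "/usr/lib/security/libpam_krb5.1"
UNIX = "/usr/lib/security/libpam_unix.1"


def parse_pam_conf(text):
    """Return {(service, type): [(control, module, [options]), ...]} in file order."""
    stack = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError("malformed pam.conf line: %r" % raw)
        service, mtype, control, module, *opts = fields
        stack.setdefault((service, mtype), []).append((control, module, opts))
    return stack


def stack_for(conf, service, mtype):
    """A service with no entry for a module type uses the OTHER entries."""
    return conf.get((service, mtype)) or conf.get(("OTHER", mtype), [])


def evaluate(conf, service, mtype, results):
    """Run the stack; `results` maps module path -> True (pass) / False (fail).
    Returns True if PAM would grant the request, False otherwise."""
    entries = stack_for(conf, service, mtype)
    if not entries:
        return False                      # nothing configured: deny
    required_failed = False
    for control, module, _opts in entries:
        ok = results.get(module, False)   # a missing module counts as a failure
        if control == "required":
            required_failed |= not ok     # remember the failure, keep going
        elif control == "requisite":
            if not ok:
                return False              # stop the stack immediately
        elif control == "sufficient":
            if ok and not required_failed:
                return True               # an earlier required failure still wins
        elif control == "optional":
            pass                          # simplified: never decides the result
        else:
            raise ValueError("unknown control flag %r" % control)
    return not required_failed


if __name__ == "__main__":
    start, fixed = parse_pam_conf(STARTING_PAM_CONF), parse_pam_conf(FIXED_PAM_CONF)
    ad_user, local_user = {KRB5: True, UNIX: False}, {KRB5: False, UNIX: True}
    print("starting conf, AD user over ssh   :", evaluate(start, "sshd", "auth", ad_user))
    print("fixed conf,    AD user over ssh   :", evaluate(fixed, "sshd", "auth", ad_user))
    print("fixed conf,    local user over ssh:", evaluate(fixed, "sshd", "auth", local_user))
```

With the starting stack the AD user is denied because only `libpam_unix.1` is consulted; with Kerberos marked `sufficient` ahead of a `required` local-password check, both kinds of account succeed and a user who fails both is still denied.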
Eric Yruegas
Frequent Advisor

Re: SSH + LDAP = frustrated admin!

(closing)