[OCLUG-Tech] SSH2 + PAM + LDAP

On my Debian/Sarge machine I would like to authenticate users with
LDAP. There are numerous howtos written for Debian that cover
this[1]. It works except for SSH2 (from ssh.com). Local console logins
can authenticate to the LDAP server via PAM. Remote SSH users can
authenticate to local accounts (/etc/passwd accounts) through
PAM. When remote SSH users attempt to authenticate to LDAP the session
authenticates, but then hangs.

$ ssh foo@10.0.8.10
Keyboard-interactive:
PAM authentication
Password:
Authentication successful.
    <hang indefinitely>


One thing worth noting is that the 'files ldap' order in nsswitch.conf
matters. If 'ldap files' is used for passwd/group/shadow then all SSH
sessions (local and ldap users) hang after authentication.

Interesting config files are below. There are pages and pages of logs
from slapd and ssh.

Any help would be greatly appreciated.



/etc/pam.d/sshd2
----------------
account   sufficient      pam_ldap.so
account   required        pam_unix.so
auth      sufficient      pam_ldap.so
auth      required        pam_unix.so use_first_pass
password  sufficient      pam_ldap.so
password  required        pam_unix.so nullok obscure min=4 max=8 md5
session   sufficient      pam_ldap.so
session   required        pam_unix.so


/etc/pam_ldap.conf
------------------
host 127.0.0.1
base dc=example,dc=net
ldap_version 3
rootbinddn cn=admin,dc=example,dc=net
pam_password exop


/etc/nsswitch.conf
------------------
passwd:         files ldap
group:          files ldap
shadow:         files ldap
# the rest of nsswitch.conf is stock
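The post notes that the source order in nsswitch.conf decides whether SSH sessions hang at all, and that the PAM stack for sshd2 chains pam_ldap before pam_unix. The following script is an added example (not part of the original message or of any Debian or ssh.com tooling) that parses copies of the two config snippets quoted above and reports the two ordering properties a reviewer would check first: whether `files` is consulted before `ldap` for passwd/group/shadow, and whether `pam_unix.so` in the `auth` phase carries `use_first_pass`/`try_first_pass` when it follows `pam_ldap.so`. The config strings are reproduced from the post; the function names and the `ldap files` variant are constructed for the example. It checks only ordering and does not diagnose the post-authentication hang for LDAP users.

```python
"""Offline lint for the nsswitch.conf and /etc/pam.d/sshd2 ordering discussed
in the post. Added example, not the poster's or the project's own code."""
import sys

# Copy of the nsswitch.conf lines quoted in the post (the working order).
NSSWITCH_FROM_POST = """\
passwd:         files ldap
group:          files ldap
shadow:         files ldap
"""

# Constructed variant with the order the post reports as hanging every session.
NSSWITCH_HANGING = """\
passwd:         ldap files
group:          ldap files
shadow:         ldap files
"""

# Copy of the /etc/pam.d/sshd2 stack quoted in the post.
PAM_SSHD2_FROM_POST = """\
account   sufficient      pam_ldap.so
account   required        pam_unix.so
auth      sufficient      pam_ldap.so
auth      required        pam_unix.so use_first_pass
password  sufficient      pam_ldap.so
password  required        pam_unix.so nullok obscure min=4 max=8 md5
session   sufficient      pam_ldap.so
session   required        pam_unix.so
"""


def parse_nsswitch(text):
    """Map each database to its ordered source list; comments, blank lines
    and bracketed action specs such as [NOTFOUND=return] are dropped."""
    order = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        db, rest = line.split(":", 1)
        order[db.strip()] = [t for t in rest.split() if not t.startswith("[")]
    return order


def files_before_ldap(text, databases=("passwd", "group", "shadow")):
    """True if 'files' precedes 'ldap' (or ldap is absent), False if 'ldap'
    comes first, None if the database is not listed at all."""
    order = parse_nsswitch(text)
    result = {}
    for db in databases:
        sources = order.get(db)
        if sources is None:
            result[db] = None
        elif "ldap" not in sources:
            result[db] = True
        elif "files" not in sources:
            result[db] = False
        else:
            result[db] = sources.index("files") < sources.index("ldap")
    return result


def nsswitch_findings(text):
    """One message per database where ldap is consulted before files."""
    return [f"{db}: ldap is consulted before files (order reported to hang all SSH sessions)"
            for db, ok in files_before_ldap(text).items() if ok is False]


def parse_pam(text):
    """Return (type, control, module, [args]) tuples for each stack line."""
    entries = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 3:
            entries.append((parts[0], parts[1], parts[2], parts[3:]))
    return entries


def pam_stack_findings(text):
    """Ordering findings for a pam_ldap + pam_unix stack."""
    findings = []
    by_type = {}
    for typ, ctrl, mod, args in parse_pam(text):
        by_type.setdefault(typ, []).append((ctrl, mod, args))
    for typ in ("auth", "account", "password", "session"):
        mods = [m for _, m, _ in by_type.get(typ, [])]
        if "pam_ldap.so" not in mods or "pam_unix.so" not in mods:
            continue
        ldap_first = mods.index("pam_ldap.so") < mods.index("pam_unix.so")
        if not ldap_first:
            findings.append(f"{typ}: pam_unix.so runs before pam_ldap.so")
        elif typ == "auth":
            for _, mod, args in by_type["auth"]:
                if mod == "pam_unix.so" and not {"use_first_pass", "try_first_pass"} & set(args):
                    findings.append("auth: pam_unix.so after pam_ldap.so without "
                                    "use_first_pass/try_first_pass (second prompt on LDAP failure)")
    return findings


def lint(nsswitch_text, pam_text):
    """Combine both checks into one report; empty list means clean."""
    return nsswitch_findings(nsswitch_text) + pam_stack_findings(pam_text)


if __name__ == "__main__":
    # With two file paths given, lint live files; otherwise lint the quoted configs.
    if len(sys.argv) == 3:
        nss, pam = open(sys.argv[1]).read(), open(sys.argv[2]).read()
    else:
        nss, pam = NSSWITCH_FROM_POST, PAM_SSHD2_FROM_POST
    print("\n".join(lint(nss, pam)) or "no ordering findings")
```

Run it as `python3 lint_nss_pam.py /etc/nsswitch.conf /etc/pam.d/sshd2` on the machine in question; with no arguments it lints the snippets quoted in the post, which come back clean, while the constructed `ldap files` variant produces one finding per database.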

dummy ldap user
---------------
dn: cn=foo,ou=users,dc=example,dc=net
cn: foo
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
sn: User
uid: foo
uidNumber: 9001
gidNumber: 9000
homeDirectory: /tmp
userPassword:: e2NyeXB0fSQxJDFsOXdEYW1aJGZyejNjWnJGcUY5RUViUlVuU1JGTS8=
shadowLastChange: 13053


/etc/ldap/slapd.conf
--------------------
Mostly stock with write access granted to * for debugging.


distro: Debian/Sarge
ssh: ssh2 v3.2.9.1 from ssh.com
kernel: debian 2.6.8-2-686
all other tools from Debian/Sarge


[1] http://enterprise.linux.com/article.pl?sid=05/09/15/1930256
    http://usefulinc.com/edd/blog/contents/2005/09/25-ldap/read
      the latter seems to use tools from Sid.
