On Mon Jan 27, 2003 at 11:02:49AM -0500, Brian Smith wrote:

> >> When you have "ssl start_tls" do the usual "getent passwd" or
> >> "getent shadow" and such work?
> >
> > getent passwd works, getent shadow does not (well, it lists the
> > users in /etc/shadow, but not the ones in ldap).
>
> Err, that's incorrect. I just got to looking... some of my users in
> ldap don't have an 'objectClass: shadowAccount' attribute. Other than
> that, getent shadow works fine with ssl start_tls; it's just ssh that
> can't deal with it. I've found that ssh is failing with 'ssl on' as
> well, seems that I have to use 'ssl off' to get it to work. Luckily
> my network is behind a firewall....
Let me do some digging... this is starting to ring some bells. I bet if
you do an strace on ssh (as a user in the LDAP database), you'll see it
accessing /etc/shadow directly, and *not* using getent to retrieve that
info. If that's the case, then there is very little we can do about it
as it would be a design "flaw" in ssh directly. It could very well be
that openssh doesn't use NSS to obtain that information, meaning it will
never call getent to do the lookup. I.e. to openssh, if the user isn't
in the physical /etc/shadow file, then the user doesn't exist to it.

I'll do a little snooping and see what I can come up with. This may be
one reason I'm not personally using LDAP for authentication... this is
sounding quite familiar.

-- 
MandrakeSoft Security; http://www.mandrakesecure.net/
"lynx -source http://linsec.ca/vdanen.asc | gpg --import"
{FE6F2AFD : 88D8 0D23 8D4B 3407 5BD7 66F9 2043 D0E5 FE6F 2AFD}
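The strace check suggested in the reply above can be made mechanical. The script below is an added example, not code from the thread or from any of the projects mentioned: it classifies an strace capture as "direct" (the traced process opened /etc/shadow itself, so LDAP-only accounts are invisible to it), "nss" (an NSS module such as libnss_ldap was loaded and /etc/shadow was never opened), or "none". The trace text embedded in it is constructed sample lines, not a real capture, and the function names are this example's own. The strace flags (-f, -e trace=, -o) and sshd -d are real; the specific paths are typical but should be adjusted to the system under test.

```shell
#!/bin/sh
# Added example: classify strace output to see whether a program reads
# /etc/shadow directly or resolves accounts through NSS. To capture a real
# trace (as root, on a test host), something like:
#   strace -f -e trace=open,openat,connect -o /tmp/sshd.trace /usr/sbin/sshd -d
# and then: classify_shadow_access_file /tmp/sshd.trace
# The three traces below are constructed samples, not real captures.

# Daemon reads the shadow file itself; NSS never consulted for shadow.
DIRECT_TRACE='open("/etc/ssh/sshd_config", O_RDONLY) = 3
open("/etc/passwd", O_RDONLY) = 4
open("/etc/shadow", O_RDONLY) = 5'

# Daemon goes through nsswitch.conf and libnss_ldap, talking to LDAP on 389.
NSS_TRACE='open("/etc/nsswitch.conf", O_RDONLY) = 3
open("/lib/libnss_ldap.so.2", O_RDONLY) = 4
connect(5, {sa_family=AF_INET, sin_port=htons(389), sin_addr=inet_addr("192.0.2.10")}, 16) = 0'

# The case the thread suspects: NSS is loaded (passwd lookups work) but the
# shadow entry is still read straight from /etc/shadow, bypassing LDAP.
MIXED_TRACE='openat(AT_FDCWD, "/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/libnss_ldap.so.2", O_RDONLY|O_CLOEXEC) = 4
openat(AT_FDCWD, "/etc/shadow", O_RDONLY|O_CLOEXEC) = 5'

# classify_shadow_access TRACE_TEXT
# Prints exactly one word:
#   direct - /etc/shadow was opened by the traced process (with -f, lines
#            may carry a "[pid NNN] " prefix, which is tolerated)
#   nss    - an NSS module was loaded and /etc/shadow was never opened
#   none   - neither seen; lookups may have gone via nscd, PAM, or no
#            shadow lookup happened at all
classify_shadow_access() {
    trace=$1
    if printf '%s\n' "$trace" | grep -Eq '^(\[pid +[0-9]+\] )?open(at)?\(.*"/etc/shadow"'; then
        echo direct
    elif printf '%s\n' "$trace" | grep -Eq 'libnss_[a-z0-9]+\.so'; then
        echo nss
    else
        echo none
    fi
}

# classify_shadow_access_file PATH: same check over a saved strace file.
classify_shadow_access_file() {
    classify_shadow_access "$(cat < "$1")"
}
```

The "direct" test is evaluated first on purpose: a process can load libnss_ldap for passwd lookups and still open /etc/shadow itself, and that mixed case is exactly the one where getent shadow works while the daemon does not, so it must be reported as direct rather than as nss.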
