I use FreeBSD 7.0-BETA on several boxes with different architectures (i386/amd64). Users within our network have to authenticate against an OpenLDAP server via PAM. I have the annoying problem that every user getting authenticated needs a public key, and the passphrase set on the ssh public key is the passphrase that authenticates the user - not the passphrase/password set in the OpenLDAP DIT for that specific user! My sshd_config looks quite similar to the default sshd_config shipped with the FreeBSD sources, except for three changes:

# Change to yes to enable built-in password authentication.
PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable PAM authentication
ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes

# Set this to 'no' to disable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes


PasswordAuthentication no
ChallengeResponseAuthentication no

to force PAM to do authentication, accounting and session management via LDAP results in no user being able to log in at all (error: pubkey/password).

In /etc/pam.d/sshd and /etc/pam.d/system I have pam_sshd.so enabled in both auth and session. Without that it doesn't matter what is configured in sshd_config; users can never log in, as LDAP would never check the passphrase.

What is wrong? Why is PAM forcing ssh into doing authentication and accounting and session management by default although I configured PAM to do so?

Can anybody help?

Are you telling SSH to use pam_ldap in the /etc/pam.d/sshd file? As I understand it, you have told ssh to use PAM, which means it will honor what is in /etc/pam.d/sshd for its authentication. If you want ldap, you'll need the pam_ldap.so library installed and then reference that in the file. We use RADIUS and SAMBA so ours looks like:

auth            required        pam_nologin.so                      no_warn
auth            sufficient      pam_radius.so
auth            sufficient      /usr/local/lib/pam_winbind.so       try_first_pass
auth            sufficient      pam_opie.so                         no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so                   no_warn allow_local
auth            required        pam_unix.so                         no_warn try_first_pass
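Added example, not code from either poster: a POSIX shell check for the combination the reply describes. It reads an sshd_config and a pam.d/sshd file and reports whether a typed password can reach PAM at all (UsePAM yes plus PasswordAuthentication or ChallengeResponseAuthentication yes) and whether the PAM auth stack references pam_ldap.so. The sample files it writes are constructed; the module path /usr/local/lib/pam_ldap.so and the three-column PAM layout without bracketed control values are assumptions. One caveat it encodes from sshd_config(5): for each keyword the first value in the file wins, so a keyword that appears twice keeps its earlier setting.

```shell
#!/bin/sh
# Added example, not from the thread. sshd hands a password to PAM only when
# UsePAM is yes and at least one of PasswordAuthentication /
# ChallengeResponseAuthentication is yes; PAM in turn reaches LDAP only if the
# auth stack in pam.d/sshd lists pam_ldap.so. Paths are arguments, so the
# functions can be pointed at copies of the real files.

# Effective value of an sshd_config keyword. sshd_config(5): for each keyword
# the FIRST value obtained is used, so later repeats are ignored.
# $1 = file, $2 = keyword, $3 = value to report when the keyword is absent.
sshd_opt() {
    v=$(awk -v k="$2" '$1 !~ /^#/ && tolower($1) == tolower(k) { print $2; exit }' "$1")
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '%s\n' "$3"; fi
}

# True if the auth stack of a PAM service file references pam_ldap.so.
# Assumes the usual "type control module [args]" layout, no [bracketed] controls.
pam_has_ldap_auth() {
    awk '$1 !~ /^#/ && $1 == "auth" && $3 ~ /pam_ldap\.so$/ { found = 1 }
         END { exit !found }' "$1"
}

# Prints one verdict for a given sshd_config ($1) and pam.d/sshd ($2):
#   pam-disabled      UsePAM is no: PAM is never consulted
#   no-password-path  UsePAM yes but both password methods are no, so PAM runs
#                     account/session only and logins fall back to public keys
#   no-ldap-in-pam    the password reaches PAM, but no pam_ldap.so in auth
#   ok                password reaches PAM and the PAM auth stack consults LDAP
check_ldap_login() {
    usepam=$(sshd_opt "$1" UsePAM no)
    pw=$(sshd_opt "$1" PasswordAuthentication yes)
    cr=$(sshd_opt "$1" ChallengeResponseAuthentication yes)
    if [ "$usepam" != yes ]; then echo pam-disabled; return; fi
    if [ "$pw" != yes ] && [ "$cr" != yes ]; then echo no-password-path; return; fi
    if pam_has_ldap_auth "$2"; then echo ok; else echo no-ldap-in-pam; fi
}

# Constructed sample files (not anyone's real configuration) written to $1.
write_sample_configs() {
    d=$1
    printf 'UsePAM yes\nPasswordAuthentication no\nChallengeResponseAuthentication no\n' > "$d/sshd_config.broken"
    printf '# comment\nUsePAM yes\nPasswordAuthentication yes\nChallengeResponseAuthentication no\n' > "$d/sshd_config.good"
    printf 'UsePAM no\nPasswordAuthentication yes\n' > "$d/sshd_config.nopam"
    # keyword repeated: sshd keeps the first (yes), the later "no" is ignored
    printf 'UsePAM yes\nPasswordAuthentication yes\nPasswordAuthentication no\n' > "$d/sshd_config.dup"
    cat > "$d/pam_sshd.noldap" <<'EOF'
auth    required    pam_nologin.so    no_warn
auth    required    pam_unix.so       no_warn try_first_pass
account required    pam_unix.so
session required    pam_permit.so
EOF
    cat > "$d/pam_sshd.ldap" <<'EOF'
auth    required    pam_nologin.so    no_warn
auth    sufficient  /usr/local/lib/pam_ldap.so    no_warn try_first_pass
auth    required    pam_unix.so       no_warn try_first_pass
account required    /usr/local/lib/pam_ldap.so
session required    pam_permit.so
EOF
}

# Stand-alone run: build the samples in a temp dir and print every verdict.
demo() {
    d=$(mktemp -d)
    write_sample_configs "$d"
    for s in broken good nopam dup; do
        for p in noldap ldap; do
            printf '%-19s + %-15s -> %s\n' "sshd_config.$s" "pam_sshd.$p" \
                "$(check_ldap_login "$d/sshd_config.$s" "$d/pam_sshd.$p")"
        done
    done
    rm -rf "$d"
}
demo
```

Run it as-is to see the verdict table for the constructed samples, or call `check_ldap_login /etc/ssh/sshd_config /etc/pam.d/sshd` on a host to get a single verdict. The `no-password-path` verdict is the state the second sshd_config excerpt above would produce on its own: PAM is enabled, but sshd never offers a password or keyboard-interactive prompt for it to verify, so only public-key logins remain.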



