On Dec 16, 2007, at 7:06 AM, O. Hartmann wrote:
I use FreeBSD 7.0-BETA on servral boxes with different architectures
(i386/amd64). Users within our network have to autheticate against
an OpenLDAP Server via PAM. I have the annoying problem that every
user getting autenticated needs a public key and the passphrase set
in the ssh public key is the passphrase that authenticates the user
- not the passphrase/password set in the OpenLDAP DIT for that
specific user! My sshd_config looks quite common to the default
sshd_conf offered with the FreeBSD sources, exept three changes:
# Change to yes to enable built-in password authentication.
# Change to no to disable PAM authentication
# Kerberos options
# GSSAPI options
# Set this to 'no' to disable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
to force PAM doing authetication, accounting and session via LDAP
results in the incapability of logging in for any user (error:
In /etc/pam.d/sshd and system I have both in auth and session
pam_sshd.so enabled. Without that it doesn't matter what is
configured in sshd_conf, users never can login as LDAP would never
What is wrong? Why is PAM forcing ssh into doing authentication and
accounting and session management by default although I configured
PAM to do so?
Can anybody help?
Are you telling SSH to use pam_ldap in the /etc/pam.d/sshd file? As I
understand it, you have told ssh to use PAM, which means it will honor
what is in /etc/pam.d/sshd for its authentication. If you want ldap,
you'll need the pam_ldap.so library installed and then reference that
in the file. We use RADIUS and SAMBA so ours looks like:
auth required pam_nologin.so no_warn
auth sufficient pam_radius.so
auth sufficient /usr/local/lib/pam_winbind.so try_first_pass
auth sufficient pam_opie.so no_warn
auth requisite pam_opieaccess.so no_warn
auth required pam_unix.so no_warn
email@example.com mailing list
To unsubscribe, send any mail to "[EMAIL PROTECTED]"