Re: Working /etc/pam.d/sshd file with pam_ldap 6.3 or 7.0 ?
Paul Schmehl wrote:
> Please don't top post. It disrupts the flow of the conversation. (See below for my response.)
>
> --On Wednesday, March 26, 2008 4:01 PM +0100 Frank Bonnet [EMAIL PROTECTED] wrote:
>> Hello
>>
>> After having spent several hours on it I can't get working ssh access that uses PAM_LDAP on a FreeBSD 6/7 machine! I have no problem on a Linux Debian etch box ... Where are we going if Linux works better than BSD? :-)
>
> Setting up pam ldap ssh access on a FreeBSD box takes less than five minutes *after* installing the correct ports.
>
> 1) net/openldap-client
> 2) security/pam_ldap
>
> Then configure ldap.conf (in /usr/local/etc/) which is quite simple:
>
>     host {your ldap server(s), either hostname(s) or ip(s), in a space-separated list}
>     dc (your dn)
>
> Then configure /etc/pam.d/sshd thus:
>
>     auth  sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass
>
> That's all that is needed.

That's what I did. I have been using nss_ldap and pam_ldap for a long time now on many platforms, and that is what does not work.

> If it doesn't work, fire up wireshark (port) or tcpdump (base) and see what the problem is.

At the very last extremity, why not?

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Working /etc/pam.d/sshd file with pam_ldap 6.3 or 7.0 ?
--On Thursday, March 27, 2008 11:17:26 +0100 Frank Bonnet [EMAIL PROTECTED] wrote:
>> Setting up pam ldap ssh access on a FreeBSD box takes less than five minutes *after* installing the correct ports.
>>
>> 1) net/openldap-client
>> 2) security/pam_ldap
>>
>> Then configure ldap.conf (in /usr/local/etc/) which is quite simple:
>>
>>     host {your ldap server(s), either hostname(s) or ip(s), in a space-separated list}
>>     dc (your dn)
>>
>> Then configure /etc/pam.d/sshd thus:
>>
>>     auth  sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass
>>
>> That's all that is needed.
>
> That's what I did. I have been using nss_ldap and pam_ldap for a long time now on many platforms, and that is what does not work.

Time to troubleshoot. Is the ldap server reachable? Is your search base correct? Is a firewall blocking you? Is the ldap server running on a non-standard port? Something is wrong, but if you configured it the same way as I described, then the problem lies elsewhere.

>> If it doesn't work, fire up wireshark (port) or tcpdump (base) and see what the problem is.
>
> At the very last extremity, why not?

I'm afraid I don't follow you here.

-- 
Paul Schmehl ([EMAIL PROTECTED])
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
Re: Working /etc/pam.d/sshd file with pam_ldap 6.3 or 7.0 ?
Hello

After having spent several hours on it I can't get working ssh access that uses PAM_LDAP on a FreeBSD 6/7 machine! I have no problem on a Linux Debian etch box ... Where are we going if Linux works better than BSD? :-)

Brian A. Seklecki wrote:
> On Tue, 2008-03-25 at 16:31 +0100, Frank Bonnet wrote:
>> Hello Brian
>>
>> Thanks for the quick answer but I'm still in trouble
>
> Turn on the debugging flags in the configuration file for pam_ldap in /usr/local/etc and watch the console on the system.
>
> ~BAS
>
>> When I try to ssh connect to the machine I fall in a loop like the following
>>
>>     panzer:~ ssh [EMAIL PROTECTED]
>>     Password:
>>     Old Password:
>>     Password:
>>     Old Password:
>>     Password:
>>
>> I am SURE the password I type works
>>
>> Brian A. Seklecki wrote:
>>> The problem is that the PAM libraries provide shit-fuck-ass-worthless debug mechanisms. This is only eclipsed by the terribly organized information on LDAP+NSS+PAM for FreeBSD on the web.
>>>
>>> The file is the same for pam.d/system and /usr/local/etc/pam.d/sudo. Please put this on the OpenLDAP / PADL Wiki somewhere:
>>>
>>> [EMAIL PROTECTED]:/home/seklecki$ more /etc/pam.d/sshd
>>> # $FreeBSD: src/etc/pam.d/sshd,v 1.15 2003/04/30 21:57:54 markm Exp $
>>> #
>>> # PAM configuration for the sshd service
>>> #
>>>
>>> # auth
>>> #auth      required    pam_nologin.so              no_warn
>>> #auth      sufficient  pam_opie.so                 no_warn no_fake_prompts
>>> #auth      requisite   pam_opieaccess.so           no_warn allow_local
>>> #auth      sufficient  pam_krb5.so                 no_warn try_first_pass
>>> #auth      sufficient  pam_ssh.so                  no_warn try_first_pass
>>> auth       sufficient  /usr/local/lib/pam_ldap.so
>>> auth       required    pam_unix.so                 no_warn try_first_pass
>>>
>>> # account
>>> #account   required    pam_krb5.so
>>> account    required    pam_login_access.so
>>> account    required    /usr/local/lib/pam_ldap.so  ignore_authinfo_unavail ignore_unknown_user
>>> account    required    pam_unix.so
>>>
>>> # session
>>> #session   optional    pam_ssh.so
>>> session    required    pam_permit.so
>>> session    sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass
>>>
>>> # password
>>> #password  sufficient  pam_krb5.so                 no_warn try_first_pass
>>> password   required    pam_unix.so                 no_warn try_first_pass
>>> #password  required    /usr/local/lib/pam_ldap.so  no_warn try_first_pass
>>>
>>> Also try:
>>>
>>> $ grep -i debug /usr/local/etc/ldap.conf
>>> #debug 1
>>> $ grep -i debug /usr/local/etc/nss_ldap.conf
>>> #debug 1
>>>
>>> Higher levels for fun.
>>>
>>> ~BAS
>>>
>>> On Tue, 2008-03-25 at 15:34 +0100, Frank Bonnet wrote:
>>>> Hello
>>>>
>>>> I can't get working sshd access using pam_ldap and nss_ldap. /etc/nsswitch.conf is OK, but I'm having difficulties configuring pam_ldap for ssh access on a machine (6.3 or 7.0) ...
>>>>
>>>> I have been trying a lot to configure the /etc/pam.d/sshd file but haven't had any success (sigh!)
>>>>
>>>> Could anyone help?
>>>>
>>>> Thanks a lot!
Re: Working /etc/pam.d/sshd file with pam_ldap 6.3 or 7.0 ?
Please don't top post. It disrupts the flow of the conversation. (See below for my response.)

--On Wednesday, March 26, 2008 4:01 PM +0100 Frank Bonnet [EMAIL PROTECTED] wrote:
> Hello
>
> After having spent several hours on it I can't get working ssh access that uses PAM_LDAP on a FreeBSD 6/7 machine! I have no problem on a Linux Debian etch box ... Where are we going if Linux works better than BSD? :-)

Setting up pam ldap ssh access on a FreeBSD box takes less than five minutes *after* installing the correct ports.

1) net/openldap-client
2) security/pam_ldap

Then configure ldap.conf (in /usr/local/etc/) which is quite simple:

    host {your ldap server(s), either hostname(s) or ip(s), in a space-separated list}
    dc (your dn)

Then configure /etc/pam.d/sshd thus:

    auth  sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass

That's all that is needed. If it doesn't work, fire up wireshark (port) or tcpdump (base) and see what the problem is.

You needn't even bother creating local passwords for accounts. Just create the account without one, and with pam/ssh/ldap, they can login and use their assigned shell/do whatever you've authorized them to do.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
Working /etc/pam.d/sshd file with pam_ldap 6.3 or 7.0 ?
Hello

I can't get working sshd access using pam_ldap and nss_ldap. /etc/nsswitch.conf is OK, but I'm having difficulties configuring pam_ldap for ssh access on a machine (6.3 or 7.0) ...

I have been trying a lot to configure the /etc/pam.d/sshd file but haven't had any success (sigh!)

Could anyone help?

Thanks a lot!
Re: Working /etc/pam.d/sshd file with pam_ldap 6.3 or 7.0 ?
The problem is that the PAM libraries provide shit-fuck-ass-worthless debug mechanisms. This is only eclipsed by the terribly organized information on LDAP+NSS+PAM for FreeBSD on the web.

The file is the same for pam.d/system and /usr/local/etc/pam.d/sudo. Please put this on the OpenLDAP / PADL Wiki somewhere:

[EMAIL PROTECTED]:/home/seklecki$ more /etc/pam.d/sshd
# $FreeBSD: src/etc/pam.d/sshd,v 1.15 2003/04/30 21:57:54 markm Exp $
#
# PAM configuration for the sshd service
#

# auth
#auth      required    pam_nologin.so              no_warn
#auth      sufficient  pam_opie.so                 no_warn no_fake_prompts
#auth      requisite   pam_opieaccess.so           no_warn allow_local
#auth      sufficient  pam_krb5.so                 no_warn try_first_pass
#auth      sufficient  pam_ssh.so                  no_warn try_first_pass
auth       sufficient  /usr/local/lib/pam_ldap.so
auth       required    pam_unix.so                 no_warn try_first_pass

# account
#account   required    pam_krb5.so
account    required    pam_login_access.so
account    required    /usr/local/lib/pam_ldap.so  ignore_authinfo_unavail ignore_unknown_user
account    required    pam_unix.so

# session
#session   optional    pam_ssh.so
session    required    pam_permit.so
session    sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass

# password
#password  sufficient  pam_krb5.so                 no_warn try_first_pass
password   required    pam_unix.so                 no_warn try_first_pass
#password  required    /usr/local/lib/pam_ldap.so  no_warn try_first_pass

Also try:

$ grep -i debug /usr/local/etc/ldap.conf
#debug 1
$ grep -i debug /usr/local/etc/nss_ldap.conf
#debug 1

Higher levels for fun.

~BAS

On Tue, 2008-03-25 at 15:34 +0100, Frank Bonnet wrote:
> Hello
>
> I can't get working sshd access using pam_ldap and nss_ldap. /etc/nsswitch.conf is OK, but I'm having difficulties configuring pam_ldap for ssh access on a machine (6.3 or 7.0) ...
>
> I have been trying a lot to configure the /etc/pam.d/sshd file but haven't had any success (sigh!)
>
> Could anyone help?
>
> Thanks a lot!

-- 
Brian A. Seklecki [EMAIL PROTECTED]
Collaborative Fusion, Inc.
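Both working stacks in this thread put pam_ldap as "sufficient" ahead of pam_unix as "required" in the auth facility. The script below is an added example, not code from the thread or from the pam_ldap project: it reads a pam.d file, prints one facility's active entries, and checks that ordering, using two constructed sample files rather than the reader's real /etc/pam.d/sshd.

```shell
#!/bin/sh
# Added example, not code from the thread: check that a FreeBSD-style
# /etc/pam.d/sshd lists pam_ldap "sufficient" before pam_unix "required"
# in the auth stack, the order both posted configurations use.

# Print the active (uncommented) entries of one facility: pam_stack FILE FACILITY
pam_stack() {
    awk -v fac="$2" '$1 == fac { print }' "$1"
}

# Exit 0 when a "sufficient" pam_ldap entry precedes the "required" pam_unix
# entry in the auth stack, 1 when the order is reversed, 2 when one is missing.
# With OpenPAM (and Linux-PAM) a failed "required" module makes the whole stack
# fail even if a later "sufficient" module succeeds, so pam_unix listed first
# would reject every user that exists only in LDAP.
check_ldap_auth_order() {
    pam_stack "$1" auth | awk '
        $2 == "sufficient" && $3 ~ /pam_ldap\.so$/ && !ldap { ldap = NR }
        $2 == "required"   && $3 ~ /pam_unix\.so$/  && !unix { unix = NR }
        END {
            if (!ldap || !unix) exit 2
            if (ldap < unix) exit 0
            exit 1
        }'
}

# Constructed sample files (temporary), not the reader's real /etc/pam.d/sshd.
good_sshd="$(mktemp)"; bad_sshd="$(mktemp)"
trap 'rm -f "$good_sshd" "$bad_sshd"' EXIT
cat > "$good_sshd" <<'EOF'
# auth  (mirrors the stack posted in the thread, comments trimmed)
#auth     sufficient  pam_krb5.so                 no_warn try_first_pass
auth      sufficient  /usr/local/lib/pam_ldap.so
auth      required    pam_unix.so                 no_warn try_first_pass
# account
account   required    pam_login_access.so
account   required    /usr/local/lib/pam_ldap.so  ignore_authinfo_unavail ignore_unknown_user
account   required    pam_unix.so
EOF
cat > "$bad_sshd" <<'EOF'
auth      required    pam_unix.so                 no_warn try_first_pass
auth      sufficient  /usr/local/lib/pam_ldap.so
EOF

if check_ldap_auth_order "$good_sshd"; then echo "good: pam_ldap before pam_unix"; fi
check_ldap_auth_order "$bad_sshd" || echo "bad: ordering problem (status $?)"
```

Point `check_ldap_auth_order` at a real pam.d file to run the same check against a live system.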
Re: Working /etc/pam.d/sshd file with pam_ldap 6.3 or 7.0 ?
On Tue, 2008-03-25 at 16:31 +0100, Frank Bonnet wrote:
> Hello Brian
>
> Thanks for the quick answer but I'm still in trouble

Turn on the debugging flags in the configuration file for pam_ldap in /usr/local/etc and watch the console on the system.

~BAS

> When I try to ssh connect to the machine I fall in a loop like the following
>
>     panzer:~ ssh [EMAIL PROTECTED]
>     Password:
>     Old Password:
>     Password:
>     Old Password:
>     Password:
>
> I am SURE the password I type works
>
> Brian A. Seklecki wrote:
>> The problem is that the PAM libraries provide shit-fuck-ass-worthless debug mechanisms. This is only eclipsed by the terribly organized information on LDAP+NSS+PAM for FreeBSD on the web.
>>
>> The file is the same for pam.d/system and /usr/local/etc/pam.d/sudo. Please put this on the OpenLDAP / PADL Wiki somewhere:
>>
>> [EMAIL PROTECTED]:/home/seklecki$ more /etc/pam.d/sshd
>> # $FreeBSD: src/etc/pam.d/sshd,v 1.15 2003/04/30 21:57:54 markm Exp $
>> #
>> # PAM configuration for the sshd service
>> #
>>
>> # auth
>> #auth      required    pam_nologin.so              no_warn
>> #auth      sufficient  pam_opie.so                 no_warn no_fake_prompts
>> #auth      requisite   pam_opieaccess.so           no_warn allow_local
>> #auth      sufficient  pam_krb5.so                 no_warn try_first_pass
>> #auth      sufficient  pam_ssh.so                  no_warn try_first_pass
>> auth       sufficient  /usr/local/lib/pam_ldap.so
>> auth       required    pam_unix.so                 no_warn try_first_pass
>>
>> # account
>> #account   required    pam_krb5.so
>> account    required    pam_login_access.so
>> account    required    /usr/local/lib/pam_ldap.so  ignore_authinfo_unavail ignore_unknown_user
>> account    required    pam_unix.so
>>
>> # session
>> #session   optional    pam_ssh.so
>> session    required    pam_permit.so
>> session    sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass
>>
>> # password
>> #password  sufficient  pam_krb5.so                 no_warn try_first_pass
>> password   required    pam_unix.so                 no_warn try_first_pass
>> #password  required    /usr/local/lib/pam_ldap.so  no_warn try_first_pass
>>
>> Also try:
>>
>> $ grep -i debug /usr/local/etc/ldap.conf
>> #debug 1
>> $ grep -i debug /usr/local/etc/nss_ldap.conf
>> #debug 1
>>
>> Higher levels for fun.
>>
>> ~BAS
>>
>> On Tue, 2008-03-25 at 15:34 +0100, Frank Bonnet wrote:
>>> Hello
>>>
>>> I can't get working sshd access using pam_ldap and nss_ldap. /etc/nsswitch.conf is OK, but I'm having difficulties configuring pam_ldap for ssh access on a machine (6.3 or 7.0) ...
>>>
>>> I have been trying a lot to configure the /etc/pam.d/sshd file but haven't had any success (sigh!)
>>>
>>> Could anyone help?
>>>
>>> Thanks a lot!

-- 
Brian A. Seklecki [EMAIL PROTECTED]
Collaborative Fusion, Inc.