Re: Working /etc/pam.d/sshd file with pam_ldap 6.3 or 7.0 ?

2008-03-27 Thread Frank Bonnet

Paul Schmehl wrote:
Please don't top post.  It disrupts the flow of the conversation.  (See 
below for my response.)


--On Wednesday, March 26, 2008 4:01 PM +0100 Frank Bonnet 
[EMAIL PROTECTED] wrote:



Hello

After having spent several hours on it I can't get working
ssh access that uses PAM_LDAP on a FreeBSD 6/7 machine!

I have no problem on a Linux Debian etch box ...

Where are we going if Linux works better than BSD? :-)



Setting up pam ldap ssh access on a FreeBSD box takes less than five 
minutes *after* installing the correct ports.


1) net/openldap-client
2) security/pam_ldap

Then configure ldap.conf (in /usr/local/etc/) which is quite simple:
host {your ldap server(s), either hostname(s) or ip(s), in a
space-separated list}

dc (your dn)

Then configure /etc/pam.d/sshd thus:
auth    sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass


That's all that is needed.



That's what I did; I have been using nss_ldap and pam_ldap for a long time now
on many platforms, and that is what does not work.



If it doesn't work, fire up wireshark (port) or tcpdump (base) and see 
what the problem is.


At the very last extremity, why not?

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: Working /etc/pam.d/sshd file with pam_ldap 6.3 or 7.0 ?

2008-03-27 Thread Paul Schmehl
--On Thursday, March 27, 2008 11:17:26 +0100 Frank Bonnet [EMAIL PROTECTED] 
wrote:


Setting up pam ldap ssh access on a FreeBSD box takes less than five
minutes *after* installing the correct ports.

1) net/openldap-client
2) security/pam_ldap

Then configure ldap.conf (in /usr/local/etc/) which is quite simple:
host {your ldap server(s), either hostname(s) or ip(s), in a
space-separated list}
dc (your dn)

Then configure /etc/pam.d/sshd thus:
auth    sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass

That's all that is needed.



That's what I did; I have been using nss_ldap and pam_ldap for a long time now
on many platforms, and that is what does not work.



Time to troubleshoot.  Is the ldap server reachable?  Is your search base 
correct?  Is a firewall blocking you?  Is the ldap server running on a 
non-standard port?


Something is wrong, but if you configured it the same way as I described, then 
the problem lies elsewhere.






If it doesn't work, fire up wireshark (port) or tcpdump (base) and see
what the problem is.


At the very last extremity, why not?



I'm afraid I don't follow you here.

--
Paul Schmehl ([EMAIL PROTECTED])
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/

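Paul's checklist above (is the server reachable, is the search base right, is a firewall or a non-standard port in the way) can be worked through from the client's own ldap.conf before reaching for tcpdump. The script below is an added example, not code from this thread or from the pam_ldap project. It assumes the PADL-style ldap.conf keys host, port, uri, ssl, base, binddn and bindpw, the file path the thread names (/usr/local/etc/ldap.conf, overridable through an LDAP_CONF variable of my own choosing), and nc(1) and ldapsearch(1) being available on the host. It lists the servers and ports the client will contact, warns when a bindpw sits in a file other users can read or alter, and in probe mode tests TCP reachability and prints the ldapsearch call that confirms the base DN. The two sample configs are constructed.

```shell
#!/bin/sh
# ldap_preflight: client-side checks for a pam_ldap/nss_ldap host before
# reaching for tcpdump. Added example, not from the thread or the pam_ldap
# project. Assumes the PADL ldap.conf keys host, port, uri, ssl, base, binddn
# and bindpw; the default path is the one the thread names.

CONF=${LDAP_CONF:-/usr/local/etc/ldap.conf}

# Value of a key (last occurrence wins); comment lines are skipped, so a
# commented-out "#debug 1" does not count as setting debug.
ldap_conf_value() {
    awk -v k="$1" '
        /^[ \t]*#/ { next }
        tolower($1) == k { v = $2; for (i = 3; i <= NF; i++) v = v " " $i }
        END { print v }' "$2"
}

# Print "host port", one server per line. A uri list takes precedence over
# host/port; the port defaults to 636 for ldaps:// or "ssl on", else 389.
ldap_conf_endpoints() {
    f="$1"
    uri=$(ldap_conf_value uri "$f")
    if [ -n "$uri" ]; then
        printf '%s\n' "$uri" | awk '{
            for (i = 1; i <= NF; i++) {
                u = $i
                if (u ~ /^ldaps:\/\//)     { port = 636; rest = substr(u, 9) }
                else if (u ~ /^ldap:\/\//) { port = 389; rest = substr(u, 8) }
                else continue                # ldapi:// sockets need no TCP probe
                sub(/\/.*/, "", rest)        # drop any trailing "/" and path
                n = split(rest, hp, ":")
                if (n == 2) port = hp[2]
                print hp[1], port
            }
        }'
        return 0
    fi
    port=$(ldap_conf_value port "$f")
    if [ -z "$port" ]; then
        if [ "$(ldap_conf_value ssl "$f")" = "on" ]; then port=636; else port=389; fi
    fi
    for h in $(ldap_conf_value host "$f"); do
        printf '%s %s\n' "$h" "$port"
    done
}

# Warn when a bindpw sits in a file other users can read, or when group/other
# can write the file (and so point the client at a server of their choosing).
# ls(1) is used because stat(1) takes different flags on FreeBSD and Linux.
ldap_conf_perm_warnings() {
    f="$1"
    bits=$(ls -l "$f" | cut -c5-10)      # group+other permission characters
    if [ -n "$(ldap_conf_value bindpw "$f")" ]; then
        case "$bits" in *r*) echo "warning: $f holds bindpw but is readable by group/other; chmod 600 it" ;; esac
    fi
    case "$bits" in *w*) echo "warning: $f is writable by group/other" ;; esac
}

# Live checks (need the network): TCP reachability per endpoint via nc(1), then
# the ldapsearch(1) call that proves the base DN exists and can be read.
ldap_probe() {
    f="$1"
    base=$(ldap_conf_value base "$f")
    ldap_conf_endpoints "$f" | while read -r host port; do
        if command -v nc >/dev/null 2>&1 && nc -z -w 3 "$host" "$port" >/dev/null 2>&1; then
            echo "ok:   $host:$port accepts TCP connections"
        else
            echo "FAIL: $host:$port unreachable (firewall, wrong port, or server down?)"
        fi
        if [ "$port" = 636 ]; then scheme=ldaps; else scheme=ldap; fi
        echo "      check the base with: ldapsearch -x -H $scheme://$host:$port -b '$base' -s base dn"
    done
}

# Constructed sample configs (not real hosts). The first is the host/port style
# the thread uses; the second is uri style with a bind password and is
# deliberately left world-readable so the permission warning fires.
CONF_A=$(mktemp)
cat >"$CONF_A" <<'EOF'
host ldap1.example.internal ldap2.example.internal
base dc=example,dc=internal
#debug 1
EOF
CONF_B=$(mktemp)
cat >"$CONF_B" <<'EOF'
uri ldaps://ldap.example.internal/ ldap://backup.example.internal:3389/
base dc=example,dc=internal
binddn cn=proxy,dc=example,dc=internal
bindpw not-a-real-secret
EOF
chmod 644 "$CONF_B"

# Usage: sh ldap_preflight.sh probe   (reads $CONF, needs the network)
if [ "${1:-}" = "probe" ]; then
    ldap_conf_perm_warnings "$CONF"
    ldap_probe "$CONF"
fi
```

Run it as "sh ldap_preflight.sh probe" on the affected host. The parsing and permission functions work offline, which is what the embedded samples exercise; only ldap_probe touches the network, and a FAIL there answers Paul's reachability, firewall and port questions before any packet capture is needed.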


Re: Working /etc/pam.d/sshd file with pam_ldap 6.3 or 7.0 ?

2008-03-26 Thread Frank Bonnet

Hello

After having spent several hours on it I can't get working
ssh access that uses PAM_LDAP on a FreeBSD 6/7 machine!

I have no problem on a Linux Debian etch box ...

Where are we going if Linux works better than BSD? :-)


Brian A. Seklecki wrote:

On Tue, 2008-03-25 at 16:31 +0100, Frank Bonnet wrote:

Hello Brian

Thanks for the quick answer but I'm still in trouble


Turn on the debugging flags in the configuration file for pam_ldap
in /usr/local/etc and watch the console on the system.

~BAS



when I try to ssh connect to the machine I fall into a loop
like the following

panzer:~ ssh  [EMAIL PROTECTED]
Password:
Old Password:
Password:
Old Password:
Password:

I am SURE the password I type works




Brian A. Seklecki wrote:

The problem is that the PAM libraries provide shit-fuck-ass-worthless
debug mechanisms.  This is only eclipsed by the terribly organized
information on LDAP+NSS+PAM for FreeBSD on the web.

The file is the same for pam.d/system and /usr/local/etc/pam.d/sudo.
Please put this on the OpenLDAP / PADL Wiki somewhere:

[EMAIL PROTECTED]:/home/seklecki$ more /etc/pam.d/sshd 



# $FreeBSD: src/etc/pam.d/sshd,v 1.15 2003/04/30 21:57:54 markm Exp $
#
# PAM configuration for the sshd service
#

# auth
#auth       required    pam_nologin.so      no_warn
#auth       sufficient  pam_opie.so         no_warn no_fake_prompts
#auth       requisite   pam_opieaccess.so   no_warn allow_local
#auth       sufficient  pam_krb5.so         no_warn try_first_pass
#auth       sufficient  pam_ssh.so          no_warn try_first_pass
auth        sufficient  /usr/local/lib/pam_ldap.so
auth        required    pam_unix.so         no_warn try_first_pass

# account
#account    required    pam_krb5.so
account     required    pam_login_access.so
account     required    /usr/local/lib/pam_ldap.so  ignore_authinfo_unavail ignore_unknown_user
account     required    pam_unix.so

# session
#session    optional    pam_ssh.so
session     required    pam_permit.so
session     sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass

# password
#password   sufficient  pam_krb5.so         no_warn try_first_pass
password    required    pam_unix.so         no_warn try_first_pass
#password   required    /usr/local/lib/pam_ldap.so  no_warn try_first_pass


Also try:

$ grep -i debug /usr/local/etc/ldap.conf
#debug 1
$ grep -i debug /usr/local/etc/nss_ldap.conf
#debug 1


Higher levels for fun.

~BAS


On Tue, 2008-03-25 at 15:34 +0100, Frank Bonnet wrote:

Hello

I can't get a working sshd access using pam_ldap and nss_ldap

/etc/nsswitch.conf is OK

but I'm having difficulties configuring pam_ldap for ssh access
on a machine ( 6.3 or 7.0 ) ... I have been trying a lot to configure
the /etc/pam.d/sshd file but haven't had any success (sigh!)

Could anyone help?

Thanks a lot !




Re: Working /etc/pam.d/sshd file with pam_ldap 6.3 or 7.0 ?

2008-03-26 Thread Paul Schmehl
Please don't top post.  It disrupts the flow of the conversation.  (See 
below for my response.)


--On Wednesday, March 26, 2008 4:01 PM +0100 Frank Bonnet 
[EMAIL PROTECTED] wrote:



Hello

After having spent several hours on it I can't get working
ssh access that uses PAM_LDAP on a FreeBSD 6/7 machine!

I have no problem on a Linux Debian etch box ...

Where are we going if Linux works better than BSD? :-)



Setting up pam ldap ssh access on a FreeBSD box takes less than five 
minutes *after* installing the correct ports.


1) net/openldap-client
2) security/pam_ldap

Then configure ldap.conf (in /usr/local/etc/) which is quite simple:
host {your ldap server(s), either hostname(s) or ip(s), in a space-separated
list}

dc (your dn)

Then configure /etc/pam.d/sshd thus:
auth    sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass


That's all that is needed.

If it doesn't work, fire up wireshark (port) or tcpdump (base) and see what 
the problem is.


You needn't even bother creating local passwords for accounts.  Just create 
the account without one, and with pam/ssh/ldap, they can login and use 
their assigned shell/do whatever you've authorized them to do.


Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/



Working /etc/pam.d/sshd file with pam_ldap 6.3 or 7.0 ?

2008-03-25 Thread Frank Bonnet

Hello

I can't get a working sshd access using pam_ldap and nss_ldap

/etc/nsswitch.conf is OK

but I'm having difficulties configuring pam_ldap for ssh access
on a machine ( 6.3 or 7.0 ) ... I have been trying a lot to configure
the /etc/pam.d/sshd file but haven't had any success (sigh!)

Could anyone help?

Thanks a lot !




Re: Working /etc/pam.d/sshd file with pam_ldap 6.3 or 7.0 ?

2008-03-25 Thread Brian A. Seklecki
The problem is that the PAM libraries provide shit-fuck-ass-worthless
debug mechanisms.  This is only eclipsed by the terribly organized
information on LDAP+NSS+PAM for FreeBSD on the web.

The file is the same for pam.d/system and /usr/local/etc/pam.d/sudo.
Please put this on the OpenLDAP / PADL Wiki somewhere:

[EMAIL PROTECTED]:/home/seklecki$ more /etc/pam.d/sshd 


# $FreeBSD: src/etc/pam.d/sshd,v 1.15 2003/04/30 21:57:54 markm Exp $
#
# PAM configuration for the sshd service
#

# auth
#auth       required    pam_nologin.so      no_warn
#auth       sufficient  pam_opie.so         no_warn no_fake_prompts
#auth       requisite   pam_opieaccess.so   no_warn allow_local
#auth       sufficient  pam_krb5.so         no_warn try_first_pass
#auth       sufficient  pam_ssh.so          no_warn try_first_pass
auth        sufficient  /usr/local/lib/pam_ldap.so
auth        required    pam_unix.so         no_warn try_first_pass

# account
#account    required    pam_krb5.so
account     required    pam_login_access.so
account     required    /usr/local/lib/pam_ldap.so  ignore_authinfo_unavail ignore_unknown_user
account     required    pam_unix.so

# session
#session    optional    pam_ssh.so
session     required    pam_permit.so
session     sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass

# password
#password   sufficient  pam_krb5.so         no_warn try_first_pass
password    required    pam_unix.so         no_warn try_first_pass
#password   required    /usr/local/lib/pam_ldap.so  no_warn try_first_pass


Also try:

$ grep -i debug /usr/local/etc/ldap.conf
#debug 1
$ grep -i debug /usr/local/etc/nss_ldap.conf
#debug 1


Higher levels for fun.

~BAS


On Tue, 2008-03-25 at 15:34 +0100, Frank Bonnet wrote:
 Hello
 
 I can't get a working sshd access using pam_ldap and nss_ldap
 
 /etc/nsswitch.conf is OK
 
 but I'm having difficulties configuring pam_ldap for ssh access
 on a machine ( 6.3 or 7.0 ) ... I have been trying a lot to configure
 the /etc/pam.d/sshd file but haven't had any success (sigh!)
 
 Could anyone help?
 
 Thanks a lot !
 
 
-- 
Brian A. Seklecki [EMAIL PROTECTED]
Collaborative Fusion, Inc.

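Both pam.d listings in this thread (Brian's full /etc/pam.d/sshd above and Paul's single auth entry) reach the reader through a mail archive that wraps option words onto their own lines and runs fields together, and neither form is valid pam.conf(5) syntax. The script below is an added example, not code from the thread, from FreeBSD or from pam_ldap. It statically checks a pam.d file for exactly those mangling patterns and for two stack-layout points an LDAP-backed host should get right: a sufficient pam_ldap.so in the auth stack with no required pam_unix.so behind it (no local password fallback), and a required pam_ldap.so in the account stack without ignore_authinfo_unavail and ignore_unknown_user (with the server unreachable, or for a user not in LDAP, every login is refused). The control and option words it recognises are those of pam.conf(5) and of the modules in Brian's file; the function names and the two sample pam.d files are my own construction.

```shell
#!/bin/sh
# pam_lint: static sanity check for a FreeBSD /etc/pam.d/<service> file that
# stacks pam_ldap with pam_unix. Added example, not from the thread or FreeBSD.
# It flags (1) option words wrapped onto a line of their own and fields run
# together, which is how the thread's listings arrive from the archive, and
# (2) two layout problems: a sufficient pam_ldap.so in "auth" with no required
# pam_unix.so after it, and a required pam_ldap.so in "account" without
# ignore_authinfo_unavail / ignore_unknown_user.

# Print one diagnostic per problem; exit 0 when the file is clean, 1 otherwise.
pam_lint() {
    awk '
    function is_type(w)    { return w ~ /^(auth|account|session|password)$/ }
    function is_control(w) { return w ~ /^(required|requisite|sufficient|optional|binding)$/ }
    function is_option(w)  { return w ~ /^(no_warn|try_first_pass|use_first_pass|no_fake_prompts|allow_local|ignore_authinfo_unavail|ignore_unknown_user|debug)$/ }
    function has_option(o,   i) { for (i = 4; i <= NF; i++) if ($i == o) return 1; return 0 }
    {
        sub(/#.*/, "")                       # drop comments, then blank lines
        if ($0 ~ /^[ \t]*$/) next
        if (is_option($1)) {
            printf("line %d: option %s is on a line of its own (wrapped?); join it to the entry above\n", NR, $1)
            bad++; next
        }
        if (NF < 3 || !is_type($1) || !is_control($2)) {
            printf("line %d: expected <type> <control> <module> [options], got: %s\n", NR, $0)
            bad++; next
        }
        n = split($3, path, "/"); mod = path[n]   # module basename
        if ($1 == "auth") {
            if (mod == "pam_ldap.so" && $2 == "sufficient") ldap_auth = NR
            if (mod == "pam_unix.so" && $2 == "required" && ldap_auth) unix_after_ldap = 1
        }
        if ($1 == "account" && mod == "pam_ldap.so" && $2 == "required") {
            if (!has_option("ignore_authinfo_unavail")) {
                printf("line %d: account pam_ldap.so lacks ignore_authinfo_unavail; with the LDAP server down every login, local accounts included, is refused\n", NR)
                bad++
            }
            if (!has_option("ignore_unknown_user")) {
                printf("line %d: account pam_ldap.so lacks ignore_unknown_user; users absent from LDAP (root, local admins) are refused\n", NR)
                bad++
            }
        }
    }
    END {
        if (ldap_auth && !unix_after_ldap) {
            printf("auth stack: pam_ldap.so (sufficient, line %d) has no required pam_unix.so behind it; local password fallback is missing\n", ldap_auth)
            bad++
        }
        exit (bad ? 1 : 0)
    }' "$1"
}

# Number of diagnostics for a file (0 means clean).
pam_lint_count() {
    pam_lint "$1" | awk 'END { print NR }'
}

# Constructed samples. The first mirrors the mangled listing an archive produces
# (a wrapped option, fused fields, a bare account entry); the second is the same
# stack laid out as pam.conf(5) expects.
BROKEN_SSHD=$(mktemp)
cat >"$BROKEN_SSHD" <<'EOF'
auth sufficient /usr/local/lib/pam_ldap.so no_warn
try_first_pass
authrequiredpam_unix.so no_warn
account required /usr/local/lib/pam_ldap.so
account required pam_unix.so
EOF
FIXED_SSHD=$(mktemp)
cat >"$FIXED_SSHD" <<'EOF'
auth      sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass
auth      required    pam_unix.so                 no_warn try_first_pass
account   required    pam_login_access.so
account   required    /usr/local/lib/pam_ldap.so  ignore_authinfo_unavail ignore_unknown_user
account   required    pam_unix.so
session   required    pam_permit.so
password  required    pam_unix.so                 no_warn try_first_pass
EOF

# Usage: sh pam_lint.sh demo              (the two samples)
#        sh pam_lint.sh /etc/pam.d/sshd   (a real file)
case "${1:-}" in
    demo) for f in "$BROKEN_SSHD" "$FIXED_SSHD"; do
              echo "== $f =="; pam_lint "$f" && echo "clean"
          done ;;
    "")   ;;
    *)    pam_lint "$1" ;;
esac
```

The check is purely syntactic: it tells you the file is laid out the way pam.conf(5) and the modules expect, not whether the LDAP server answers, which is what the debug options in ldap.conf and the tcpdump advice elsewhere in the thread cover. Brian notes the same file serves pam.d/system and the sudo file under /usr/local/etc/pam.d, so point it at those too.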


Re: Working /etc/pam.d/sshd file with pam_ldap 6.3 or 7.0 ?

2008-03-25 Thread Brian A. Seklecki

On Tue, 2008-03-25 at 16:31 +0100, Frank Bonnet wrote:
 Hello Brian
 
 Thanks for the quick answer but I'm still in trouble

Turn on the debugging flags in the configuration file for pam_ldap
in /usr/local/etc and watch the console on the system.

~BAS


 when I try to ssh connect to the machine I fall into a loop
 like the following
 
 panzer:~ ssh  [EMAIL PROTECTED]
 Password:
 Old Password:
 Password:
 Old Password:
 Password:
 
 I am SURE the password I type works
 
 
 
 
 Brian A. Seklecki wrote:
  The problem is that the PAM libraries provide shit-fuck-ass-worthless
  debug mechanisms.  This is only eclipsed by the terribly organized
  information on LDAP+NSS+PAM for FreeBSD on the web.
  
  The file is the same for pam.d/system and /usr/local/etc/pam.d/sudo.
  Please put this on the OpenLDAP / PADL Wiki somewhere:
  
  [EMAIL PROTECTED]:/home/seklecki$ more /etc/pam.d/sshd 
  
  
  # $FreeBSD: src/etc/pam.d/sshd,v 1.15 2003/04/30 21:57:54 markm Exp $
  #
  # PAM configuration for the sshd service
  #
  
  # auth
  #auth       required    pam_nologin.so      no_warn
  #auth       sufficient  pam_opie.so         no_warn no_fake_prompts
  #auth       requisite   pam_opieaccess.so   no_warn allow_local
  #auth       sufficient  pam_krb5.so         no_warn try_first_pass
  #auth       sufficient  pam_ssh.so          no_warn try_first_pass
  auth        sufficient  /usr/local/lib/pam_ldap.so
  auth        required    pam_unix.so         no_warn try_first_pass
  
  # account
  #account    required    pam_krb5.so
  account     required    pam_login_access.so
  account     required    /usr/local/lib/pam_ldap.so  ignore_authinfo_unavail ignore_unknown_user
  account     required    pam_unix.so
  
  # session
  #session    optional    pam_ssh.so
  session     required    pam_permit.so
  session     sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass
  
  # password
  #password   sufficient  pam_krb5.so         no_warn try_first_pass
  password    required    pam_unix.so         no_warn try_first_pass
  #password   required    /usr/local/lib/pam_ldap.so  no_warn try_first_pass
  
  
  Also try:
  
  $ grep -i debug /usr/local/etc/ldap.conf
  #debug 1
  $ grep -i debug /usr/local/etc/nss_ldap.conf
  #debug 1
  
  
  Higher levels for fun.
  
  ~BAS
  
  
  On Tue, 2008-03-25 at 15:34 +0100, Frank Bonnet wrote:
  Hello
 
  I can't get a working sshd access using pam_ldap and nss_ldap
 
  /etc/nsswitch.conf is OK
 
  but I'm having difficulties configuring pam_ldap for ssh access
  on a machine ( 6.3 or 7.0 ) ... I have been trying a lot to configure
  the /etc/pam.d/sshd file but haven't had any success (sigh!)
 
  Could anyone help?
 
  Thanks a lot !
 
 
 
-- 
Brian A. Seklecki [EMAIL PROTECTED]
Collaborative Fusion, Inc.
