alfa pam.d # emerge -s openssh pam_ldap Searching... [ Results for search key : openssh ] [ Applications found : 1 ] * net-misc/openssh Latest version available: 3.7.1_p2 Latest version installed: 3.7.1_p2 Size of downloaded files: 781 kB Homepage: http://www.openssh.com/ Description: Port of OpenBSD's free SSH release Searching... [ Results for search key : pam_ldap ] [ Applications found : 1 ] * net-libs/pam_ldap Latest version available: 156 Latest version installed: 156 Size of downloaded files: 112 kB Homepage: http://www.padl.com/OSS/pam_ldap.html Description: PAM LDAP Module alfa pam.d # pwd /etc/pam.d alfa pam.d # cat sshd #%PAM-1.0 auth required pam_stack.so service=system-auth auth required pam_shells.so auth required pam_nologin.so account required pam_stack.so service=system-auth password required pam_stack.so service=system-auth session required pam_stack.so serv alfa pam.d # more system-auth #%PAM-1.0 auth required /lib/security/pam_env.so auth sufficient /lib/security/pam_pwdb.so audit likeauth nodelay shadow bigcrypt auth sufficient /lib/security/pam_ldap.so debug use_first_pass auth required /lib/security/pam_deny.so account sufficient /lib/security/pam_pwdb.so audit shadow bigcrypt account sufficient /lib/security/pam_ldap.so debug account required /lib/security/pam_deny.so password required /lib/security/pam_cracklib.so retry=3 password sufficient /lib/security/pam_pwdb.so audit use_authtok shadow bigcrypt password sufficient /lib/security/pam_ldap.so debug use_authtok use_first_pass password required /lib/security/pam_deny.so session required /lib/security/pam_limits.so session sufficient /lib/security/pam_pwdb.so session sufficient /lib/security/pam_ldap.so session required /lib/security/pam_deny.so alfa root # cat /etc/ssh/ssh_config # $OpenBSD: ssh_config,v 1.19 2003/08/13 08:46:31 markus Exp $ # This is the ssh client system-wide configuration file. See # ssh_config(5) for more information. This file provides defaults for # users, and the values can be changed in per-user configuration files # or on the command line. # Configuration data is parsed as follows: # 1. command line options # 2. user-specific file # 3. system-wide file # Any configuration value is only changed the first time it is set. # Thus, host-specific definitions should be at the beginning of the # configuration file, and defaults at the end. # Site-wide defaults for various options # Host * # ForwardAgent no # ForwardX11 no # RhostsRSAAuthentication no # RSAAuthentication yes # PasswordAuthentication yes # HostbasedAuthentication no # BatchMode no # CheckHostIP yes # AddressFamily any # ConnectTimeout 0 # StrictHostKeyChecking ask # IdentityFile ~/.ssh/identity # IdentityFile ~/.ssh/id_rsa # IdentityFile ~/.ssh/id_dsa # Port 22 # Protocol 2,1 # Cipher 3des # Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc # EscapeChar ~ alfa root # alfa pam.d # karl@alfa karl $ tail /var/log/auth.log Sep 23 20:56:53 alfa PAM_pwdb[8214]: (su) session opened for user root by karl(uid=1000) Sep 23 20:59:30 alfa PAM_pwdb[8214]: (su) session closed for user root Sep 23 20:59:32 alfa PAM_pwdb[8224]: username [root] obtained Sep 23 20:59:35 alfa PAM_pwdb[8224]: (su) session opened for user root by karl(uid=1000) Sep 23 20:59:49 alfa sshd[8272]: Server listening on :: port 22. Sep 23 20:59:49 alfa sshd[8272]: error: Bind to port 22 on 0.0.0.0 failed: Address already in use. Sep 23 20:59:51 alfa PAM_pwdb[8224]: (su) session closed for user root Sep 23 21:00:03 alfa sshd[8275]: Failed password for karl from ::ffff:127.0.0.1 port 34804 ssh2 Sep 23 21:00:07 alfa last message repeated 2 times Sep 23 21:00:15 alfa sshd[8278]: Failed password for karl from ::ffff:127.0.0.1 port 34807 ssh2 debug2: read_server_config: filename /etc/ssh/sshd_config debug1: sshd version OpenSSH_3.7.1p2 debug1: private host key: #0 type 0 RSA1 debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key. debug1: read PEM private key done: type RSA debug1: private host key: #1 type 1 RSA debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key. debug1: read PEM private key done: type DSA debug1: private host key: #2 type 2 DSA debug1: Bind to port 22 on ::. Server listening on :: port 22. debug1: Bind to port 22 on 0.0.0.0. Bind to port 22 on 0.0.0.0 failed: Address already in use. Generating 768 bit RSA key. RSA key generation complete. debug1: Server will not fork when running in debugging mode. Connection from ::ffff:127.0.0.1 port 34822 debug1: Client protocol version 2.0; client software version OpenSSH_3.7.1p2 debug1: match: OpenSSH_3.7.1p2 pat OpenSSH* debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-1.99-OpenSSH_3.7.1p2 debug2: Network child is on pid 8448 debug3: preauth child monitor started debug3: mm_request_receive entering debug3: privsep user:group 22:22 debug1: permanently_set_uid: 22/22 debug1: list_hostkey_types: ssh-rsa,ssh-dss debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: mac_init: found hmac-md5 debug1: kex: client->server aes128-cbc hmac-md5 none debug2: mac_init: found hmac-md5 debug1: kex: server->client aes128-cbc hmac-md5 none debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received debug3: mm_request_send entering: type 0 debug3: monitor_read: checking request 0 debug3: mm_answer_moduli: got parameters: 1024 2048 8192 debug3: mm_choose_dh: waiting for MONITOR_ANS_MODULI debug3: mm_request_receive_expect entering: type 1 debug3: mm_request_receive entering debug3: mm_request_send entering: type 1 debug2: monitor_read: 0 used once, disabling now debug3: mm_request_receive entering debug3: mm_choose_dh: remaining 0 debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent debug2: dh_gen_key: priv key bits set: 127/256 debug2: bits set: 1572/3191 debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT debug2: bits set: 1582/3191 debug3: mm_key_sign entering debug3: mm_request_send entering: type 4 debug3: monitor_read: checking request 4 debug3: mm_answer_sign debug3: mm_answer_sign: signature 0x80ac150(143) debug3: mm_request_send entering: type 5 debug2: monitor_read: 4 used once, disabling now debug3: mm_request_receive entering debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN debug3: mm_request_receive_expect entering: type 5 debug3: mm_request_receive entering debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent debug2: kex_derive_keys debug2: set_newkeys: mode 1 debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug2: set_newkeys: mode 0 debug1: SSH2_MSG_NEWKEYS received debug1: KEX done debug1: userauth-request for user karl service ssh-connection method none debug1: attempt 0 failures 0 debug3: mm_getpwnamallow entering debug3: mm_request_send entering: type 6 debug3: monitor_read: checking request 6 debug3: mm_answer_pwnamallow debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM debug3: mm_request_receive_expect entering: type 7 debug3: mm_request_receive entering debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1 debug3: mm_request_send entering: type 7 debug2: monitor_read: 6 used once, disabling now debug3: mm_request_receive entering debug2: input_userauth_request: setting up authctxt for karl debug3: mm_inform_authserv entering debug3: mm_request_send entering: type 3 debug2: input_userauth_request: try method none debug3: mm_auth_password entering debug3: mm_request_send entering: type 10 debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD debug3: mm_request_receive_expect entering: type 11 debug3: mm_request_receive entering debug3: monitor_read: checking request 3 debug3: mm_answer_authserv: service=ssh-connection, style= debug2: monitor_read: 3 used once, disabling now debug3: mm_request_receive entering debug3: monitor_read: checking request 10 debug3: mm_answer_authpassword: sending result 0 debug3: mm_request_send entering: type 11 Failed none for karl from ::ffff:127.0.0.1 port 34822 ssh2 debug3: mm_request_receive entering debug3: mm_auth_password: user not authenticated Failed none for karl from ::ffff:127.0.0.1 port 34822 ssh2 debug1: userauth-request for user karl service ssh-connection method keyboard-interactive debug1: attempt 1 failures 1 debug2: input_userauth_request: try method keyboard-interactive debug1: keyboard-interactive devs debug1: auth2_challenge: user=karl devs= debug1: kbdint_alloc: devices 'pam' debug2: auth2_challenge_start: devices pam debug2: kbdint_next_device: devices <empty> debug1: auth2_challenge_start: trying authentication method 'pam' debug3: mm_sshpam_init_ctx debug3: mm_request_send entering: type 46 debug3: mm_sshpam_init_ctx: waiting for MONITOR_ANS_PAM_INIT_CTX debug3: mm_request_receive_expect entering: type 47 debug3: mm_request_receive entering debug3: monitor_read: checking request 46 debug3: mm_answer_pam_init_ctx debug3: mm_request_send entering: type 47 debug3: mm_request_receive entering debug3: mm_sshpam_init_ctx: pam_init_ctx failed Failed keyboard-interactive for karl from ::ffff:127.0.0.1 port 34822 ssh2 debug1: userauth-request for user karl service ssh-connection method password debug1: attempt 2 failures 2 debug2: input_userauth_request: try method password debug3: mm_auth_password entering debug3: mm_request_send entering: type 10 debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD debug3: mm_request_receive_expect entering: type 11 debug3: mm_request_receive entering debug3: monitor_read: checking request 10 debug3: mm_answer_authpassword: sending result 0 debug3: mm_request_send entering: type 11 Failed password for karl from ::ffff:127.0.0.1 port 34822 ssh2 debug3: mm_request_receive entering debug3: mm_auth_password: user not authenticated Failed password for karl from ::ffff:127.0.0.1 port 34822 ssh2 debug1: userauth-request for user karl service ssh-connection method password debug1: attempt 3 failures 3 debug2: input_userauth_request: try method password debug3: mm_auth_password entering debug3: mm_request_send entering: type 10 debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD debug3: mm_request_receive_expect entering: type 11 debug3: mm_request_receive entering debug3: monitor_read: checking request 10 debug3: mm_answer_authpassword: sending result 0 debug3: mm_request_send entering: type 11 debug3: mm_auth_password: user not authenticated Failed password for karl from ::ffff:127.0.0.1 port 34822 ssh2 Failed password for karl from ::ffff:127.0.0.1 port 34822 ssh2 debug3: mm_request_receive entering debug1: userauth-request for user karl service ssh-connection method password debug1: attempt 4 failures 4 debug2: input_userauth_request: try method password debug3: mm_auth_password entering debug3: mm_request_send entering: type 10 debug3: monitor_read: checking request 10 debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD debug3: mm_request_receive_expect entering: type 11 debug3: mm_request_receive entering debug3: mm_answer_authpassword: sending result 0 debug3: mm_request_send entering: type 11 Failed password for karl from ::ffff:127.0.0.1 port 34822 ssh2 debug3: mm_request_receive entering debug3: mm_auth_password: user not authenticated Failed password for karl from ::ffff:127.0.0.1 port 34822 ssh2 Connection closed by ::ffff:127.0.0.1 debug1: Calling cleanup 0x80784e0(0x0) alfa root # Reproducible: Always Steps to Reproduce: 1. get pam_ldap, pam* and ldap working 2. emerge --update openssh 3. etc-update to new defaults Actual Results: Can't use ssh to login karl@alfa karl $ ssh localhost karl@localhost's password: Permission denied, please try again. karl@localhost's password: Permission denied, please try again. karl@localhost's password: Permission denied (publickey,password,keyboard-interactive). karl@alfa karl $ Expected Results: login via ssh should work ... karl@alfa karl $ emerge info Portage 2.0.49-r3 (default-x86-1.4, gcc-3.2.3, glibc-2.3.2-r1, 2.4.20-gentoo-r7) ================================================================= System uname: 2.4.20-gentoo-r7 i686 AMD Athlon(tm) Processor ACCEPT_KEYWORDS="x86" AUTOCLEAN="yes" CFLAGS="-mcpu=athlon-tbird -O3 -pipe" CHOST="i686-pc-linux-gnu" COMPILER="gcc3" CONFIG_PROTECT="/etc /var/qmail/control /usr/kde/2/share/config /usr/X11R6/lib/X11/xkb /usr/kde/3.1/share/config /usr/kde/3/share/config /usr/share/config" CONFIG_PROTECT_MASK="/etc/gconf /etc/env.d" CXXFLAGS="-mcpu=athlon-tbird -O3 -pipe" DISTDIR="/usr/portage/distfiles" FEATURES="sandbox ccache autoaddcvs" GENTOO_MIRRORS="http://gentoo.oregonstate.edu http://distro.ibiblio.org/pub/Linux/distributions/gentoo" MAKEOPTS="-j2" PKGDIR="/usr/portage/packages" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="" SYNC="rsync://rsync.gentoo.org/gentoo-portage" USE="x86 oss apm avi crypt encode foomaticdb gif jpeg libg++ mad mikmod mmx mpeg ncurses pdflib png quicktime spell truetype xml2 xmms xv zlib alsa gdbm berkdb slang readline arts tetex nas svga tcltk guile ruby postgres X sdl gpm tcpd pam libwww ssl perl python esd imlib oggvorbis gnome gtk qt kde motif opengl mozilla cdr scanner ldap cups glib java nls kerberos"
Created attachment 18234 [details] Fixed sshd_config Fix: The config file is lying! from recent message on openssh-unix-dev > Changes since OpenSSH 3.7.1p1: > ============================== > > * This release disables PAM by default. To enable it, set "UsePAM yes" in > sshd_config. Due to complexity, inconsistencies in the specification and > differences between vendors' PAM implementations we recommend that PAM > be left disabled in sshd_config unless there is a need for its use. > Sites using only public key or simple password authentication usually > have little need to enable PAM support. # $OpenBSD: sshd_config,v 1.65 2003/08/28 12:54:34 markus Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin # The strategy used for options in the default sshd_config shipped with # OpenSSH is to specify options with their default value where # possible, but leave them commented. Uncommented options change a # default value. #Port 22 #Protocol 2,1 #ListenAddress 0.0.0.0 #ListenAddress :: # HostKey for protocol version 1 #HostKey /etc/ssh/ssh_host_key # HostKeys for protocol version 2 #HostKey /etc/ssh/ssh_host_rsa_key #HostKey /etc/ssh/ssh_host_dsa_key # Lifetime and size of ephemeral version 1 server key #KeyRegenerationInterval 1h #ServerKeyBits 768 # Logging #obsoletes QuietMode and FascistLogging #SyslogFacility AUTH #LogLevel INFO # Authentication: #LoginGraceTime 2m #PermitRootLogin yes #StrictModes yes #RSAAuthentication yes #PubkeyAuthentication yes #AuthorizedKeysFile .ssh/authorized_keys # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts #RhostsRSAAuthentication no # similar for protocol version 2 #HostbasedAuthentication no # Change to yes if you don't trust ~/.ssh/known_hosts for # RhostsRSAAuthentication and HostbasedAuthentication #IgnoreUserKnownHosts no # Don't read the user's ~/.rhosts and ~/.shosts files #IgnoreRhosts yes # To disable tunneled clear text passwords, change to no here! #PasswordAuthentication yes #PermitEmptyPasswords no # Change to no to disable s/key passwords #ChallengeResponseAuthentication yes # Kerberos options #KerberosAuthentication no #KerberosOrLocalPasswd yes #KerberosTicketCleanup yes # GSSAPI options #GSSAPIAuthentication no #GSSAPICleanupCreds yes # Set this to 'yes' to enable PAM authentication (via challenge-response) # and session processing. Depending on your PAM configuration, this may # bypass the setting of 'PasswordAuthentication' #UsePAM yes UsePAM yes #<- THIS IS THE FIX ------------------------------------------- #AllowTcpForwarding yes #GatewayPorts no #X11Forwarding no #X11DisplayOffset 10 #X11UseLocalhost yes #PrintMotd yes #PrintLastLog yes #KeepAlive yes #UseLogin no #UsePrivilegeSeparation yes #PermitUserEnvironment no #Compression yes #ClientAliveInterval 0 #ClientAliveCountMax 3 #UseDNS yes #PidFile /var/run/sshd.pid #MaxStartups 10 # no default banner path #Banner /some/path # override default of no subsystems Subsystem sftp /usr/lib/misc/sftp-server
Fix is in attachment "Fixed sshd_config"
wrangler
somebody want to put this into openssh?
Hmm... in my case the fix helped ssh to actually call LDAP, but it doesn't fix the whole problem. I still have "permision denied (publickey,password,keyboard-interactive)", while ldap reports to auth.log that bind is not correct (same bind works fine in ldapsearch). So, it's still not clear if it sis a problem of pam_ldap or sshd sends incorrect password to pam_ldap.
ok, the FIX has helped finally to fix, after I've pointed out /etc/pam.d/ssh to use ldap directly (instead of system-auth): auth required /lib/security/pam_nologin.so auth sufficient /lib/security/pam_ldap.so auth required /lib/security/pam_unix_auth.so try_first_pass account sufficient /lib/security/pam_ldap.so account required /lib/security/pam_unix_acct.so password required /lib/security/pam_cracklib.so password sufficient /lib/security/pam_ldap.so password required /lib/security/pam_pwdb.so use_first_pass session required /lib/security/pam_unix_session.so
I've been getting quite a few bugs on this "UsePAM yes" and ldap, is there any reason why its not on by default... It was on and working, and now I have an ebuild installed where I dont' have that on and it works fine... Quite some confusion going on, let me know whats up with this one
I suggest moving "#UsePam On" to uncommented when USE pam flags are on in the install since this is no longer broken.
openssh-3.7.1_p2-r2.ebuild fixes this problem, much thanks to Mike=) I'll let him close this one.
then the problem should be solved
