
rootbinddn & passwd as root



I am having problems configuring PAM.  su was giving me trouble but I tackled that by adding:
auth       sufficient   /lib/security/pam_rootok.so

Is this acceptable?  Does it introduce any security holes?

I am also having trouble with passwd.
	* users can change their own ldap passwords
	* root can change his/her own password fine
	* root can _NOT_ change users' passwords
	* uncommenting rootbinddn (in ldap.conf) results in no one being
	  able to log in via sshd, imap or pop.
	  (yes, ldap.secret does exist with correct manager pw)

Here are some PAM config files:

[root@betamax pam.d]# cat passwd
#%PAM-1.0
auth       sufficient   /lib/security/pam_ldap.so debug
auth       required     /lib/security/pam_unix_auth.so use_first_pass
account    sufficient   /lib/security/pam_ldap.so
account    required     /lib/security/pam_unix_acct.so
password   requisite    /lib/security/pam_cracklib.so retry=3
password   sufficient   /lib/security/pam_ldap.so try_first_pass
password   required     /lib/security/pam_unix.so md5 shadow try_first_pass
[root@betamax pam.d]# cat imap
auth    required        /lib/security/pam_ldap.so
account required        /lib/security/pam_ldap.so
password required       /lib/security/pam_ldap.so
session required        /lib/security/pam_unix_session.so
[root@betamax pam.d]# cat pop
auth    required        /lib/security/pam_ldap.so
account required        /lib/security/pam_ldap.so
password required       /lib/security/pam_ldap.so
session required        /lib/security/pam_unix_session.so
[root@betamax pam.d]# cat sshd
#%PAM-1.0
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    optional     /lib/security/pam_console.so




Here is "rootbinddn" commented (works if correct pw is supplied, as expected):

[root@betamax pam.d]# passwd caylan
Changing password for user caylan.
Enter login(LDAP) password:
Password change aborted
passwd: User not known to the underlying authentication module





Here is "rootbinddn" uncommented and live w/ a good ldap.secret file:

[root@betamax pam.d]# passwd caylan
Changing password for user caylan.
passwd: User not known to the underlying authentication module






Here is a debugged ssh/sshd session running locally (sshd side):

[root@betamax pam.d]# sshd -d -p 6699
debug1: sshd version OpenSSH_3.1p1
debug1: private host key: #0 type 0 RSA1
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
socket: Address family not supported by protocol
debug1: Bind to port 6699 on 0.0.0.0.
Server listening on 0.0.0.0 port 6699.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
Connection from 127.0.0.1 port 58727
debug1: Client protocol version 2.0; client software version OpenSSH_3.1p1
debug1: match: OpenSSH_3.1p1 pat OpenSSH*
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-1.99-OpenSSH_3.1p1
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: dh_gen_key: priv key bits set: 123/256
debug1: bits set: 1639/3191
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: bits set: 1651/3191
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user caylan service ssh-connection method none
debug1: attempt 0 failures 0
debug1: Starting up PAM with username "caylan"
debug1: PAM setting rhost to "localhost.localdomain"
Failed none for caylan from 127.0.0.1 port 58727 ssh2
debug1: userauth-request for user caylan service ssh-connection method keyboard-interactive
debug1: attempt 1 failures 1
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=caylan devs=
debug1: kbdint_alloc: devices ''
Failed keyboard-interactive for caylan from 127.0.0.1 port 58727 ssh2

# I just connected using `ssh caylan@localhost -p 6699`
# Typed in correct password and this...

debug1: userauth-request for user caylan service ssh-connection method password
debug1: attempt 2 failures 2
debug1: PAM Password authentication for "caylan" failed[7]: Authentication failure
Failed password for caylan from 127.0.0.1 port 58727 ssh2

# Typed in a wrong password for giggles.

debug1: userauth-request for user caylan service ssh-connection method password
debug1: attempt 3 failures 3
debug1: PAM Password authentication for "caylan" failed[7]: Authentication failure
Failed password for caylan from 127.0.0.1 port 58727 ssh2

=== END OF DEBUG ===

I assume that since I started this under username "caylan" it could not 
access ldap.secret.  But ldap.secret is owned by root w/ permissions of 
600.  I keep running around in circles not getting much accomplished!!! :(

I would really like to understand why in the world rootbinddn would affect 
sshd and other regular user logins?  Not to mention how to fix this weird 
problem I am having!

Thanks guys/gals, happy FRIDAY!!!



Caylan Van Larson
Unix Administrator - Systems Team Member
University of North Dakota (Aerospace College)
caylan@cs.und.edu
701-777-6151 (work)
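
The two settings the message asks about, the `auth sufficient pam_rootok.so` line and the ldap.secret file behind rootbinddn, can both be audited mechanically. The following is an added example, not part of the original message: pam_rootok succeeds whenever the calling process has real UID 0, so the check flags it as `sufficient` in any auth stack other than a local tool's. The `LOCAL_TOOLS` set, the function names and the sample stacks are constructed assumptions, and the secret file's path is supplied by the caller.

```python
import os
import stat
# Assumption of this example: local tools where a root caller is already trusted.
LOCAL_TOOLS = {"su", "passwd"}

# Constructed samples (not taken from the post).
SU_SAMPLE = """#%PAM-1.0
auth  sufficient  /lib/security/pam_rootok.so
auth  required    /lib/security/pam_stack.so service=system-auth
"""
SHARED_SAMPLE = """auth  sufficient  /lib/security/pam_rootok.so
auth  sufficient  /lib/security/pam_ldap.so
"""

def parse_pam(text):
    """Return (type, control, module) for each rule in a pam.d file."""
    rules = []
    for line in text.replace("\\\n", " ").splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) > 1 and fields[1].startswith("["):  # [value=action ...]
            end = next((i for i, f in enumerate(fields) if f.endswith("]")),
                       len(fields) - 1)
            fields[1:end + 1] = [" ".join(fields[1:end + 1])]
        if len(fields) >= 3:
            rules.append((fields[0].lstrip("-").lower(), fields[1],
                          os.path.basename(fields[2])))
    return rules

def audit_service(service, text):
    """Flag 'auth sufficient pam_rootok.so' outside the local tools."""
    return [f"{service}: pam_rootok.so is sufficient for auth; it succeeds "
            "whenever the calling process has real uid 0"
            for kind, control, module in parse_pam(text)
            if kind == "auth" and control == "sufficient"
            and module == "pam_rootok.so" and service not in LOCAL_TOOLS]

def audit_secret(path):
    """Check that the file holding the rootbinddn password is root-only."""
    st, findings = os.stat(path), []
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid != 0:
        findings.append(f"{path}: owner uid {st.st_uid}, expected 0")
    if mode & 0o077:
        findings.append(f"{path}: mode {mode:o} grants group/other access")
    return findings

if __name__ == "__main__":
    for name, text in (("su", SU_SAMPLE), ("system-auth", SHARED_SAMPLE)):
        print(name, audit_service(name, text) or "ok")
```

Run `audit_service` once per file in pam.d, including any shared stack pulled in through `pam_stack.so service=...`, since a finding there applies to every service that stacks it.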