
Re: SSH and LDAP problem



I had the same problem. Try putting UsePAM=yes into sshd_config. I am running RedHat 9.

David Moron wrote:

The PAMAuthenticationViaKbdInt is set to 'yes' but it doesn't work.

Why, when I start slapd, can't root log in via ssh if root is in /etc/passwd!?
In nsswitch.conf I define first 'files' and then 'ldap'. It's a very strange problem.


Thank you.

David Morón Ruano


L Nehring wrote:

I may have missed your previous post, but have you tried setting this line in /etc/ssh/sshd_config?

PAMAuthenticationViaKbdInt yes

This is what it took so that my ldap users could authenticate using SSH without being listed in /etc/passwd. There is a warning comment in the sshd_config file about this setting, but in my case it does not affect my security model.

r,
Lance
http://www.newparticles.com/


David Moron wrote:

Craig White wrote:

On Mon, 2004-01-05 at 06:35, David Moron wrote:


Hi,

I've installed openldap 2.1.25 on a Debian 3.0 in order to authenticate the users with PAM.
I configured all the services (proftpd, su, passwd, etc.) in order to use PAM to access the ldap server and they work properly. When I try using ssh:
- If the user is in /etc/passwd: ssh asks for the password and then closes the connection:
#ssh -l admin 10.0.0.80
admin@10.0.0.80's password:
Connection closed by 10.0.0.80
- If the user is in the ldap: ssh closes the connection directly:
#ssh -l testldap 10.0.0.80
Connection closed by 10.0.0.80
- When I stop the ldap I can log in via ssh as an /etc/passwd user without problems.



--- sounds like the ldap user doesn't have a valid shell to operate in...

getent passwd |grep admin

admin in /etc/passwd has a valid shell /bin/sh ?
admin in ldap has invalid shell or no shell at all

just a guess

Craig



It isn't the problem :-( because I can do:
$su - testldap
passwd:
testldap$ id
uid=1004(testldap) gid=1003(test) grupos=1003(test)
And the shell exists.

Why, when I start slapd, can't root log in via ssh!? In nsswitch.conf I define first 'files' and then 'ldap'.

My testldap user entry:
# testldap, People, openwired.net
dn: uid=testldap,ou=People,dc=openwired,dc=net
loginShell: /bin/bash <-- exists
sambaAcctFlags: [U          ]
gidNumber: 1003
uidNumber: 1004
objectClass: posixAccount
objectClass: shadowAccount
objectClass: account
objectClass: mailRecipient
uid: testldap
cn: testldap
homeDirectory: /home/testldap
shadowLastChange: 12422
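The thread checks three things by hand: whether sshd hands password authentication to PAM (UsePAM on newer OpenSSH, PAMAuthenticationViaKbdInt on the older release shipped with Debian 3.0), whether the account resolves through NSS (getent passwd), and whether its loginShell actually exists, since OpenSSH refuses a login whose shell is missing or not executable. The script below is an added example, not code from any poster in the thread; it runs the same checks over a constructed sshd_config fragment and constructed passwd-format lines standing in for getent output, so it runs offline. The sample values and the helper names (sshd_option, sshd_uses_pam, shell_ok) are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): diagnostics for the three things the
# posters check by hand. Sample data below is constructed, not real host data.

# Constructed sshd_config fragment, standing in for /etc/ssh/sshd_config.
SAMPLE_SSHD_CONFIG='# Example sshd_config
Port 22
#UsePAM no
PAMAuthenticationViaKbdInt yes
PasswordAuthentication yes
'

# Constructed passwd-format lines, standing in for "getent passwd <user>".
SAMPLE_OK='testldap:x:1004:1003::/home/testldap:/bin/sh'
SAMPLE_BAD_SHELL='broken:x:1005:1003::/home/broken:/usr/local/bin/no-such-shell'
SAMPLE_NO_SHELL='noshell:x:1006:1003::/home/noshell:'

# Print the effective value of an sshd_config keyword. sshd takes the first
# uncommented occurrence of a keyword, matches keywords case-insensitively,
# and accepts "Keyword=value" as well as "Keyword value". Prints nothing if
# the keyword is unset (only commented out, for instance).
sshd_option() {
    printf '%s\n' "$1" | awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }                 # skip comment lines
        { gsub(/=/, " "); $0 = $0 }               # treat "=" as a separator
        NF >= 2 && tolower($1) == key { print $2; exit }
    '
}

# Succeed when sshd will consult PAM for passwords: UsePAM yes (OpenSSH 3.7
# and later) or PAMAuthenticationViaKbdInt yes (older releases).
sshd_uses_pam() {
    case "$(sshd_option "$1" UsePAM)" in yes) return 0 ;; esac
    case "$(sshd_option "$1" PAMAuthenticationViaKbdInt)" in yes) return 0 ;; esac
    return 1
}

# Login shell is field 7 of a passwd-format line.
login_shell() {
    printf '%s\n' "$1" | cut -d: -f7
}

# Succeed when the shell is set and is an executable file on this host.
shell_ok() {
    shell=$(login_shell "$1")
    [ -n "$shell" ] && [ -x "$shell" ]
}

# One-line verdict for an account; always returns 0 so it is safe under set -e.
report_account() {
    user=$(printf '%s\n' "$1" | cut -d: -f1)
    if shell_ok "$1"; then
        printf '%s: shell %s exists and is executable\n' "$user" "$(login_shell "$1")"
    else
        printf '%s: shell "%s" missing or not executable; sshd will deny the login\n' \
            "$user" "$(login_shell "$1")"
    fi
    return 0
}

# Demo on the constructed data. On a real host feed it
#   "$(cat /etc/ssh/sshd_config)"  and  "$(getent passwd testldap)"  instead.
if sshd_uses_pam "$SAMPLE_SSHD_CONFIG"; then
    echo "sshd_config: PAM authentication is enabled"
else
    echo "sshd_config: neither UsePAM nor PAMAuthenticationViaKbdInt is yes; users known only to LDAP cannot authenticate"
fi
report_account "$SAMPLE_OK"
report_account "$SAMPLE_BAD_SHELL"
report_account "$SAMPLE_NO_SHELL"
```

Because getent walks nsswitch.conf in order ("files" then "ldap" here), its output for a user is what sshd will see; running the report over `getent passwd <user>` therefore tests the NSS side and the shell side together, while the sshd_config check covers the PAM side that the UsePAM and PAMAuthenticationViaKbdInt replies address.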