Host-based Authentication

Hi list,

My host-based authentication configuration is not working 100%

This is what I get when I try to log in to a server using an LDAP user that doesn't have the host entry for that server:

user1@host1's password:

Access denied for this host

[user1@host1 user1]$

As you can see, after the message “Access denied for this host” I’m actually on the server!

Here is my ldap.conf (client side)

HOST <ldap server IP>

BASE dc=<mydomain>,dc=com

rootbinddn cn=Manager,dc=<mydomain>,dc=com

scope one

pam_check_host_attr yes

pam_filter objectclass=posixaccount

pam_login_attribute uid

pam_member_attribute gid

pam_password md5

nss_base_passwd         ou=People,dc=<mydomain>,dc=com?one

nss_base_shadow         ou=People,dc=<mydomain>,dc=com?one

nss_base_group          ou=Group,dc=<mydomain>,dc=com?one

nss_base_hosts          ou=Hosts,dc=<mydomain>,dc=com?one

Here is my /etc/pam.d/passwd


auth            sufficient      /lib/security/pam_ldap.so

auth            required        /lib/security/pam_pwdb.so shadow nullok

account         sufficient      /lib/security/pam_ldap.so

account         required        /lib/security/pam_pwdb.so

password        required        /lib/security/pam_cracklib.so retry=3 minlen=4 dcredit=0 ucredit=0

password        sufficient      /lib/security/pam_ldap.so use_authtok

password        required        /lib/security/pam_pwdb.so use_authtok nullok md5 shadow

Here is my /etc/pam.d/sshd


auth       required     /lib/security/pam_nologin.so

auth       sufficient   /lib/security/pam_ldap.so

auth       required     /lib/security/pam_unix_auth.so try_first_pass

account    sufficient   /lib/security/pam_ldap.so

account    required     /lib/security/pam_unix_acct.so

password   required     /lib/security/pam_cracklib.so

password   sufficient   /lib/security/pam_ldap.so

password   required     /lib/security/pam_pwdb.so use_first_pass

session    required     /lib/security/pam_unix_session.so

I know it works if I change the sshd file like this:


account    sufficient   /lib/security/pam_ldap.so


account    required   /lib/security/pam_ldap.so

However, I don't want to do that because I can't use the users in /etc/passwd, which is pretty bad.

Has anyone had this issue and been able to resolve it?
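The behaviour in the post follows from how Linux-PAM evaluates the `account` stack: `pam_check_host_attr` is enforced in pam_ldap's account step, and a failing `sufficient` module is simply skipped, so the `required` pam_unix_acct line runs next, finds the user through nss_ldap, and approves the account. Replacing the second line with `required pam_ldap.so` closes that hole but makes every /etc/passwd user fail with "user unknown", which is exactly the trade-off the poster describes. The following model, written for this page and not taken from pam_ldap or Linux-PAM, walks the classic control keywords over three stacks: the posted one, the all-pam_ldap variant, and one that uses pam_ldap's documented `ignore_unknown_user` option so pam_ldap returns PAM_IGNORE for non-LDAP users (modelled here as a keyword argument; availability in a given pam_ldap release is assumed). The directory entries, local users and host names are constructed.

```python
# Added illustration: a small model of how Linux-PAM walks an `account` stack.
# Not pam_ldap's or Linux-PAM's code; the directory contents and module
# behaviour are constructed to match the situation described in the post.

PAM_SUCCESS = "PAM_SUCCESS"
PAM_PERM_DENIED = "PAM_PERM_DENIED"
PAM_USER_UNKNOWN = "PAM_USER_UNKNOWN"
PAM_IGNORE = "PAM_IGNORE"

# Constructed LDAP directory: each posixAccount carries a `host` attribute,
# which is what `pam_check_host_attr yes` makes pam_ldap compare against.
LDAP_USERS = {
    "user1": {"host": ["host2"]},   # no entry for host1, like the poster's case
    "user2": {"host": ["host1"]},
}
# Constructed /etc/passwd entries.
LOCAL_USERS = {"root", "admin"}


def nss_known(user):
    """getpwnam() as seen through nss_ldap: local users plus every LDAP user."""
    return user in LOCAL_USERS or user in LDAP_USERS


def pam_ldap_account(user, host, ignore_unknown_user=False):
    """Model of pam_ldap's account step with pam_check_host_attr yes."""
    entry = LDAP_USERS.get(user)
    if entry is None:
        # ignore_unknown_user is a pam_ldap option; modelled here as returning
        # PAM_IGNORE so that the rest of the stack decides for non-LDAP users.
        return PAM_IGNORE if ignore_unknown_user else PAM_USER_UNKNOWN
    # "Access denied for this host" when the host is not in the attribute
    return PAM_SUCCESS if host in entry["host"] else PAM_PERM_DENIED


def pam_unix_acct(user, host, **_opts):
    """Model of pam_unix_acct: the account only has to exist via NSS."""
    return PAM_SUCCESS if nss_known(user) else PAM_USER_UNKNOWN


def run_stack(stack, user, host):
    """Walk a list of (control, module, options) with the classic controls.

    required:   a failure is recorded, but later modules still run
    requisite:  a failure ends the stack immediately
    sufficient: success ends the stack if no required module failed before;
                a failure is ignored and the next line runs
    optional:   only counts when no other module produced a result
    """
    required_failure = None
    contributed = False
    optional_rc = None
    for control, module, opts in stack:
        rc = module(user, host, **opts)
        if rc == PAM_IGNORE:
            continue
        ok = rc == PAM_SUCCESS
        if control == "optional":
            optional_rc = rc
        elif control == "requisite":
            if not ok:
                return rc
            contributed = True
        elif control == "required":
            contributed = True
            if not ok and required_failure is None:
                required_failure = rc
        elif control == "sufficient":
            if ok and required_failure is None:
                return PAM_SUCCESS
        else:
            raise ValueError(f"unknown control {control!r}")
    if required_failure is not None:
        return required_failure
    if contributed:
        return PAM_SUCCESS
    if optional_rc is not None:
        return optional_rc
    return PAM_PERM_DENIED  # nothing decided: libpam denies an all-ignored stack


STACKS = {
    # The poster's /etc/pam.d/sshd account lines
    "posted": [("sufficient", pam_ldap_account, {}),
               ("required", pam_unix_acct, {})],
    # The variant the poster says works: pam_ldap twice, no pam_unix_acct
    "ldap_only": [("sufficient", pam_ldap_account, {}),
                  ("required", pam_ldap_account, {})],
    # pam_ldap must pass for LDAP users and steps aside for everyone else
    "ignore_unknown": [("required", pam_ldap_account, {"ignore_unknown_user": True}),
                       ("required", pam_unix_acct, {})],
}


def account_result(stack_name, user, host="host1"):
    return run_stack(STACKS[stack_name], user, host)


if __name__ == "__main__":
    for name in STACKS:
        for user in ("user1", "user2", "root", "ghost"):
            print(f"{name:15} {user:6} -> {account_result(name, user)}")
```

Running it shows the three outcomes side by side: with the posted stack `user1` is approved on host1 despite the host check failing, with the all-pam_ldap stack `root` is refused as an unknown user, and with `ignore_unknown_user` pam_ldap decides for directory users while pam_unix_acct still handles /etc/passwd accounts. Whatever stack is chosen, the check to make before relying on it is the same one the poster did: log in as a directory user whose host attribute excludes the machine and confirm the session is actually refused, not just preceded by a warning.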