# [RESOLVED] LDAP PAM(Maybe) SSH

## M1Sports20

Ok here is what I want to do

I want to allow a certain group of people in LDAP (group called SSH) to be able to ssh into the machine.

Can I use PAM with LDAP to do this? Or do I have to compile SSH with the LDAP USE flag?

If I have to do the latter, how do I configure it? I tried this with my sshd_config file

```
# here are the new patched ldap related tokens
# entries in your LDAP must have posixAccount & ldapPublicKey objectclass
UseLPK yes
#LpkLdapConf /etc/ldap.conf
LpkServers  ldaps://127.0.0.1:636 ldap://127.0.0.1
#LpkUserDN   ou=people,dc=example,dc=com  # MS this has to be a person
LpkGroupDN  ou=ssh,ou=people,dc=example,dc=com
#LpkBindDN cn=admin,dc=example,dc=com
#LpkBindPw dontthinkineedtobindthisway
#LpkForceTLS no
```

I also don't know where to look for debug output. This is the only one I found to change (/var/log/auth.log).

After logging in with mary it says this

```
Apr 22 22:26:42 MSServer sshd(pam_unix)[25146]: check pass; user unknown
Apr 22 22:26:42 MSServer sshd(pam_unix)[25146]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=adsl-69-210-97-133.dsl.milwwi.ameritech.net
Apr 22 22:26:42 MSServer sshd[1893]: error: PAM: Authentication service cannot retrieve authentication info. for mary from adsl-69-210-97-133.dsl.milwwi.ameritech.net
```

Just to let you know, LDAP is working and I even have PAM working with LDAP. I just don't want every user in LDAP to be able to log in. Is there a way for just a group called ssh to log in?

Any help would be great. Thanks

Last edited by M1Sports20 on Mon Apr 24, 2006 6:26 am; edited 1 time in total

----------

## M1Sports20

bump

I think it might have something to do with the ldapPublicKey objectclass.

I don't see this schema. Did the maintainer forget to include this with the lpk patch for openssh?

----------

## wellwhoopdedooo

I don't think you need to compile in LDAP support.

Make your /etc/pam.d/sshd look similar to this:

```
#%PAM-1.0

auth       include      system-auth
auth       required     pam_shells.so
auth       required     pam_nologin.so
auth       required     pam_wheel.so group=ssh
account    include      system-auth
password   include      system-auth
session    include      system-auth
```

The fourth line (sixth if you count the #%PAM-1.0 and blank) is the one to pay attention to. I haven't tested this at all, but I think that'll work.

----------

## M1Sports20

Yes, that does work, and I have SSH working through PAM with LDAP.

But I want only a certain group of users in LDAP to be able to ssh into the box. Is this possible this way?

I figured if I compiled LDAP into SSH I could use the LPK patch and allow a certain group. But I haven't been able to get this to work.

If what I'm trying to do is possible with PAM, I would do that too.

Thanks for answering

----------

## wellwhoopdedooo

Yes, that's what the 4th line is:

```
auth       required     pam_wheel.so group=ssh
```

It requires that the user belongs to the specified group for authorization to continue. Make sure there's no "auth sufficient" above it, and it should work.

----------

## M1Sports20

Oh, I get it, the group=ssh part.

I'll try it soon and let you know how it works

----------

## M1Sports20

Well, it didn't work. It still allows all LDAP users to ssh.

Here's my pam.d config

/etc/pam.d/system-auth

```
auth       required     pam_env.so
auth       sufficient   pam_unix.so likeauth nullok
auth       sufficient   pam_ldap.so use_first_pass
auth       required     pam_deny.so
account    sufficient   pam_ldap.so
account    required     pam_unix.so
password   required     pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password   sufficient   pam_unix.so nullok md5 shadow use_authtok
password   sufficient   pam_ldap.so use_authtok
password   required     pam_deny.so
session    required     pam_limits.so
session    required     pam_unix.so
session    optional     pam_ldap.so
```

/etc/pam.d/sshd

```
auth       include      system-auth
auth       required     pam_shells.so
auth       required     pam_nologin.so
auth       required     pam_wheel.so group=ssh
account    include      system-auth
password   include      system-auth
session    include      system-auth
session    required     /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0077
```

----------

## wellwhoopdedooo

Ohhh, right... when PAM hits a successful "sufficient" rule, it stops processing and allows auth. Hmm... maybe you could change your sshd to this:

```
auth       required     pam_shells.so
auth       required     pam_nologin.so
auth       required     pam_wheel.so group=ssh
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    include      system-auth
session    required     /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0077
```

See how the "auth include system-auth" is at the bottom?

BTW, I just tested it on my system, works fine. Actually, your question pointed out a possible security hole on my side, so I should be thanking you. So, thank you :)
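To make the ordering rule above concrete, here is an added Python model of how Linux-PAM walks one auth stack; it is a constructed example, not code from this thread or from Linux-PAM, and the user table, password check and group check are stand-ins for pam_ldap/pam_unix and a group-membership module. It shows why a successful `sufficient pam_ldap.so` inside an included system-auth ends the stack before a later `required` group check ever runs, and why putting the group line above the include lets its failure stick (the same reason the thread's final config places `pam_require.so @ssh` before `account include system-auth`).

```python
"""Minimal model of Linux-PAM control flags for one management type.

Constructed example: USERS stands in for the LDAP directory, pam_ldap for
the password module, pam_group for a group-membership module.
"""

# Constructed directory: name -> (password, set of groups). Only mary is in "ssh".
USERS = {"mary": ("s3cret", {"users", "ssh"}), "bob": ("hunter2", {"users"})}


def pam_ldap(user, password):
    """Password check, like `auth sufficient pam_ldap.so`."""
    return "ok" if USERS.get(user, (None,))[0] == password else "fail"


def pam_group(group):
    """Factory for a `required` group check, like `group=ssh`."""
    def check(user, password):
        return "ok" if group in USERS.get(user, (None, set()))[1] else "fail"
    return check


def pam_deny(user, password):
    return "fail"


def run_stack(stack, user, password):
    """Evaluate [(control, module), ...] with Linux-PAM semantics.

    required: a failure is remembered but later lines still run.
    requisite: a failure returns immediately.
    sufficient: success returns immediately unless a required line already failed.
    """
    required_failed = False
    for control, module in stack:
        result = module(user, password)
        if control == "requisite" and result == "fail":
            return "fail"
        if control == "required" and result == "fail":
            required_failed = True
        if control == "sufficient" and result == "ok" and not required_failed:
            return "ok"  # stack ends here; anything below never runs
    return "fail" if required_failed else "ok"


# auth lines of system-auth as pulled in by `auth include system-auth`.
SYSTEM_AUTH = [("sufficient", pam_ldap), ("required", pam_deny)]

# First sshd layout in the thread: include first, group check after it.
SSHD_INCLUDE_FIRST = SYSTEM_AUTH + [("required", pam_group("ssh"))]
# Reordered layout: group check before the include.
SSHD_GROUP_FIRST = [("required", pam_group("ssh"))] + SYSTEM_AUTH


def who_gets_in(stack):
    """Try every user with their correct password against a stack."""
    return {u: run_stack(stack, u, USERS[u][0]) for u in USERS}
```

One caveat the model does not show: pam_wheel checks the group membership of the calling user (resolved from the login record, or from the real uid with `use_uid`), not of the account being authenticated, so under sshd that lookup either fails (the "who is running me ?!" debug line) or resolves to sshd's own uid. A module that examines the authenticating user, such as the pam_require line adopted later in the thread, is the right kind of check for a login service.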

----------

## M1Sports20

Hmm, still doesn't work for me. Here are my new system-auth and sshd PAM files. I have also included a log file.

system-auth

```
# this is to lock out password users after many password attempts, except root
auth       required     pam_tally.so    onerr=fail no_magic_root
# set env vars
auth       required     pam_env.so
# the nodelay option can be added to the following line to stop that 1 sec delay
auth       sufficient   pam_unix.so likeauth nullok
auth       sufficient   pam_ldap.so use_first_pass
auth       required     pam_deny.so
# this is to lock out password users after 5 password attempts, except root
account    required     pam_tally.so    deny=5  reset   no_magic_root
account    sufficient   pam_ldap.so
account    required     pam_unix.so
password   required     pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password   sufficient   pam_unix.so nullok smd5 shadow use_authtok
password   sufficient   pam_ldap.so use_authtok
password   required     pam_deny.so
# create home dirs if they don't exist
session    required     /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0077
session    required     pam_limits.so
session    required     pam_unix.so
session    optional     pam_ldap.so
```

sshd

```
auth       required     pam_shells.so
auth       required     pam_nologin.so
auth       required     pam_wheel.so    group=ssh
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    include      system-auth
```

auth.log

```
Apr 23 19:00:56 MSServer sshd(pam_unix)[12626]: check pass; user unknown
Apr 23 19:00:56 MSServer sshd(pam_unix)[12626]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=adsl-69-210-97-133.dsl.milwwi.ameritech.net
Apr 23 19:00:58 MSServer sshd[29019]: error: PAM: Error in service module for mary from adsl-69-210-97-133.dsl.milwwi.ameritech.net
Apr 23 19:01:03 MSServer sshd(pam_unix)[19727]: check pass; user unknown
Apr 23 19:01:03 MSServer sshd(pam_unix)[19727]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=adsl-69-210-97-133.dsl.milwwi.ameritech.net
Apr 23 19:01:05 MSServer sshd[29019]: error: PAM: Error in service module for mary from adsl-69-210-97-133.dsl.milwwi.ameritech.net
Apr 23 19:02:45 MSServer sshd(pam_unix)[32753]: check pass; user unknown
Apr 23 19:02:45 MSServer sshd(pam_unix)[32753]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=adsl-69-210-97-133.dsl.milwwi.ameritech.net
Apr 23 19:02:47 MSServer sshd[9324]: error: PAM: Error in service module for mary from adsl-69-210-97-133.dsl.milwwi.ameritech.net
Apr 23 19:04:29 MSServer sshd[9324]: fatal: Timeout before authentication for 69.210.97.133
```

id mary

```
uid=10000(mary) gid=100(users) groups=100(users),10000(ssh)
```

Thanks for all your help. I am new to PAM. With your help and additional reading I have learned so much.

----------

## M1Sports20

Here is the output if I put debug on the line with:

```
auth required pam_wheel.so group=ssh debug
```

```
Apr 23 19:37:51 MSServer PAM-Wheel[794]: who is running me ?!
Apr 23 19:38:00 MSServer sshd(pam_unix)[794]: check pass; user unknown
Apr 23 19:38:00 MSServer sshd(pam_unix)[794]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=adsl-69-210-97-133.dsl.milwwi.ameritech.net
Apr 23 19:38:03 MSServer sshd[8099]: error: PAM: Error in service module for mary from adsl-69-210-97-133.dsl.milwwi.ameritech.net
Apr 23 19:38:03 MSServer PAM-Wheel[16997]: who is running me ?!
```

----------

## M1Sports20

bump

Doesn't anyone know why this doesn't work?

I have seen other people do this with Red Hat.

----------

## M1Sports20

OK, so if anyone wants to know, I found a workaround.

```
emerge pam_require    # as of today it is in the unstable branch
```

Then add a line like the following to ssh to allow only the ssh group to ssh into a computer:

```
account      required     pam_require.so    @ssh
```

If you want to allow just a user, type this:

```
account      required     pam_require.so    root
```

so my final configs look like the following

/etc/pam.d/ssh

```
#%PAM-1.0
auth       required     pam_shells.so
auth       required     pam_nologin.so
#auth      required     pam_wheel.so    group=ssh debug use_uid
auth       include      system-auth
account    required     pam_require.so    @ssh
account    include      system-auth
password   include      system-auth
session    include      system-auth
```

/etc/pam.d/system-auth (a lot of extra stuff for other purposes; the original should work if using just flat files)

```
#%PAM-1.0
# this is to lock out password users after many password attempts, except root
auth       required     pam_tally.so    onerr=fail no_magic_root
# set env vars
auth       required     pam_env.so
# the nodelay option can be added to the following line to stop that 1 sec delay
auth       sufficient   pam_unix.so likeauth nullok
auth       sufficient   pam_ldap.so use_first_pass
auth       required     pam_deny.so
# this is to lock out password users after 5 password attempts, except root
account    required     pam_tally.so    deny=5  reset   no_magic_root
account    sufficient   pam_ldap.so
account    required     pam_unix.so
password   required     pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password   sufficient   pam_unix.so nullok smd5 shadow use_authtok
password   sufficient   pam_ldap.so use_authtok
password   required     pam_deny.so
# create home dirs if they don't exist
session    required     /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0077
session    required     pam_limits.so
session    required     pam_unix.so
session    optional     pam_ldap.so
```

----------

