# [SOLVED] SSH logins don't use PAM sshd or system-auth

## kres

I've got SSH and LDAP set up on a box. LDAP passthrough on SSH works like a charm.

I have the pam_mkhomedir entry in my system-auth per RTFM:

/etc/pam.d/system-auth

```
auth            required        pam_env.so
auth            sufficient      pam_ldap.so
auth            required        pam_unix.so try_first_pass likeauth nullok
auth            optional        pam_permit.so

account         sufficient      pam_ldap.so
account         required        pam_unix.so
account         optional        pam_permit.so

password        required        pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password        required        pam_ldap.so
password        required        pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password        optional        pam_permit.so

session         required        pam_mkhomedir.so skel=/etc/skel/ umask=0022 debug
session         required        pam_limits.so
session         required        pam_env.so
session         sufficient      pam_ldap.so
session         required        pam_unix.so
session         optional        pam_permit.so
```

Notice the debug statement at the end of the pam_mkhomedir line; it's my trip wire. What I've been able to see is that system-auth never fires when I log in to the system via ssh with either an LDAP user or a local user. In fact I've NEVER seen an ssh login trip any one of my /etc/pam.d/ configs.

CLI

```
mymac:~ melocal$ ssh joeuser@10.46.10.151
Last login: Mon Dec  5 13:18:22 2016 from 10.3.16.125
Could not chdir to home directory /home/joeuser: No such file or directory
joeuser@brown_app_aws / $
```

However, if I sudo or su to a new user once logged in, then BANG: system-auth fires, pam_mkhomedir.so does its job (or evaluates the situation), the new user gets their directory if they didn't already have one, and I get a debug statement in my secure.log.

/var/log/secure.log

```
Dec  5 13:44:57 brown_app_aws sudo[3952]:     root : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/bin/su - joeuser
Dec  5 13:44:57 brown_app_aws sudo[3952]: pam_mkhomedir(sudo:session): Home directory /root already exists.
Dec  5 13:44:57 brown_app_aws su[3954]: Successful su for joeuser by root
Dec  5 13:44:57 brown_app_aws su[3954]: + /dev/pts/0 root:joeuser
Dec  5 13:44:57 brown_app_aws su[3954]: pam_mkhomedir(su:session): Executing mkhomedir_helper.
Dec  5 13:44:58 brown_app_aws su[3954]: pam_mkhomedir(su:session): mkhomedir_helper returned 0
```

CLI

```
brown_app_aws ~ # sudo su - joeuser
Creating directory '/home/joeuser'.
```

I've tried to drop the pam_mkhomedir.so in sshd, system-login, basically everywhere I can think of, and it never triggers with sshd logins. (USE flags verified with SSH PAM support, btw.)

Thoughts?

----------

## kres

Found it.

man sshd_config

```
     UsePAM  Enables the Pluggable Authentication Module interface.  If set to "yes" this will enable PAM authentication using
             ChallengeResponseAuthentication and PasswordAuthentication in addition to PAM account and session module processing
             for all authentication types.

             Because PAM challenge-response authentication usually serves an equivalent role to password authentication, you
             should disable either PasswordAuthentication or ChallengeResponseAuthentication.

             If UsePAM is enabled, you will not be able to run sshd(8) as a non-root user.  The default is "no".
```

On a FreeBSD system, or other systems, the default is "yes".

Because of that, if you want to have PAM and SSHD work together in Gentoo, you have to explicitly have the following line in your /etc/ssh/sshd_config file:

```
 UsePAM yes
```

PEBKAC - Too many distros under the belt.

----------
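An added example (not code from the thread or from any of the projects it mentions) for checking the two things this thread turns on: which UsePAM value sshd will actually use from a config file, and whether pam_mkhomedir ever ran under the sshd session stack. It relies on the sshd_config(5) rules that keywords are case-insensitive, that "=" or blanks may separate keyword and value, and that the first occurrence of a keyword wins; the sample config and log lines below are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. A "UsePAM yes" appended below
# an earlier "UsePAM no" changes nothing because sshd takes the first value;
# a missing keyword means the compiled-in default "no" quoted in the thread.

effective_usepam() {
    # $1: path to an sshd_config-style file; prints yes|no
    awk '
        { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }   # strip comments, trim
        NF == 0 { next }                                  # skip blank lines
        { n = split($0, f, /[ \t=]+/) }                   # keyword [=] value
        tolower(f[1]) == "usepam" && n >= 2 { print tolower(f[2]); found = 1; exit }
        END { if (!found) print "no" }
    ' "$1"
}

mkhomedir_sshd_events() {
    # $1: syslog-style auth log; counts pam_mkhomedir lines from the sshd
    # session stack, the "trip wire" the poster was looking for.
    grep -c 'pam_mkhomedir(sshd:session)' "$1" || :
}

# Constructed samples (not real files from the thread).
TMPD=$(mktemp -d)
cat > "$TMPD/sshd_config.bad" <<'EOF'
# an admin appended UsePAM yes without noticing the earlier line
PasswordAuthentication yes
UsePAM no
UsePAM yes
EOF
cat > "$TMPD/sshd_config.fixed" <<'EOF'
PasswordAuthentication yes
UsePAM = yes
EOF
cat > "$TMPD/sshd_config.absent" <<'EOF'
PasswordAuthentication yes
EOF
cat > "$TMPD/secure.log" <<'EOF'
Dec  5 13:44:57 brown_app_aws su[3954]: pam_mkhomedir(su:session): Executing mkhomedir_helper.
Dec  5 14:02:10 brown_app_aws sshd[4101]: pam_mkhomedir(sshd:session): Executing mkhomedir_helper.
Dec  5 14:02:10 brown_app_aws sshd[4101]: pam_mkhomedir(sshd:session): mkhomedir_helper returned 0
EOF

for c in bad fixed absent; do
    printf '%-7s UsePAM=%s\n' "$c" "$(effective_usepam "$TMPD/sshd_config.$c")"
done
printf 'pam_mkhomedir lines under sshd:session: %s\n' "$(mkhomedir_sshd_events "$TMPD/secure.log")"
```

On a live box, `sshd -T | grep -i usepam` prints the value the running configuration resolves to, which is the quickest way to confirm the fix took effect.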

