# SSH login based on PAM and an LDAP database

## BORZO

Hello

I have a problem with users from the LDAP database logging in to the server over SSH. The only user who can log in is root. Maybe one of you has run into this problem and can help me. Oddly, when a user that exists in the LDAP database logs in and enters the correct password, the connection to the server is simply dropped, whereas after entering a wrong password "Authentication succeeded" appears, followed immediately by "access denied". The users exist only in the LDAP database. Below is the information from logging in over SSH

First example, correct password:

```
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to charon [192.168.10.2] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.2
debug1: match: OpenSSH_4.2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.2p1 Debian-7ubuntu3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'charon' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:4
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/identity
debug1: Trying private key: /root/.ssh/id_rsa
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
Password:
debug1: Authentication succeeded (keyboard-interactive).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = en_GB.UTF-8
debug1: channel 0: free: client-session, nchannels 1
Connection to charon closed by remote host.
Connection to charon closed.
debug1: Transferred: stdin 0, stdout 0, stderr 75 bytes in 0.1 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 667.9
debug1: Exit status -1
```

Second example, wrong password:

```
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to charon [192.168.10.2] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.2
debug1: match: OpenSSH_4.2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.2p1 Debian-7ubuntu3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'charon' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:4
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/identity
debug1: Trying private key: /root/.ssh/id_rsa
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
Password:
debug1: Authentications that can continue: publickey,keyboard-interactive
Password:
debug1: Authentications that can continue: publickey,keyboard-interactive
Password:
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: No more authentication methods to try.
Permission denied (publickey,keyboard-interactive).
```

My OpenSSH configuration:

```
#Port 22
Protocol 2
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel VERBOSE

# Authentication:
#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile     .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

PasswordAuthentication no
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# ChallengeResponseAuthentication=no
UsePAM yes

#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#Banner /some/path

Subsystem       sftp    /usr/lib/misc/sftp-server

IgnoreRhosts yes
IgnoreUserKnownHosts no
PrintMotd yes
StrictModes yes
RSAAuthentication yes
PermitRootLogin yes
PermitEmptyPasswords no
```

and /etc/pam.d/sshd

```
#%PAM-1.0
auth       include      system-auth
auth       required     pam_shells.so
auth       required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    include      system-auth
```

Note that the file /etc/nologin does not exist, so there is no way it is blocking logins of users other than root

and /etc/pam.d/system-auth

```
#%PAM-1.0
auth       required     pam_env.so
auth       sufficient   pam_unix.so likeauth nullok
auth       sufficient   pam_ldap.so use_first_pass
auth       required     pam_deny.so
account    required     pam_unix.so
account    sufficient   pam_ldap.so
password   required     pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3 type=
password   sufficient   pam_unix.so nullok md5 shadow use_authtok
password   sufficient   pam_ldap.so use_authtok
password   required     pam_deny.so
session    required     pam_limits.so
session    required     pam_unix.so
session    optional     pam_ldap.so
```

Thanks in advance for any help

----------

## Kurt Steiner

Moved from Instalacja i sprzęt to Polish.

----------

## Raku

*BORZO wrote:*

> ```
> account    required     pam_unix.so
> ...
> ```

and what if you do s/required/sufficient ?
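Added example (editor's code, not from the thread or any poster): a small Linux-PAM control-flag simulator that runs the `account` stack from the `system-auth` file posted above, first with `pam_unix.so` as `required` and then as `sufficient`, which is the change Raku suggests. It follows the `required` / `requisite` / `sufficient` / `optional` semantics documented in pam.conf(5) and the dispatch logic of Linux-PAM (an undecided stack fails). The module return codes are an assumption passed in as a dict; in particular the LDAP-only user is modelled as unknown to `pam_unix.so`, which is one reading of the thread, not a verified fact about this box.

```python
"""Linux-PAM control-flag simulator (added example; not code from the thread).

Evaluates a pam.d `account` stack the way pam.conf(5) describes the simple
control keywords, so the effect of s/required/sufficient on the thread's
system-auth can be seen for three kinds of user. Module return codes are
supplied by the caller (assumption); no real PAM module is loaded.
"""
from typing import Dict, List, Tuple

OK = "success"
MUST_FAIL = "perm_denied"   # Linux-PAM's PAM_MUST_FAIL_CODE: a stack nobody decided fails

Entry = Tuple[str, str, List[str]]   # (control, module, args)

# Account stacks as posted in the thread: /etc/pam.d/sshd includes system-auth.
SSHD = """\
#%PAM-1.0
auth       include      system-auth
account    include      system-auth
"""
SYSTEM_AUTH_REQUIRED = """\
account    required     pam_unix.so
account    sufficient   pam_ldap.so
"""
SYSTEM_AUTH_SUFFICIENT = """\
account    sufficient   pam_unix.so
account    sufficient   pam_ldap.so
"""


def parse_pam(text: str) -> List[Tuple[str, str, str, List[str]]]:
    """Split pam.d lines into (type, control, module, args); comments are dropped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        mtype, control, module, *args = line.split()
        entries.append((mtype, control, module, args))
    return entries


def resolve(files: Dict[str, str], name: str, mtype: str) -> List[Entry]:
    """Collect one management group (e.g. `account`) from a file, expanding `include`."""
    stack: List[Entry] = []
    for t, control, module, args in parse_pam(files[name]):
        if t != mtype:
            continue
        if control == "include":
            stack.extend(resolve(files, module, mtype))
        else:
            stack.append((control, module, args))
    return stack


def run_stack(stack: List[Entry], outcomes: Dict[str, str]) -> Tuple[str, List[str]]:
    """Combine module results with the simple control keywords.

    `outcomes` maps module name -> return code for the user being checked.
    required: a failure is recorded and the stack continues.
    requisite: a failure stops the stack at once.
    sufficient: a success stops the stack (an earlier recorded failure still wins);
                a failure is ignored.
    optional: never decides on its own here.
    """
    impression = None            # None = undecided, True = positive, False = negative
    status = MUST_FAIL
    trace: List[str] = []
    for control, module, _args in stack:
        rc = outcomes.get(module, OK)
        trace.append(f"{control:<10} {module:<12} -> {rc}")
        if rc == OK:
            action = "done" if control == "sufficient" else "ok"
        else:
            action = {"required": "bad", "requisite": "die"}.get(control, "ignore")
        if action in ("ok", "done") and impression is None:
            impression, status = True, OK
        elif action in ("bad", "die") and impression is not False:
            impression, status = False, rc      # first failure is what gets returned
        if action in ("done", "die"):
            break
    return status, trace


def account_result(system_auth: str, outcomes: Dict[str, str]) -> str:
    """Final code of the sshd `account` stack for the given module outcomes."""
    files = {"sshd": SSHD, "system-auth": system_auth}
    status, _trace = run_stack(resolve(files, "sshd", "account"), outcomes)
    return status


# Constructed scenarios. The LDAP-only user is modelled as unknown to pam_unix.so
# (assumption: what the real module returns depends on what NSS hands it).
LDAP_ONLY = {"pam_unix.so": "user_unknown", "pam_ldap.so": OK}
LOCAL_ONLY = {"pam_unix.so": OK, "pam_ldap.so": "user_unknown"}
NOBODY = {"pam_unix.so": "user_unknown", "pam_ldap.so": "user_unknown"}

if __name__ == "__main__":
    for label, text in (("required", SYSTEM_AUTH_REQUIRED), ("sufficient", SYSTEM_AUTH_SUFFICIENT)):
        for who, outcomes in (("ldap-only", LDAP_ONLY), ("local", LOCAL_ONLY), ("nobody", NOBODY)):
            print(f"pam_unix {label:<10} {who:<10} -> {account_result(text, outcomes)}")
```

With `pam_unix.so` as `required`, the LDAP-only user is refused no matter what `pam_ldap.so` says; with both lines `sufficient`, the first module that knows the user decides. The last scenario is the caveat to keep in mind when making every line `sufficient`: a user unknown to both modules is still refused only because Linux-PAM fails a stack in which no module made a decision. An explicit `account required pam_deny.so` at the end, as the `auth` and `password` stacks above already have, states that intent rather than relying on it.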

----------

## BORZO

Unfortunately it doesn't work. Additionally, logs from /var/log/message

```
Apr 24 10:20:55 charon sshd(pam_unix)[27065]: session opened for user ldapuser by (uid=0)
Apr 24 10:20:55 charon slapd[26989]: conn=63 fd=21 ACCEPT from IP=127.0.0.1:51481 (IP=0.0.0.0:389)
Apr 24 10:20:55 charon slapd[26989]: conn=63 op=0 BIND dn="" method=128
Apr 24 10:20:55 charon slapd[26989]: conn=63 op=0 RESULT tag=97 err=0 text=
Apr 24 10:20:55 charon slapd[26989]: conn=63 op=1 SRCH base="ou=Machines,dc=koleman,dc=local" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=ldapuser))"
Apr 24 10:20:55 charon slapd[26989]: conn=63 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Apr 24 10:20:55 charon slapd[26989]: conn=63 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
Apr 24 10:20:55 charon slapd[26989]: conn=63 op=2 SRCH base="ou=Users,dc=koleman,dc=local" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=ldapuser))"
Apr 24 10:20:55 charon slapd[26989]: conn=63 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Apr 24 10:20:55 charon sshd[27059]: nss_ldap: could not search LDAP server - Server is unavailable
Apr 24 10:20:55 charon sshd[27059]: fatal: login_get_lastlog: Cannot find account for uid 1162
Apr 24 10:20:55 charon slapd[26989]: conn=63 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Apr 24 10:20:55 charon slapd[26989]: conn=63 fd=21 closed (connection lost)
Apr 24 10:20:55 charon sshd[27059]: syslogin_perform_logout: logout() returned an error
Apr 24 10:20:55 charon sshd(pam_unix)[27065]: session closed for user ldapuser
```

strange, because the LDAP server works; on Debian, users can log in over SSH against the same LDAP database. I don't know why only the ssh server has problems connecting to the database through nss_ldap
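Added example (editor's code, not from the thread or any poster): a Python script that rebuilds slapd's per-connection timeline from syslog lines like the ones above and checks, for each `conn=`, whether every op got its RESULT, whether the client logged an error before the last result arrived, and who ended the connection. The embedded log is a constructed subset of BORZO's lines; the format assumed is syslog with slapd at its default stats logging, as in the thread. Run against this log it makes explicit what the two highlighted lines hint at: slapd did answer op=2 with `nentries=1`, but sshd's nss_ldap had already reported "Server is unavailable", and the connection ended with "connection lost", i.e. from the client side.

```python
"""Rebuild slapd connection timelines from syslog lines and say who gave up.

Added example, not code from the thread. Assumes slapd stats logging
(conn=N op=M ... lines) mixed with sshd lines in one syslog file. SAMPLE_LOG
is a constructed subset of the lines posted in the thread.
"""
import re
from typing import Dict, Iterator, Tuple

SAMPLE_LOG = """\
Apr 24 10:20:55 charon sshd(pam_unix)[27065]: session opened for user ldapuser by (uid=0)
Apr 24 10:20:55 charon slapd[26989]: conn=63 fd=21 ACCEPT from IP=127.0.0.1:51481 (IP=0.0.0.0:389)
Apr 24 10:20:55 charon slapd[26989]: conn=63 op=0 BIND dn="" method=128
Apr 24 10:20:55 charon slapd[26989]: conn=63 op=0 RESULT tag=97 err=0 text=
Apr 24 10:20:55 charon slapd[26989]: conn=63 op=1 SRCH base="ou=Machines,dc=koleman,dc=local" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=ldapuser))"
Apr 24 10:20:55 charon slapd[26989]: conn=63 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
Apr 24 10:20:55 charon slapd[26989]: conn=63 op=2 SRCH base="ou=Users,dc=koleman,dc=local" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=ldapuser))"
Apr 24 10:20:55 charon sshd[27059]: nss_ldap: could not search LDAP server - Server is unavailable
Apr 24 10:20:55 charon sshd[27059]: fatal: login_get_lastlog: Cannot find account for uid 1162
Apr 24 10:20:55 charon slapd[26989]: conn=63 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Apr 24 10:20:55 charon slapd[26989]: conn=63 fd=21 closed (connection lost)
Apr 24 10:20:55 charon sshd(pam_unix)[27065]: session closed for user ldapuser
"""

SYSLOG = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[\w.()-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
CONN = re.compile(r"^conn=(?P<conn>\d+) (?:op=(?P<op>\d+) )?(?P<rest>.*)$")
CLIENT_ERROR = ("nss_ldap:", "Cannot find account")   # sshd-side symptoms from the thread


def parse(log: str) -> Iterator[Tuple[int, str, str]]:
    """Yield (seq, program, message) per syslog line; seq preserves file order."""
    for seq, line in enumerate(log.splitlines()):
        m = SYSLOG.match(line)
        if m:
            yield seq, m["prog"], m["msg"]


def analyze(log: str) -> Dict[int, dict]:
    """Group slapd lines per connection; attach client errors logged while it was open."""
    conns: Dict[int, dict] = {}
    open_conns = set()
    for seq, prog, msg in parse(log):
        if prog == "slapd":
            m = CONN.match(msg)
            if not m:
                continue
            cid = int(m["conn"])
            c = conns.setdefault(cid, {"ops": {}, "closed": None, "client_errors": []})
            rest = m["rest"]
            if "ACCEPT" in rest:
                open_conns.add(cid)
            elif "closed" in rest:
                c["closed"] = rest
                open_conns.discard(cid)
            elif m["op"] is not None:
                op = c["ops"].setdefault(int(m["op"]), {"request": None, "result": None, "result_seq": None})
                if rest.startswith(("RESULT", "SEARCH RESULT")):
                    op["result"], op["result_seq"] = rest, seq
                elif op["request"] is None:      # keep the first request line (SRCH base=..., not SRCH attr=...)
                    op["request"] = rest
        elif any(marker in msg for marker in CLIENT_ERROR):
            # Attribute the client-side error to every connection open at that moment.
            # Heuristic: time order only; the log carries no pid-to-connection link.
            for cid in open_conns:
                conns[cid]["client_errors"].append((seq, prog, msg))
    return conns


def found_entries(conn: dict) -> int:
    """Entries slapd returned on this connection, summed from SEARCH RESULT lines."""
    total = 0
    for op in conn["ops"].values():
        m = re.search(r"nentries=(\d+)", op["result"] or "")
        total += int(m.group(1)) if m else 0
    return total


def verdict(conn: dict) -> str:
    """Decide from the timeline whether the server or the client ended the exchange."""
    if not conn["ops"]:
        return "no operations on this connection"
    unanswered = sorted(op for op, e in conn["ops"].items() if e["result"] is None)
    if unanswered:
        return f"server never answered op(s) {unanswered}"
    last_result = max(e["result_seq"] for e in conn["ops"].values())
    early_errors = [e for e in conn["client_errors"] if e[0] < last_result]
    if early_errors and conn["closed"] and "connection lost" in conn["closed"]:
        return "server answered every op; client reported failure before the last result and dropped the connection"
    return "server answered every op; connection closed without client-side errors"


if __name__ == "__main__":
    for cid, conn in sorted(analyze(SAMPLE_LOG).items()):
        print(f"conn={cid}: {len(conn['ops'])} ops, {found_entries(conn)} entries, closed: {conn['closed']}")
        for seq, prog, msg in conn["client_errors"]:
            print(f"  client error (line {seq}): {prog}: {msg}")
        print(f"  verdict: {verdict(conn)}")
```

The point of the check is to separate "the LDAP server is down" from "the client in the sshd process gave up", which is exactly what this thread is stuck on: `getent passwd` working from a shell says nothing about what the nss_ldap instance inside sshd saw. The attribution of sshd lines to a connection is by time order only, so on a busy server with several slapd connections open at once an error is listed under each of them and has to be read together with the pid.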

----------

## qermit

*BORZO wrote:*

> Unfortunately it doesn't work. Additionally, logs from /var/log/message
>
> ```
> Apr 24 10:20:55 charon sshd[27059]: nss_ldap: could not search LDAP server - Server is unavailable
> ...
> ```

most likely you don't have /etc/libnss-ldap.conf configured

if you want to check whether nss with ldap works for you, do getent passwd

----------

## BORZO

well, that's the thing, everything works: getent passwd and getent group fetch entries from the ldap database

----------

