From: "Brian A. Seklecki"
To: Frank Bonnet
Cc: freebsd-questions@freebsd.org
Date: Tue, 25 Mar 2008 11:33:38 -0400
Subject: Re: Working /etc/pam.d/sshd file with pam_ldap 6.3 or 7.0 ?

On Tue, 2008-03-25 at 16:31 +0100, Frank Bonnet wrote:
> Hello Brian
>
> Thanks for the quick answer but I'm still in trouble

Turn on the debugging flags in the configuration file for pam_ldap
in /usr/local/etc and watch the console on the system.
~BAS

> when I try to ssh connect to the machine I fall in a loop
> like the following
>
> panzer:~> ssh xxxxxxx@foo
> Password:
> Old Password:
> Password:
> Old Password:
> Password:
>
> I am SURE the password I type works
>
> Brian A. Seklecki wrote:
> > The problem is that the PAM libraries provide shit-fuck-ass-worthless
> > debug mechanisms. This is only eclipsed by the terribly organized
> > information on LDAP+NSS+PAM for FreeBSD on the web.
> >
> > The file is the same for pam.d/system and /usr/local/etc/pam.d/sudo.
> > Please put this on the OpenLDAP / PADL Wiki somewhere:
> >
> > seklecki@fucksake:/home/seklecki$ more /etc/pam.d/sshd
> >
> > # $FreeBSD: src/etc/pam.d/sshd,v 1.15 2003/04/30 21:57:54 markm Exp $
> > #
> > # PAM configuration for the "sshd" service
> > #
> >
> > # auth
> > #auth required pam_nologin.so no_warn
> > #auth sufficient pam_opie.so no_warn no_fake_prompts
> > #auth requisite pam_opieaccess.so no_warn allow_local
> > #auth sufficient pam_krb5.so no_warn try_first_pass
> > #auth sufficient pam_ssh.so no_warn try_first_pass
> > auth sufficient /usr/local/lib/pam_ldap.so
> > auth required pam_unix.so no_warn try_first_pass
> >
> > # account
> > #account required pam_krb5.so
> > account required pam_login_access.so
> > account required /usr/local/lib/pam_ldap.so ignore_authinfo_unavail ignore_unknown_user
> > account required pam_unix.so
> >
> > # session
> > #session optional pam_ssh.so
> > session required pam_permit.so
> > session sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass
> >
> > # password
> > #password sufficient pam_krb5.so no_warn try_first_pass
> > password required pam_unix.so no_warn try_first_pass
> > #password required /usr/local/lib/pam_ldap.so no_warn try_first_pass
> >
> > Also try:
> >
> > $ grep -i debug /usr/local/etc/ldap.conf
> > #debug 1
> > $ grep -i debug /usr/local/etc/nss_ldap.conf
> > #debug 1
> >
> > Higher levels for fun.
> >
> > ~BAS
> >
> > On Tue, 2008-03-25 at 15:34 +0100, Frank Bonnet wrote:
> >> Hello
> >>
> >> I can't get a working sshd access using pam_ldap and nss_ldap
> >>
> >> /etc/nsswitch.conf is OK
> >>
> >> but I'm having difficulties configuring pam_ldap for ssh access
> >> on a machine ( 6.3 or 7.0 ) ... I have been trying a lot to configure
> >> the /etc/pam.d/sshd file but haven't had any success (sigh!)
> >>
> >> Could anyone help?
> >>
> >> Thanks a lot !

--
Brian A. Seklecki
Collaborative Fusion, Inc.
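
Added example, not part of the thread and not FreeBSD or PADL code: a simplified Python model of how the control flags in the quoted sshd file decide the `auth` and `account` chains. The flag semantics (a successful `sufficient` ends the chain, a failed one is ignored) and the use of `None` for a module result that the stack ignores are assumptions of the model; module outcomes are constructed inputs, and nothing here contacts LDAP.

```python
# Added example: simplified model of PAM control flags, not real PAM code.
# Chains come from the sshd file quoted in the thread (wrapped lines rejoined).
SSHD_PAM = """\
#auth sufficient pam_krb5.so no_warn try_first_pass
auth sufficient /usr/local/lib/pam_ldap.so
auth required pam_unix.so no_warn try_first_pass
account required pam_login_access.so
account required /usr/local/lib/pam_ldap.so ignore_authinfo_unavail ignore_unknown_user
account required pam_unix.so
"""
FLAGS = {"required", "requisite", "sufficient", "optional"}  # only these are modelled


def parse_chain(text, facility):
    """Return [(control, module, options)] for one facility, skipping comments."""
    chain = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == facility:
            if fields[1] not in FLAGS:
                raise ValueError("control flag not modelled: " + fields[1])
            chain.append((fields[1], fields[2].rsplit("/", 1)[-1], fields[3:]))
    return chain


def evaluate(chain, outcomes):
    """outcomes maps module -> True (success), False (failure) or None
    (result ignored by the stack). Returns (granted, modules_that_ran)."""
    failed = succeeded = False
    ran = []
    for control, module, _options in chain:
        result = outcomes[module]
        ran.append(module)
        if result is None or control == "optional":
            continue                  # no effect on the verdict
        if control == "sufficient":
            if result and not failed:
                return True, ran      # success ends the chain early
            continue                  # a failed "sufficient" is ignored
        if result:
            succeeded = True
        else:
            failed = True
            if control == "requisite":
                return False, ran     # failure ends the chain early
    return succeeded and not failed, ran


if __name__ == "__main__":
    auth = parse_chain(SSHD_PAM, "auth")
    print(evaluate(auth, {"pam_ldap.so": False, "pam_unix.so": True}))
```

In the `account` chain every module is `required`, so a plain failure from pam_ldap denies the login even when pam_unix succeeds; the model shows the difference between that and an ignored result.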