Date: Sun, 16 Dec 2007 16:06:18 +0100
From: "O. Hartmann" <ohartman@mail.zedat.fu-berlin.de>
To: freebsd-questions@freebsd.org
Subject: PAM and OpenLDAP: Login requires always existence of SSH pubkey, why?
Message-ID: <47653EEA.1090700@mail.zedat.fu-berlin.de>
Hello. I use FreeBSD 7.0-BETA on several boxes with different architectures (i386/amd64). Users within our network have to authenticate against an OpenLDAP server via PAM. I have the annoying problem that every user getting authenticated needs a public key, and the passphrase set on the SSH public key is the passphrase that authenticates the user - not the passphrase/password set in the OpenLDAP DIT for that specific user!

My sshd_config looks quite common to the default sshd_conf offered with the FreeBSD sources, except three changes:

=============
# Change to yes to enable built-in password authentication.
PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable PAM authentication
ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes

# Set this to 'no' to disable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
=================

Setting PasswordAuthentication no and ChallengeResponseAuthentication no to force PAM to do authentication, accounting and session via LDAP results in no user being able to log in (error: pubkey/password).

In /etc/pam.d/sshd and system I have pam_sshd.so enabled in both auth and session. Without that it doesn't matter what is configured in sshd_conf; users can never log in, as LDAP would never check the passphrase. What is wrong?

Why is PAM forcing ssh into doing authentication and accounting and session management by default, although I configured PAM to do so? Can anybody help?

Thanks in advance,
Oliver
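As an added illustration (not from the original post or from FreeBSD's own sources), the small model below evaluates OpenPAM-style control flags over two constructed `auth` chains and shows why an `auth sufficient` pam_ssh line placed ahead of `pam_unix.so` lets the key passphrase, not the directory password, decide the login; the chain contents, the module pass/fail results and the `pam_ldap.so` placement are assumptions made for the example.

```python
# Added example: minimal model of how an OpenPAM 'auth' chain is evaluated.
# Both chains are constructed; the pam_ldap.so line is an assumption.
CHAIN_WITH_PAM_SSH = """
auth  sufficient  pam_ssh.so   no_warn try_first_pass
auth  required    pam_unix.so  no_warn try_first_pass
"""
CHAIN_WITH_PAM_LDAP = """
auth  sufficient  pam_ldap.so  no_warn try_first_pass
auth  required    pam_unix.so  no_warn try_first_pass
"""

def parse_chain(text, facility="auth"):
    # Return [(control, module)] for one facility, skipping blank/comment lines.
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fac, control, module, *_args = line.split()
        if fac == facility:
            rules.append((control, module))
    return rules

def run_chain(rules, results):
    # `results` maps module name -> True (pass) / False (fail) for this attempt.
    required_failed = False  # set once any 'required' module fails
    for control, module in rules:
        success = results.get(module, False)
        if control == "sufficient":
            if success and not required_failed:
                return True  # short-circuit: later modules never run
        elif control == "requisite":
            if not success:
                return False  # fail immediately
        elif control == "required":
            required_failed = required_failed or not success
        # 'optional' modules are ignored in this simplified model
    return not required_failed

def login_outcomes():
    # Compare what each chain does with the two secrets a user might type.
    ssh_chain = parse_chain(CHAIN_WITH_PAM_SSH)
    ldap_chain = parse_chain(CHAIN_WITH_PAM_LDAP)
    # Assumption: the account lives only in the directory, so pam_unix.so
    # has no local password hash to match and always fails.
    typed_ldap_password = {"pam_ssh.so": False, "pam_unix.so": False, "pam_ldap.so": True}
    typed_key_passphrase = {"pam_ssh.so": True, "pam_unix.so": False, "pam_ldap.so": False}
    return {
        "pam_ssh chain, LDAP password": run_chain(ssh_chain, typed_ldap_password),
        "pam_ssh chain, key passphrase": run_chain(ssh_chain, typed_key_passphrase),
        "pam_ldap chain, LDAP password": run_chain(ldap_chain, typed_ldap_password),
        "pam_ldap chain, key passphrase": run_chain(ldap_chain, typed_key_passphrase),
    }
```

With the pam_ssh chain only the key passphrase succeeds, which matches the symptom described above; with a directory-backed module in the sufficient slot the LDAP password is what decides.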