From: Stephen Smoogen (smoogen_at_lanl.gov)
Date: Mon Feb 24 2003 - 12:53:28 CST


    The main issues I have found with not being able to log in via SSH are
    due to 1 of 2 problems. Passwords/accounts are via a KDC and the
    /etc/pam.d/sshd does not look up in the correct place. Versions of
    OpenSSH before 3.5p1 use pam_unix.so or pam_pwdb.so.

    Try the following from openssh-3.5p1

    #%PAM-1.0
    auth required pam_stack.so service=system-auth
    auth required pam_nologin.so
    account required pam_stack.so service=system-auth
    password required pam_stack.so service=system-auth
    session required pam_stack.so service=system-auth
    session required pam_limits.so
    session optional pam_console.so

    The second problem we have found has been due to some extra data that
    authconfig puts into system-auth. For our KDC environment it causes
    accounts NOT to be able to log in. The offending line is

    account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_krb5.so

    Changing this to

    account sufficient /lib/security/pam_krb5.so

    allowed ssh to log in (plus cleared up some other issues with console
    logins).

    If both of these suggestions are wrong, try the following. Run sshd on a
    high port with an increasing number of -d flags and try to narrow down
    what is killing the authentication.

    sshd -p 9999 -d

    is what I did to figure out things over time. After that it was adding
    debug flags to pam.d files.

    Hope this helps
    Stephen

    On Mon, 2003-02-24 at 11:23, John Oliver wrote:
    > On Mon, Feb 24, 2003 at 11:40:50AM -0500, TRUCKS, JESSE (SBCSI) wrote:
    > > You didn't post what problem you are having.
    >
    > Well, I can't log on with SSH... :-)
    >
    > > Have you checked your pam configuration?
    >
    > I know *nothing* about PAM. I've "checked the config" by comparing to
    > examples I find on the Internet.
    >
    > > Do you have any logged debug/message output?
    >
    > Nope.
    >
    > > Is SSH compiled to use PAM?
    >
    > Dunno. Does OpenSSH that comes with Red Hat come compiled with PAM? I
    > didn't realize that it might not be... I thought all authentication with
    > Red Hat was handled through PAM.
    >
    > --
    > John Oliver, CCNA http://www.john-oliver.net/
    > Linux/UNIX/network consulting http://www.john-oliver.net/resume/
    > *** sendmail, Apache, ftp, DNS, spam filtering ***
    > **** Colocation, T1s, web/email/ftp hosting ****
    >
    >
    >
    > _______________________________________________
    > Pam-list mailing list
    > Pam-listredhat.com
    > https://listman.redhat.com/mailman/listinfo/pam-list
    >

    -- 
    Stephen John Smoogen		smoogenlanl.gov
    Los Alamos National Labrador  CCN-2 B-Schedule  PH: 
    Ta-03 SM-261  MailStop P208 DP 17U  Los Alamos, NM 87545
    -- So shines a good deed in a weary world. = Willy Wonka --
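
The difference between the two pam_krb5 control fields above, as an added example that is not part of the original message: a small Python model of how Linux-PAM applies control fields as documented in pam.conf(5). Only the two pam_krb5 lines come from the message; the trailing pam_unix rule, the module order and the simulated return values are constructed assumptions.

```python
# Added example: simplified model of Linux-PAM control fields (no jump/reset actions).
import re

# Bracket equivalents of the simple control keywords, per pam.conf(5).
KEYWORDS = {
    "required":   "success=ok new_authtok_reqd=ok ignore=ignore default=bad",
    "requisite":  "success=ok new_authtok_reqd=ok ignore=ignore default=die",
    "sufficient": "success=done new_authtok_reqd=done default=ignore",
    "optional":   "success=ok new_authtok_reqd=ok default=ignore",
}

def parse_line(line):
    """Split one pam.d rule into (type, {return_value: action}, module)."""
    m = re.match(r"\s*(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)", line)
    if not m:
        raise ValueError("not a PAM rule: %r" % line)
    mtype, control, module = m.groups()
    spec = control[1:-1] if control.startswith("[") else KEYWORDS[control]
    return mtype, dict(tok.split("=", 1) for tok in spec.split()), module

def run_stack(rules, returns):
    """Evaluate a stack; `returns` maps module path -> simulated return value."""
    failure, positive, trace = None, False, []
    for line in rules:
        _, actions, module = parse_line(line)
        ret = returns[module]
        act = actions.get(ret, actions["default"])  # every rule here sets default
        trace.append((module, ret, act))
        if act in ("ok", "done") and failure is None:
            positive = True
            if act == "done":        # success ends the stack: later rules never run
                break
        elif act in ("bad", "die"):
            failure = failure or ret  # first failure decides the result
            if act == "die":
                break
    return positive and failure is None, trace

KRB5, UNIX = "/lib/security/pam_krb5.so", "/lib/security/pam_unix.so"
# Constructed stacks: only the pam_krb5 lines come from the message above; the
# trailing pam_unix rule and the module order are assumptions for illustration.
BEFORE = ["account [default=bad success=ok user_unknown=ignore service_err=ignore "
          "system_err=ignore] " + KRB5, "account required " + UNIX]
AFTER = ["account sufficient " + KRB5, "account required " + UNIX]

if __name__ == "__main__":
    for returns in ({KRB5: "success", UNIX: "user_unknown"},
                    {KRB5: "acct_expired", UNIX: "success"}):
        for name, stack in (("before", BEFORE), ("after", AFTER)):
            print(name, returns, run_stack(stack, returns))
```

In this model the `sufficient` form ends the account stack as soon as pam_krb5 succeeds and ignores every pam_krb5 failure, so any account check that must still apply has to be enforced by another rule.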
    
