From: Steve Langasek (vorlon debian.org)
Date: Sun Mar 07 2010 - 16:08:45 CST
On Sun, Mar 07, 2010 at 02:36:45PM -0500, ben thielsen wrote:
> when attempting to connect, it appears that the password is accepted but
> access is denied by the account portion of the config. below is some
> output from ssh/sshd, the syslog auth facility, and my sshd pam config.
> i'm hoping i might get some guidance on what i'm doing wrong.
<snip>
> debug1: do_pam_account: called
> debug3: PAM: sshpam_passwd_conv called with 1 messages
> debug3: PAM: do_pam_account pam_acct_mgmt = 7 (Authentication failure)
<snip>
> >egrep -v '(^[[:space:]]*#|^[[:space:]]*$)' /etc/pam.d/sshd
> auth required pam_env.so # [1]
> auth required pam_env.so envfile=/etc/default/locale
> auth [success=2 default=ignore] pam_unix.so nullok_secure
> auth [success=1 default=ignore] pam_ldap.so use_first_pass
> auth requisite pam_deny.so
> auth required pam_permit.so
This implies that you've manually copied the contents of /etc/pam.d/common-*
into /etc/pam.d/sshd, instead of using the includes as-is. Is there a
reason for this?
> account required pam_nologin.so
> account [success=2 new_authtok_reqd=done default=ignore] pam_localuser.so #debug
> account [success=1 default=ignore] pam_ldap.so
> account requisite pam_deny.so
> account required pam_permit.so
Note that by omitting pam_unix here, sshd won't honor password expiry set
for any local accounts.

Have you tried adding 'debug' to the pam_ldap line here? Was there any more
log output when the 'debug' option was passed to pam_localuser (which you
seem to have added, then commented out)?

The output and PAM config suggest the problem is most likely with the
pam_ldap module, but so far there's insufficient information to say what the
problem is.
--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
Ubuntu Developer http://www.debian.org/
slangasek ubuntu.com vorlon debian.org
_______________________________________________
Pam-list mailing list
Pam-list redhat.com
https://www.redhat.com/mailman/listinfo/pam-list
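The account stack quoted in the message above uses numeric jumps (success=2, success=1) to step over pam_deny.so. The Python sketch below is an added example, not part of the original post and not libpam code: it models that control flow to show which module outcomes reach pam_deny.so. The function names and the per-module return codes are constructed assumptions; auth_err for pam_deny.so follows what pam_deny(8) documents for the account service.

```python
# Added example: simplified model of Linux-PAM stack control flow, not libpam code.
import re

ALIASES = {  # bracket equivalents of the keyword controls, per pam.conf(5)
    "required":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite": {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
}
# Account stack as quoted in the thread (trailing "#debug" comment dropped).
ACCOUNT_STACK = """\
account required pam_nologin.so
account [success=2 new_authtok_reqd=done default=ignore] pam_localuser.so
account [success=1 default=ignore] pam_ldap.so
account requisite pam_deny.so
account required pam_permit.so
"""

def parse(text):
    """Return [(module, {return_code: action})], one entry per stack line."""
    stack = []
    for line in text.splitlines():
        control, module = re.match(r"\S+\s+(\[[^\]]*\]|\S+)\s+(\S+)", line).groups()
        actions = ALIASES.get(control) or dict(kv.split("=") for kv in control[1:-1].split())
        stack.append((module, actions))
    return stack

def evaluate(stack, results):
    """results: module -> constructed return code. Returns (verdict, trace)."""
    status, failed, trace, i = None, False, [], 0
    while i < len(stack):
        module, actions = stack[i]
        rc = results[module]
        action = actions.get(rc, actions["default"])
        trace.append(f"{module}:{rc}->{action}")
        i += 1
        if action.isdigit():                            # jump: skip N modules, no vote
            i += int(action)
        elif action in ("ok", "done") and not failed:   # counts unless already failed
            status = rc if status in (None, "success") else status
        elif action in ("bad", "die") and not failed:   # first failure fixes the verdict
            status, failed = rc, True
        if action == "die" or (action == "done" and not failed):
            break
    return status or "must_fail", trace   # nothing voted: libpam fails the stack

# Constructed module results for three cases (not taken from the poster's logs).
BASE = {"pam_nologin.so": "success", "pam_deny.so": "auth_err", "pam_permit.so": "success"}
LOCAL_USER = {**BASE, "pam_localuser.so": "success"}
LDAP_OK = {**BASE, "pam_localuser.so": "perm_denied", "pam_ldap.so": "success"}
LDAP_NOT_OK = {**BASE, "pam_localuser.so": "perm_denied", "pam_ldap.so": "auth_err"}
```

In the LDAP_NOT_OK case neither pam_localuser.so nor pam_ldap.so returns success, so neither jump fires and the requisite pam_deny.so ends the stack before pam_permit.so runs.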