
RE: Telnet and PAM



> Since you're using nss_ldap, if you use pam_unix it will find a password
> entry for all of your users -- but it will fail to authenticate users that
> are in LDAP, since AFAIK nss_ldap won't return the password field.

I'm confused.  You're saying pam_unix will find passwords, but
won't authenticate?

Should I be using pam_unix instead of pam_pwdb?  I think I did that
yesterday and I couldn't login at the console at all.

> How do you have the PAM modules stacked in your /etc/pam.d/login file?

#%PAM-1.0
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_nologin.so
auth       sufficient   /lib/security/pam_ldap.so
auth       required     /lib/security/pam_pwdb.so use_first_pass
account    sufficient   /lib/security/pam_ldap.so
account    required     /lib/security/pam_pwdb.so
password   required     /lib/security/pam_cracklib.so
password   required     /lib/security/pam_pwdb.so shadow nullok use_authtok
session    sufficient   /lib/security/pam_ldap.so
session    required     /lib/security/pam_pwdb.so
session    required     /lib/security/pam_limits.so

Kelli
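
The control flags of the auth stack above, run through a simplified model of how Linux-PAM treats `required`, `requisite` and `sufficient`. This is an added example, not part of the original post: the per-module outcomes are constructed inputs, and the function names are hypothetical.

```python
import os

# The auth lines of the /etc/pam.d/login file quoted in the post.
AUTH_STACK = """\
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_nologin.so
auth       sufficient   /lib/security/pam_ldap.so
auth       required     /lib/security/pam_pwdb.so use_first_pass
"""

def parse(text, facility="auth"):
    """Return [(control, module, args)] for one facility of a pam.d file."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments such as #%PAM-1.0
        if len(fields) >= 3 and fields[0] == facility:
            module = os.path.splitext(os.path.basename(fields[2]))[0]
            rules.append((fields[1], module, fields[3:]))
    return rules

def evaluate(rules, outcome):
    """Simplified model: outcome maps module name -> True (success) / False.
    Returns (granted, modules_run). Not modelled: 'optional' and the
    bracketed [value=action] control syntax."""
    required_failed = required_ok = False
    ran = []
    for control, module, _args in rules:
        ok = outcome[module]
        ran.append(module)
        if control == "sufficient":
            if ok and not required_failed:
                return True, ran      # stack ends here; later modules never run
            continue                  # a failed 'sufficient' is ignored
        if ok:
            required_ok = True
        else:
            required_failed = True    # 'required': keep going, fail at the end
            if control == "requisite":
                return False, ran     # 'requisite': fail immediately
    return (required_ok and not required_failed), ran

def login_result(securetty=True, nologin=True, ldap=True, pwdb=True):
    """Evaluate AUTH_STACK with constructed per-module outcomes (assumptions)."""
    outcome = {"pam_securetty": securetty, "pam_nologin": nologin,
               "pam_ldap": ldap, "pam_pwdb": pwdb}
    return evaluate(parse(AUTH_STACK), outcome)

if __name__ == "__main__":
    print(login_result())                 # pam_ldap succeeds
    print(login_result(securetty=False))  # an earlier 'required' module failed
```

In this model a pam_ldap success ends the auth stack before pam_pwdb is consulted, unless one of the earlier `required` modules has already failed, in which case the attempt is denied no matter what pam_ldap returns.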

-----Original Message-----
From: pam-list-admin@redhat.com [mailto:pam-list-admin@redhat.com] On Behalf Of Steve Langasek
Sent: Thursday, September 14, 2000 10:00 AM
To: pam-list@redhat.com
Subject: RE: Telnet and PAM


On Thu, 14 Sep 2000, Kelli Wolfe wrote:

> I've got some more information/weirdness on my Telnet problem.

> If I sit at the console, I can login with an LDAP only account
> that has a clear text password.  I cannot login with an LDAP
> account that has an encrypted password.  I also cannot login
> with an account that is in both the LDAP and the passwd files.
> I cannot telnet with any of the above accounts.  I can ssh with
> all of the accounts.

How do you have the PAM modules stacked in your /etc/pam.d/login file?
Since you're using nss_ldap, if you use pam_unix it will find a password
entry for all of your users -- but it will fail to authenticate users that
are in LDAP, since AFAIK nss_ldap won't return the password field.

> It seems like I'm having a couple of problems with 'login'.
> I am running RedHat 6.2, so from what I understand, telnet is
> actually running login.  Login doesn't seem to be recognizing
> the {crypt} attribute on the password.  And something is
> causing remote telnet logins to immediately log back out.
> Before I started adding LDAP to the authentication, telnet
> worked just fine.

Login should have no knowledge of the {crypt} attribute: this should all be
handled inside pam_ldap.  If pam_ldap handles this correctly for ssh, I
don't understand why it wouldn't handle it correctly for login.

Steve Langasek
postmodern programmer

> -----Original Message-----
> From: pam-list-admin@redhat.com [mailto:pam-list-admin@redhat.com] On Behalf Of Ben Collins
> Sent: Wednesday, September 13, 2000 12:30 PM
> To: pam-list@redhat.com
> Subject: Re: Telnet and PAM
>
>
> On Wed, Sep 13, 2000 at 09:04:10AM -0500, Kelli Wolfe wrote:
> > Hello,
> >
> > I've seen in the archives where people are using Telnet
> > and PAM together, how?  I have OpenSSH authenticating
> > against OpenLDAP with nss_ldap and pam_ldap, but every
> > time I try to telnet to the machine I get the error:
> > Connection closed by foreign host.  It appears in the
> > LDAP logs to authenticate properly, but then it just
> > dies.
>
> Sounds like something is getting a segv. Could be login (do console logins
> work?), or one of the *-ldap modules, or even PAM itself.
>
> --
>  -----------=======-=-======-=========-----------=====------------=-=------
> /  Ben Collins  --  ...on that fantastic voyage...  --  Debian GNU/Linux   \
> `  bcollins@debian.org  --  bcollins@openldap.org  --  bcollins@linux.com  '
>  `---=========------=======-------------=-=-----=-===-======-------=--=---'
>
>
>
> _______________________________________________
> Pam-list mailing list
> Pam-list@redhat.com
> https://listman.redhat.com/mailman/listinfo/pam-list