RE: Telnet and PAM

[Steve Langasek <vorlon netexpress net>]

On Thu, 14 Sep 2000, Kelli Wolfe wrote:

> 
> > Since you're using nss_ldap, if you use pam_unix it will find a password
> > entry for all of your users -- but it will fail to authenticate users that
> > are in LDAP, since AFAIK nss_ldap won't return the password field.

> 	I'm confused.  You're saying pam_unix will find passwords, but
> won't authenticate?

pam_unix calls getpwent(), which returns the equivalent of a line from your
password file.  If your system uses nss_ldap, then this password file entry
won't have the password in it.

> Should I be using pam_unix instead of pam_pwdb?  I think I did that
> yesterday and I couldn't login at the console at all.

At this stage, switching to pam_unix probably won't simplify the
configuration, so you probably shouldn't.  In general, I think that pam_unix
is a better choice, though.

> > How do you have the PAM modules stacked in your /etc/pam.d/login file?

> #%PAM-1.0
> auth       required     /lib/security/pam_securetty.so
> auth       required     /lib/security/pam_nologin.so
> auth       sufficient   /lib/security/pam_ldap.so
> auth       required     /lib/security/pam_pwdb.so use_first_pass

This looks ok... try the ldap password first, if it fails, try pwdb.

> account    sufficient   /lib/security/pam_ldap.so
> account    required     /lib/security/pam_pwdb.so

> session    sufficient   /lib/security/pam_ldap.so
> session    required     /lib/security/pam_pwdb.so
> session    required     /lib/security/pam_limits.so

Can anyone comment on how pam_ldap acts as an authorization/session module?
It seems to me that the above can be simplified to read:

account   required   /lib/security/pam_unix.so
session   required   /lib/security/pam_unix.so
session   required   /lib/security/pam_limits.so

I don't /think/ that there's anything special that makes it necessary to use
pam_ldap here.  Switching to pam_unix will let you use nss_ldap in the
background to pick up the right information.

Still, I see nothing here that explains why login behaves differently from
telnet, or why login only lets some users in.

Steve Langasek
postmodern programmer

> -----Original Message-----
> From: pam-list-admin@redhat.com [mailto:pam-list-admin@redhat.com]On
> Behalf Of Steve Langasek
> Sent: Thursday, September 14, 2000 10:00 AM
> To: pam-list@redhat.com
> Subject: RE: Telnet and PAM
> 
> 
> On Thu, 14 Sep 2000, Kelli Wolfe wrote:
> 
> > I've got some more information/weirdness on my Telnet problem.
> 
> > If I sit at the console, I can login with an LDAP only account
> > that has a clear text password.  I cannot login with an LDAP
> > account that has an encrypted password.  I also cannot login
> > with an account that is in both the LDAP and the passwd files.
> > I cannot telnet with any of the above accounts.  I can ssh with
> > all of the accounts.
> 
> How do you have the PAM modules stacked in your /etc/pam.d/login file?
> Since you're using nss_ldap, if you use pam_unix it will find a password
> entry for all of your users -- but it will fail to authenticate users that
> are
> in LDAP, since AFAIK nss_ldap won't return the password field.
> 
> > It seems like I'm having a couple of problems with 'login'.
> > I am running RedHat 6.2, so from what I understand, telnet is
> > actually running login.  Login doesn't seem to be recognizing
> > the {crypt} attribute on the password.  And something is
> > causing remote telnet logins to immediately log back out.
> > Before I started adding LDAP to the authentication, telnet
> > worked just fine.
> 
> Login should have no knowledge of the {crypt} attribute: this should all be
> handled inside pam_ldap.  If pam_ldap handles this correctly for ssh, I
> don't
> understand why it wouldn't handle it correctly for login.
> 
> Steve Langasek
> postmodern programmer
> 
> > -----Original Message-----
> > From: pam-list-admin@redhat.com [mailto:pam-list-admin@redhat.com]On
> > Behalf Of Ben Collins
> > Sent: Wednesday, September 13, 2000 12:30 PM
> > To: pam-list@redhat.com
> > Subject: Re: Telnet and PAM
> >
> >
> > On Wed, Sep 13, 2000 at 09:04:10AM -0500, Kelli Wolfe wrote:
> > > Hello,
> > >
> > > I've seen in the archives where people are using Telnet
> > > and PAM together, how?  I have OpenSSH authenticating
> > > against OpenLDAP with nss_ldap and pam_ldat, but every
> > > time I try to telnet to the machine I get the error:
> > > Connection closed by foreign host.  It appears in the
> > > LDAP logs to authenticate properly, but then it just
> > > dies.
> >
> > Sounds like something is getting a segv. Could be login (do console logins
> > work?), or one of the *-ldap modules, or even PAM itself.
> >
> > --
> >  -----------=======-=-======-=========-----------=====------------=-=-----
> -
> > /  Ben Collins  --  ...on that fantastic voyage...  --  Debian GNU/Linux
> \
> > `  bcollins@debian.org  --  bcollins@openldap.org  --  bcollins@linux.com
> '
> >
> `---=========------=======-------------=-=-----=-===-======-------=--=---'
> >
> >
> >
> > _______________________________________________
> > Pam-list mailing list
> > Pam-list@redhat.com
> > https://listman.redhat.com/mailman/listinfo/pam-list
> >
> >
> >
> > _______________________________________________
> > Pam-list mailing list
> > Pam-list@redhat.com
> > https://listman.redhat.com/mailman/listinfo/pam-list
> >
> 
> 
> 
> 
> 
> _______________________________________________
> Pam-list mailing list
> Pam-list@redhat.com
> https://listman.redhat.com/mailman/listinfo/pam-list
> 
> 
> 
> _______________________________________________
> Pam-list mailing list
> Pam-list@redhat.com
> https://listman.redhat.com/mailman/listinfo/pam-list
>