[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

RE: Telnet and PAM



I believe the pam_ldap functions for session and account basically
noops.  I included them for the sake of trying everything. =)

One more detail, when I attempt a telnet login, I get this the system log:
Sep 14 11:19:30 amitri login: exiting pam_sm_acct_mgmt 0
Sep 14 11:19:31 amitri inetd[472]: pid 11655: exit status 1

When I ssh with the same LDAP account I get this:
Sep 14 11:22:06 amitri sshd[11688]: Accepted password for josie from
10.2.7.101 port 1022
Sep 14 11:22:06 amitri sshd[11688]: Could not reverse map address
10.2.7.101.
Sep 14 11:22:06 amitri sshd[11688]: exiting pam_sm_acct_mgmt 0

The telnet login seems to bother the inetd process....?

Thank you for all the information and assistance,
Kelli

-----Original Message-----
From: pam-list-admin@redhat.com [mailto:pam-list-admin@redhat.com]On
Behalf Of Steve Langasek
Sent: Thursday, September 14, 2000 11:05 AM
To: pam-list@redhat.com
Subject: RE: Telnet and PAM


On Thu, 14 Sep 2000, Kelli Wolfe wrote:

>
> > Since you're using nss_ldap, if you use pam_unix it will find a password
> > entry for all of your users -- but it will fail to authenticate users
that
> > are in LDAP, since AFAIK nss_ldap won't return the password field.

> 	I'm confused.  You're saying pam_unix will find passwords, but
> won't authenticate?

pam_unix calls getpwent(), which returns the equivalent of a line from your
password file.  If your system uses nss_ldap, then this password file entry
won't have the password in it.

> Should I be using pam_unix instead of pam_pwdb?  I think I did that
> yesterday and I couldn't login at the console at all.

At this stage, switching to pam_unix probably won't simplify the
configuration, so you probably shouldn't.  In general, I think that pam_unix
is a better choice, though.

> > How do you have the PAM modules stacked in your /etc/pam.d/login file?

> #%PAM-1.0
> auth       required     /lib/security/pam_securetty.so
> auth       required     /lib/security/pam_nologin.so
> auth       sufficient   /lib/security/pam_ldap.so
> auth       required     /lib/security/pam_pwdb.so use_first_pass

This looks ok... try the ldap password first, if it fails, try pwdb.

> account    sufficient   /lib/security/pam_ldap.so
> account    required     /lib/security/pam_pwdb.so

> session    sufficient   /lib/security/pam_ldap.so
> session    required     /lib/security/pam_pwdb.so
> session    required     /lib/security/pam_limits.so

Can anyone comment on how pam_ldap acts as an authorization/session module?
It seems to me that the above can be simplified to read:

account   required   /lib/security/pam_unix.so
session   required   /lib/security/pam_unix.so
session   required   /lib/security/pam_limits.so

I don't /think/ that there's anything special that makes it necessary to use
pam_ldap here.  Switching to pam_unix will let you use nss_ldap in the
background to pick up the right information.

Still, I see nothing here that explains why login behaves differently from
telnet, or why login only lets some users in.

Steve Langasek
postmodern programmer

> -----Original Message-----
> From: pam-list-admin@redhat.com [mailto:pam-list-admin@redhat.com]On
> Behalf Of Steve Langasek
> Sent: Thursday, September 14, 2000 10:00 AM
> To: pam-list@redhat.com
> Subject: RE: Telnet and PAM
>
>
> On Thu, 14 Sep 2000, Kelli Wolfe wrote:
>
> > I've got some more information/weirdness on my Telnet problem.
>
> > If I sit at the console, I can login with an LDAP only account
> > that has a clear text password.  I cannot login with an LDAP
> > account that has an encrypted password.  I also cannot login
> > with an account that is in both the LDAP and the passwd files.
> > I cannot telnet with any of the above accounts.  I can ssh with
> > all of the accounts.
>
> How do you have the PAM modules stacked in your /etc/pam.d/login file?
> Since you're using nss_ldap, if you use pam_unix it will find a password
> entry for all of your users -- but it will fail to authenticate users that
> are
> in LDAP, since AFAIK nss_ldap won't return the password field.
>
> > It seems like I'm having a couple of problems with 'login'.
> > I am running RedHat 6.2, so from what I understand, telnet is
> > actually running login.  Login doesn't seem to be recognizing
> > the {crypt} attribute on the password.  And something is
> > causing remote telnet logins to immediately log back out.
> > Before I started adding LDAP to the authentication, telnet
> > worked just fine.
>
> Login should have no knowledge of the {crypt} attribute: this should all
be
> handled inside pam_ldap.  If pam_ldap handles this correctly for ssh, I
> don't
> understand why it wouldn't handle it correctly for login.
>
> Steve Langasek
> postmodern programmer
>
> > -----Original Message-----
> > From: pam-list-admin@redhat.com [mailto:pam-list-admin@redhat.com]On
> > Behalf Of Ben Collins
> > Sent: Wednesday, September 13, 2000 12:30 PM
> > To: pam-list@redhat.com
> > Subject: Re: Telnet and PAM
> >
> >
> > On Wed, Sep 13, 2000 at 09:04:10AM -0500, Kelli Wolfe wrote:
> > > Hello,
> > >
> > > I've seen in the archives where people are using Telnet
> > > and PAM together, how?  I have OpenSSH authenticating
> > > against OpenLDAP with nss_ldap and pam_ldat, but every
> > > time I try to telnet to the machine I get the error:
> > > Connection closed by foreign host.  It appears in the
> > > LDAP logs to authenticate properly, but then it just
> > > dies.
> >
> > Sounds like something is getting a segv. Could be login (do console
logins
> > work?), or one of the *-ldap modules, or even PAM itself.
> >
> > --
>
  -----------=======-=-======-=========-----------=====------------=-=-----
> -
> > /  Ben Collins  --  ...on that fantastic voyage...  --  Debian GNU/Linux
> \
> > `  bcollins@debian.org  --  bcollins@openldap.org  --
bcollins@linux.com
> '
> >
> `---=========------=======-------------=-=-----=-===-======-------=--=---'
> >
> >
> >
> > _______________________________________________
> > Pam-list mailing list
> > Pam-list@redhat.com
> > https://listman.redhat.com/mailman/listinfo/pam-list
> >
> >
> >
> > _______________________________________________
> > Pam-list mailing list
> > Pam-list@redhat.com
> > https://listman.redhat.com/mailman/listinfo/pam-list
> >
>
>
>
>
>
> _______________________________________________
> Pam-list mailing list
> Pam-list@redhat.com
> https://listman.redhat.com/mailman/listinfo/pam-list
>
>
>
> _______________________________________________
> Pam-list mailing list
> Pam-list@redhat.com
> https://listman.redhat.com/mailman/listinfo/pam-list
>



_______________________________________________
Pam-list mailing list
Pam-list@redhat.com
https://listman.redhat.com/mailman/listinfo/pam-list





[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index] []