Authentication problems with ldap

Dan Yefimov dan at nf15.lightwave.net.ru
Mon Sep 22 22:52:49 UTC 2008


On Mon, 22 Sep 2008, Lynn York wrote:

> I attempted to use the same config as listed below and I am still running
> into issues.  I do not see anything in /var/log/secure or /var/log/messages.
> Here is the auth. part of my ssh debug log:
> 
>  
> 
> [snippet ]
> 
>  
> 
> debug1: PAM: initializing for "lyork"
> 
> debug3: Normalising mapped IPv4 in IPv6 address
> 
> debug3: Trying to reverse map address 127.0.0.1.
> 
> debug1: PAM: setting PAM_RHOST to "cent-os-2"
> 
> debug1: PAM: setting PAM_TTY to "ssh"
> 
> debug2: monitor_read: 46 used once, disabling now
> 
> debug3: mm_request_receive entering
> 
> debug3: monitor_read: checking request 3
> 
> debug3: mm_answer_authserv: service=ssh-connection, style=
> 
> debug2: monitor_read: 3 used once, disabling now
> 
> debug3: mm_request_receive entering
> 
> debug3: monitor_read: checking request 4
> 
> debug3: mm_answer_authrole: role=
> 
> debug2: monitor_read: 4 used once, disabling now
> 
> debug3: mm_request_receive entering
> 
> debug1: userauth-request for user lyork service ssh-connection method
> publickey
> 
> debug1: attempt 1 failures 1
> 
> debug2: input_userauth_request: try method publickey
> 
> debug1: test whether pkalg/pkblob are acceptable
> 
> debug3: mm_key_allowed entering
> 
> debug3: mm_request_send entering: type 21
> 
> debug3: monitor_read: checking request 21
> 
> debug3: mm_answer_keyallowed entering
> 
> debug3: mm_answer_keyallowed: key_from_blob: 0x80983b8
> 
> debug1: temporarily_use_uid: 3000/3000 (e=0/0)
> 
> debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED
> 
> debug3: mm_request_receive_expect entering: type 22
> 
> debug3: mm_request_receive entering
> 
> debug1: trying public key file /home/lyork/.ssh/authorized_keys
> 
> debug1: restore_uid: 0/0
> 
> debug1: temporarily_use_uid: 3000/3000 (e=0/0)
> 
> debug1: trying public key file /home/lyork/.ssh/authorized_keys2
> 
> debug1: restore_uid: 0/0
> 
> debug3: Normalising mapped IPv4 in IPv6 address
> 
> Failed publickey for lyork from 127.0.0.1 port 1199 ssh2
> 
> debug3: mm_answer_keyallowed: key 0x80983b8 is disallowed
> 
> debug3: mm_request_send entering: type 22
> 
> debug3: mm_request_receive entering
> 
> debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa
> 
> debug1: userauth-request for user lyork service ssh-connection method
> password
> 
> debug1: attempt 2 failures 2
> 
> debug2: input_userauth_request: try method password
> 
> debug3: mm_auth_password entering
> 
> debug3: mm_request_send entering: type 11
> 
> debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
> 
> debug3: mm_request_receive_expect entering: type 12
> 
> debug3: mm_request_receive entering
> 
> debug3: monitor_read: checking request 11
> 
> debug3: PAM: sshpam_passwd_conv called with 1 messages
> 
> debug3: PAM: sshpam_passwd_conv called with 1 messages
> 
> debug1: PAM: password authentication failed for lyork: Authentication
> failure
> 
> debug3: mm_answer_authpassword: sending result 0
> 
> debug3: mm_request_send entering: type 12
> 
> Failed password for lyork from 127.0.0.1 port 1199 ssh2
> 
> [end snippet]
> 
If you use OpenSSH, you must enable Keyboard-Interactive authentication and 
disable password authentication in order for PAM to be used for authentication.
But given other messages on the subject in the list, the following questions should 
be asked. Is the correct POSIX schema applied to your directory tree? Are 
correct POSIX attribute values (especially password ones) assigned to user 
objects?
-- 

    Sincerely Your, Dan.
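
The two checks raised in the reply above, as an added Python example that is not part of the original message: it reads the global section of an sshd_config for the keyboard-interactive and password settings, and tests one LDIF entry for the RFC 2307 posixAccount attributes. The UsePAM check is an assumed prerequisite, and both samples, the function names and the `jdoe` entry are constructed for illustration.

```python
# Added example; both samples below are constructed, not the poster's data.
SSHD_DEFAULTS = {  # upstream OpenSSH defaults; distributions may ship others
    "usepam": "no",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
}
# Newer OpenSSH name for the same option.
ALIASES = {"kbdinteractiveauthentication": "challengeresponseauthentication"}
# UsePAM is an assumed prerequisite; the other two come from the reply.
WANTED = {"usepam": "yes", "challengeresponseauthentication": "yes",
          "passwordauthentication": "no"}
POSIX_MUST = ("cn", "uid", "uidnumber", "gidnumber", "homedirectory")  # RFC 2307

def effective_sshd(text):
    """Global sshd_config values: case-insensitive keywords, first value wins."""
    seen = {}
    for raw in text.splitlines():
        parts = raw.strip().replace("=", " ", 1).split()
        if not parts or parts[0].startswith("#"):
            continue
        key = parts[0].lower()
        if key == "match":  # conditional blocks are not evaluated here
            break
        key = ALIASES.get(key, key)
        if key in SSHD_DEFAULTS and len(parts) > 1:
            seen.setdefault(key, parts[1].lower())
    return {**SSHD_DEFAULTS, **seen}

def sshd_findings(text):
    cfg = effective_sshd(text)
    return [f"{k} is {cfg[k]}, expected {v}" for k, v in WANTED.items() if cfg[k] != v]

def posix_findings(ldif_entry):
    """Report missing posixAccount pieces in one unfolded LDIF entry."""
    attrs = {}
    for line in ldif_entry.splitlines():
        if ":" in line and not line.startswith((" ", "#")):
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.lstrip(": ").strip())
    classes = {v.lower() for v in attrs.get("objectclass", [])}
    out = [] if "posixaccount" in classes else ["objectClass posixAccount missing"]
    return out + [f"{a} missing" for a in POSIX_MUST + ("userpassword",) if a not in attrs]

SAMPLE_SSHD = "UsePAM yes\nPasswordAuthentication yes\n#x\nChallengeResponseAuthentication no\nPasswordAuthentication no\n"
SAMPLE_LDIF = ("dn: uid=jdoe,ou=People,dc=example,dc=com\nobjectClass: inetOrgPerson\n"
               "cn: J Doe\nsn: Doe\nuid: jdoe\nuserPassword:: Y29uc3RydWN0ZWQ=\n")

if __name__ == "__main__":
    print(sshd_findings(SAMPLE_SSHD))
    print(posix_findings(SAMPLE_LDIF))
```

In the constructed sshd sample the second `PasswordAuthentication no` has no effect, because sshd uses the first value it reads for each keyword.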



