Hi list,
My host-based authentication configuration is not working 100%
This is what I get when I try to login to a server using a ldap user that doesn’t have the host entry for that server:
user1@host1's password:
Access denied for this host
[user1@host1 user1]$
As you can see, after the message “Access denied for this host” I’m actually on the server!
Here is my ldap.conf (client side)
HOST <ldap server IP>
BASE dc=<mydomain>,dc=com
rootbinddn cn=Manager,dc=<mydomain>,dc=com
scope one
pam_check_host_attr yes
pam_filter objectclass=posixaccount
pam_login_attribute uid
pam_member_attribute gid
pam_password md5
nss_base_passwd ou=People,dc=<mydomain>,dc=com?one
nss_base_shadow ou=People,dc=<mydomain>,dc=com?one
nss_base_group ou=Group,dc=<mydomain>,dc=com?one
nss_base_hosts ou=Hosts,dc=<mydomain>,dc=com?one
Here is my /etc/pam.d/passwd
#%PAM-1.0
auth sufficient /lib/security/pam_ldap.so
auth required /lib/security/pam_pwdb.so shadow nullok
account sufficient /lib/security/pam_ldap.so
account required /lib/security/pam_pwdb.so
password required /lib/security/pam_cracklib.so retry=3 minlen=4 \
dcredit=0 ucredit=0
password sufficient /lib/security/pam_ldap.so use_authtok
password required /lib/security/pam_pwdb.so use_authtok nullok \
md5 shadow
Here is my /etc/pam.d/sshd
#%PAM-1.0
auth required /lib/security/pam_nologin.so
auth sufficient /lib/security/pam_ldap.so
auth required /lib/security/pam_unix_auth.so try_first_pass
account sufficient /lib/security/pam_ldap.so
account required /lib/security/pam_unix_acct.so
password required /lib/security/pam_cracklib.so
password sufficient /lib/security/pam_ldap.so
password required /lib/security/pam_pwdb.so use_first_pass
session required /lib/security/pam_unix_session.so
I know it works if I change the sshd file like this:
from
account sufficient /lib/security/pam_ldap.so
to
account required /lib/security/pam_ldap.so
However, I don’t want to do that because I can’t use the users in /etc/passwd which is pretty bad.
Does anyone had this issue and was able to resolve it?
Thanks,
Martin