[FUG-BR] SSH + PAM + LDAP problem
Junior
s2provider at hotmail.com
Tue Sep 23 11:18:26 BRT 2008
Gentlemen,
I have an LDAP server in production authenticating without problems. I am already using Samba with it normally.
I tried to configure SSH to use the LDAP base but did not succeed.
When I run the command id user, it shows the user's data, so I think the integration with LDAP is correct.
[/etc/pam.d]# id user
uid=2013(user) gid=513(Domain Users) groups=513(Domain Users)
I set loginShell: /bin/sh for this user.
When I log in via ssh it asks for the "Old password". If I type the wrong password it asks for the password again (3 times). See:
[/etc/pam.d]# ssh -v user@servidor
OpenSSH_4.5p1 FreeBSD-20061110, OpenSSL 0.9.8e 23 Feb 2007
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to servidor [xxx.xxx.xxx.x] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1p1 FreeBSD-20080901
debug1: match: OpenSSH_5.1p1 FreeBSD-20080901 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.5p1 FreeBSD-20061110
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'xxx.xxx.xxx.x' is known and matches the DSA host key.
debug1: Found key in /root/.ssh/known_hosts:8
debug1: ssh_dss_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/identity
debug1: Trying private key: /root/.ssh/id_rsa
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
Password:
Old Password:
debug1: Authentications that can continue: publickey,keyboard-interactive
Password:
debug1: Authentications that can continue: publickey,keyboard-interactive
Password:
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: No more authentication methods to try.
Permission denied (publickey,keyboard-interactive).
[/etc/pam.d]#
And it goes no further. This only appears when I type the password correctly.
sshd config in /etc/pam.d/sshd:
#
# $FreeBSD: src/etc/pam.d/sshd,v 1.16 2007/06/10 18:57:20 yar Exp $
#
# PAM configuration for the "sshd" service
#
# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass
# account
account required pam_nologin.so
#account required pam_krb5.so
account required pam_login_access.so
account required pam_unix.so
# session
#session optional pam_ssh.so
session required pam_permit.so
# password
#password sufficient pam_krb5.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass
I repeat that LDAP is fine and Samba is already authenticating users normally.
Any tips?
Thanks.
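An added example, not part of the original post or of FreeBSD/pam_ldap: a small Python script that parses a FreeBSD-style /etc/pam.d service file and reports, per management group (auth, account, session, password), which modules are active and which groups a given module is absent from. The PAM_SSHD string reproduces the stack quoted above so the script runs offline; the point it makes visible is that pam_ldap.so is active only in the auth group, while the account and password groups are handled by local modules alone (pam_unix.so is the only module in the password group). On FreeBSD, "Old Password:" is OpenPAM's default prompt for the old authentication token, i.e. it is issued during a password change run through the password group, so a group-by-group view like this is the first thing to check when a prompt appears that the auth stack itself would not produce.

```python
"""Summarise a FreeBSD-style /etc/pam.d service file by management group.

Constructed sample: PAM_SSHD below copies the /etc/pam.d/sshd stack from the
post (header comments omitted) so the script runs without touching the system.
"""

# Constructed sample input (the stack quoted in the post).
PAM_SSHD = """\
# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass
# account
account required pam_nologin.so
#account required pam_krb5.so
account required pam_login_access.so
account required pam_unix.so
# session
#session optional pam_ssh.so
session required pam_permit.so
# password
#password sufficient pam_krb5.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass
"""

GROUPS = ("auth", "account", "session", "password")


def parse_pam(text):
    """Return {group: [(control, module_basename, [options...]), ...]}.

    Comment and blank lines are skipped (so commented-out modules such as
    '#auth sufficient pam_krb5.so' are not counted as active).  A module
    given by full path, e.g. /usr/local/lib/pam_ldap.so, is reduced to its
    basename so it compares equal to a bare 'pam_ldap.so'.
    """
    stacks = {g: [] for g in GROUPS}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3 or fields[0] not in GROUPS:
            raise ValueError("unrecognised PAM line: %r" % raw)
        group, control, module = fields[0], fields[1], fields[2]
        stacks[group].append((control, module.rsplit("/", 1)[-1], fields[3:]))
    return stacks


def groups_using(stacks, module):
    """Management groups in which `module` is active."""
    return [g for g in GROUPS if any(m == module for _, m, _ in stacks[g])]


def missing_groups(stacks, module):
    """Groups in which `module` is NOT active.  A backend that only handles
    auth leaves account/password processing to whatever other modules remain
    in those groups."""
    present = set(groups_using(stacks, module))
    return [g for g in GROUPS if g not in present]


def report(stacks, module="pam_ldap.so"):
    """Human-readable summary: one line per group plus presence/absence of
    `module`."""
    lines = []
    for g in GROUPS:
        chain = " -> ".join("%s:%s" % (c, m) for c, m, _ in stacks[g]) or "(empty)"
        lines.append("%-9s %s" % (g, chain))
    lines.append("%s active in:   %s" % (module, ", ".join(groups_using(stacks, module))))
    lines.append("%s absent from: %s" % (module, ", ".join(missing_groups(stacks, module))))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(parse_pam(PAM_SSHD)))
```

To run it against a live system, replace PAM_SSHD with the contents of the service file you want to inspect (open("/etc/pam.d/sshd").read()); the parser only understands the four standard management groups, so an "include" line or an unknown group name raises rather than being silently ignored.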