PAM and OpenLDAP: Login always requires existence of SSH pubkey, why?



Hello.

I use FreeBSD 7.0-BETA on several boxes with different architectures (i386/amd64). Users within our network have to authenticate against an OpenLDAP server via PAM. I have the annoying problem that every user getting authenticated needs a public key, and the passphrase set on the SSH public key is the passphrase that authenticates the user - not the passphrase/password set in the OpenLDAP DIT for that specific user! My sshd_config looks quite similar to the default sshd_config offered with the FreeBSD sources, except for three changes:


=============
# Change to yes to enable built-in password authentication.
PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable PAM authentication
ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes

# Set this to 'no' to disable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

=================

Setting
PasswordAuthentication no
and
ChallengeResponseAuthentication no

to force PAM to do authentication, accounting and session handling via LDAP results in no user being able to log in at all (error: pubkey/password).

In /etc/pam.d/sshd and system I have pam_sshd.so enabled in both auth and session. Without that it doesn't matter what is configured in sshd_config; users can never log in, as LDAP would never check the passphrase.

What is wrong? Why is PAM forcing ssh into doing authentication and accounting and session management by default although I configured PAM to do so?

Can anybody help?

Thanks in advance,
Oliver
_______________________________________________
freebsd-questions@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@xxxxxxxxxxx"
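A small audit script, added here as an example and not taken from the thread or from FreeBSD, that reads an sshd_config and a pam.d/sshd stack and reports which credential a login will actually be checked against: a key only, the key's passphrase via pam_ssh, or a password handed to the remaining PAM auth modules. The sample files are constructed from the settings quoted in the post; a pam_ldap.so module is assumed to be installed (it is not part of the base system).

```shell
#!/bin/sh
# Added example (not from the thread or FreeBSD): classify how sshd will
# authenticate a user from a given sshd_config and pam.d/sshd stack.

# First non-comment occurrence of a keyword wins in sshd_config; $3 is the default.
sshd_opt() {
    v=$(awk -v key="$2" 'tolower($1)==tolower(key) {print tolower($2); exit}' "$1")
    printf '%s\n' "${v:-$3}"
}

# True if the PAM service file runs module $2 in its auth phase.
pam_auth_uses() {
    awk -v mod="$2" '$1=="auth" && index($3, mod) {f=1} END {exit (f ? 0 : 1)}' "$1"
}

# Prints: pubkey-only, pam-ssh-passphrase or pam-password.
classify() {
    usepam=$(sshd_opt "$1" UsePAM no)
    pw=$(sshd_opt "$1" PasswordAuthentication yes)
    cr=$(sshd_opt "$1" ChallengeResponseAuthentication yes)
    if [ "$usepam" != yes ] || { [ "$pw" != yes ] && [ "$cr" != yes ]; }; then
        echo pubkey-only          # PAM auth never runs; only a key gets you in
    elif pam_auth_uses "$2" pam_ssh.so; then
        echo pam-ssh-passphrase   # pam_ssh answers with the key passphrase
    else
        echo pam-password         # the remaining auth modules (e.g. LDAP) decide
    fi
}

# Constructed samples: the poster's sshd_config, the same with both password
# paths off, and two PAM auth stacks (pam_ldap.so assumed installed from ports).
tmp=$(mktemp -d)
cat > "$tmp/sshd_config.post" <<'EOF'
PasswordAuthentication yes
#PermitEmptyPasswords no
ChallengeResponseAuthentication yes
UsePAM yes
EOF
sed -e 's/^PasswordAuthentication yes/PasswordAuthentication no/' \
    -e 's/^ChallengeResponseAuthentication yes/ChallengeResponseAuthentication no/' \
    "$tmp/sshd_config.post" > "$tmp/sshd_config.nopw"
printf 'auth sufficient pam_ssh.so no_warn try_first_pass\nauth required pam_unix.so no_warn try_first_pass\n' > "$tmp/pam_ssh"
printf 'auth sufficient pam_ldap.so no_warn try_first_pass\nauth required pam_unix.so no_warn try_first_pass\n' > "$tmp/pam_ldap"

for pair in "post pam_ssh" "nopw pam_ssh" "post pam_ldap"; do
    set -- $pair
    printf '%s + %s: %s\n' "$1" "$2" "$(classify "$tmp/sshd_config.$1" "$tmp/$2")"
done
```

The three sample runs reproduce the two symptoms in the post (passphrase prompt with both password options on, no login at all with both off) and show that the PAM auth stack, not sshd_config, is what selects the credential once PAM authentication is reachable.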
