OpenSSH and Solaris PAM

alexei_at_soemail.rutgers.edu
Date: 09/29/03

    Date: Mon, 29 Sep 2003 17:45:31 -0400 (EDT)
    To: sunmanagers@sunmanagers.org
    
    

    Greetings,

    I wonder if anyone has succeeded in making OpenSSH 3.7.1p2 work
    properly with Solaris 9 PAM libs?

    After I compiled and configured OpenSSH 3.7.1p2 with PAM support
    on Solaris 9, I encountered a problem getting it to work with Solaris PAM.
    The PAM libs that used to work fine with Sun SSH no longer work with
    OpenSSH.

    For example, I use an additional authentication PAM module to check for
    entries in /etc/shadow in order to disallow NIS users from logging in to a NIS
    server. It works fine with Sun SSH but OpenSSH completely ignores it.
     
    On the other host, which is an OpenLDAP client, OpenSSH doesn't seem
    to work with Sun's pam_ldap.so.1. LDAP users can't log in via ssh.
    However, Sun SSH with the same pam.conf configuration works perfectly:

        sshd auth sufficient pam_ldap.so.1
        sshd auth required pam_unix_auth.so.1
        sshd account sufficient pam_ldap.so.1
        sshd account required pam_unix_auth.so.1
        sshd password sufficient pam_ldap.so.1
        sshd password required pam_unix_auth.so.1
     
    In nsswitch.conf, I have

        passwd: files ldap
        group: files ldap

    OpenSSH has been configured with PAM support:

        ./configure --use-pam ...

    When I run ldd on /usr/local/sbin/sshd, among the links, it shows

        libpam.so.1 => /usr/lib/libpam.so.1

    In sshd_config, I have "UsePAM yes".

    Is there anything I am missing?
    Do I need to compile and install special PAM modules for OpenSSH?

    It looks like the sshd completely ignores whatever is in /etc/pam.conf.
    Any suggestion or advice would be appreciated.
    Thanks,
    Alexei
    _______________________________________________
    sunmanagers mailing list
    sunmanagers@sunmanagers.org
    http://www.sunmanagers.org/mailman/listinfo/sunmanagers

