Re: SSH and LDAP
From: Erik C.J. Laan (news_at_elaan.dds.nl)
Date: 06/02/04
- Previous message: C C: "Re: vmstat help - cpu upgrade or more memory?"
- In reply to: Steve Bassler: "SSH and LDAP"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Wed, 02 Jun 2004 22:26:11 +0200
Steve Bassler wrote:
> We are installing an LDAP server for AIX and Solaris login
> authentication. (FWIW, the LDAP server is IBM's Directory Server,
> v5.1.) On Solaris, we have no trouble authenticating with either
> telnet or SSH. On an AIX 5.2.02 client, using the LDAP client bundled
> with Directory server, we've run into a problem. Telnet gets through,
> but SSH is refused.
>
> Running PuTTY with Pagaent on a Windows workstation, user <xxxx> gets
> prompted for his password (twice) and finally receives the following
> error:
> Server sent disconnect message
> type 2 (SSH_DISCONNECT_PROTOCOL_ERROR):
> "Too many authentication failures for <xxxx>"
>
> Attempting to login from another AIX server with "ssh -vvv <hostname>"
> and ForwardAgent set to yes, we get (extracting what looks like the
> relevant text):
> debug1: Found key in /home/<xxxx>/.ssh/known_hosts:1
> debug2: bits set: 1611/3191
> debug1: ssh_rsa_verify: signature correct
> debug2: kex_derive_keys
> debug2: set_newkeys: mode 1
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug2: set_newkeys: mode 0
> debug1: SSH2_MSG_NEWKEYS received
> debug1: SSH2_MSG_SERVICE_REQUEST sent
> debug2: service_accept: ssh-userauth
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug2: key: /home/<xxxx>/.ssh/id_rsa (20034b98)
> debug2: key: /home/<xxxx>/.ssh/identity (0)
> debug2: key: /home/<xxxx>/.ssh/id_dsa (0)
> debug1: Authentications that can continue:
> publickey,password,keyboard-interactive
> debug3: start over, passed a different list
> publickey,password,keyboard-interactive
> debug3: preferred publickey,keyboard-interactive,password
> debug3: authmethod_lookup publickey
> debug3: remaining preferred: keyboard-interactive,password
> debug3: authmethod_is_enabled publickey
> debug1: Next authentication method: publickey
> debug1: Offering public key: /home/<xxxx>/.ssh/id_rsa
> debug3: send_pubkey_test
> debug2: we sent a publickey packet, wait for reply
> debug1: Authentications that can continue:
> publickey,password,keyboard-interactive
> debug1: Trying private key: /home/<xxxx>/.ssh/identity
> debug3: no such identity: /home/<xxxx>/.ssh/identity
> debug1: Trying private key: /home/<xxxx>/.ssh/id_dsa
> debug3: no such identity: /home/<xxxx>/.ssh/id_dsa
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup keyboard-interactive
> debug3: remaining preferred: password
> debug3: authmethod_is_enabled keyboard-interactive
> debug1: Next authentication method: keyboard-interactive
>
> In the syslog, we get the following series of messages:
> Jun 2 13:47:46 <hostname> sshd[15984]: Password can't be changed for
> user <xxxx>: 3004-619 Security method "LDAP" could not be loaded.
> Jun 2 13:47:46 <hostname> sshd[9120]: Illegal user <xxxx> from
> <nn.nn.nn.nn>
> Jun 2 13:47:46 <hostname> syslog: ssh: failed login attempt for
> UNKNOWN_USER from <hostname>
> Jun 2 13:47:46 <hostname> sshd[9120]: Failed none for illegal user
> <xxxx> from <nn.nn.nn.nn> port 4167 ssh2
> Jun 2 13:47:49 <hostname> sshd[9120]: Failed password for illegal
> user <xxxx> from <nn.nn.nn.nn> port 4167 ssh2
> Jun 2 13:47:49 <hostname> syslog: ssh: failed login attempt for
> UNKNOWN_USER from <hostname>
>
> I have no idea why it appears to be trying to change the password. I
> know it is not expired. User <xxxx> is set up with SYSTEM = "ldap or
> compat" and registry = LDAP in /etc/security/user.
>
> ssh -V returns:
> OpenSSH_3.7.1p1-pwexp24, SSH protocols 1.5/2.0, OpenSSL 0.9.6c 21 dec
> 2001
> (That's Darren Tucker's password expiration patch.)
>
> Any help would be appreciated.
>
> Thanks,
> Steve
Hi Steve,
You don't say whether you're using the rfc2307, rfc2307+aix or plain aix
schema. We've also run into problems with AIX clients, and most of them
were because SSH is more picky about the password-expiry setting than
telnet is. Please experiment with setting the
passwordmaxage/passwordminage (aix schema) or shadowMin/shadowMax
attributes (2307/2307+ schema) to zero. We've also found that the AIX 5.2
LDAP clients (2307+ schema) read the uid=default entry in the LDAP
directory too, for these attributes, but the AIX 4.3 LDAP clients
(aix-schema) don't: they need the passwordmaxage/passwordminage set to
zero in their local default stanza.
HTH, Erik.
--
---------------------------------------------------------------------------
Erik C.J. Laan elaan at dds.nl
Please reply below the message, please cut irrelevant pieces from a reply.
---------------------------------------------------------------------------
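As an added example (not from either poster), a small Python triage over the syslog lines Steve quoted: it flags sshd failures that follow an AIX 3004-619 "Security method ... could not be loaded" message for the same user as a backend-load problem rather than a wrong password, which is the distinction the thread turns on. The sample lines are constructed from the post with its placeholders kept; the correlation window is an assumption.

```python
import re
from datetime import datetime

# Constructed sample input: the syslog lines quoted in the thread, with the
# poster's <hostname>/<xxxx>/<nn.nn.nn.nn> placeholders kept as written.
SAMPLE_SYSLOG = """\
Jun 2 13:47:46 <hostname> sshd[15984]: Password can't be changed for user <xxxx>: 3004-619 Security method "LDAP" could not be loaded.
Jun 2 13:47:46 <hostname> sshd[9120]: Illegal user <xxxx> from <nn.nn.nn.nn>
Jun 2 13:47:46 <hostname> syslog: ssh: failed login attempt for UNKNOWN_USER from <hostname>
Jun 2 13:47:46 <hostname> sshd[9120]: Failed none for illegal user <xxxx> from <nn.nn.nn.nn> port 4167 ssh2
Jun 2 13:47:49 <hostname> sshd[9120]: Failed password for illegal user <xxxx> from <nn.nn.nn.nn> port 4167 ssh2
Jun 2 13:47:49 <hostname> syslog: ssh: failed login attempt for UNKNOWN_USER from <hostname>
"""

SYSLOG_RE = re.compile(
    r'^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'(?P<prog>[^:\[ ]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$')
# AIX 3004-619: the auth module named in /etc/security/user could not be loaded
LOAD_FAIL_RE = re.compile(
    r'for user (?P<user>\S+): 3004-619 Security method "(?P<method>[^"]+)" could not be loaded')
FAILED_RE = re.compile(r'^Failed (?P<auth>\S+) for (?:illegal user )?(?P<user>\S+) from (?P<src>\S+)')

def parse(line):
    """Split one syslog line into timestamp (no year; strptime defaults to 1900), host, program, pid, message."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['ts'] = datetime.strptime(rec['ts'], '%b %d %H:%M:%S')
    return rec

def triage(text, window_seconds=10):
    """Return one finding per sshd 'Failed <auth> for ...' line. kind is
    'backend_unavailable:<method>' when a 3004-619 load error for the same
    user was logged within window_seconds before it, else 'bad_credential'."""
    load_failures = {}  # user -> (timestamp, method that failed to load)
    findings = []
    for line in text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        lf = LOAD_FAIL_RE.search(rec['msg'])
        if lf:
            load_failures[lf['user']] = (rec['ts'], lf['method'])
            continue
        fm = FAILED_RE.match(rec['msg'])
        if not fm:
            continue
        kind = 'bad_credential'
        prior = load_failures.get(fm['user'])
        if prior and 0 <= (rec['ts'] - prior[0]).total_seconds() <= window_seconds:
            kind = 'backend_unavailable:' + prior[1]
        findings.append({'user': fm['user'], 'auth': fm['auth'], 'src': fm['src'], 'kind': kind})
    return findings
```

Run against the sample, both failures (the "none" probe and the password attempt) come back as backend_unavailable:LDAP, which points at the LDAP module/schema settings rather than at the user's password.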