ssh.com and pam - SSH


Thread: ssh.com and pam

  1. ssh.com and pam


    The short story is that we cannot seem to configure a Linux host using
    ssh.com's version of ssh to use LDAP for PAM authentication. We are
    successful using OpenSSH.

    If anyone has configured SSH.com to use LDAP via PAM, we would
    appreciate your contacting us.


    The longer version of the problem is:

    Problem configuring ssh.com 3.2.9.1 with PAM on SuSE.

    We are trying to begin using OpenLDAP for our accounts and to that end
    we have created an LDAP server and populated it with some account
    information.

    On a standard SuSE 9.3 installation, we configured it to get its
    account information from our LDAP server. This configuration was done
    via the YaST2 tool and was as standard as we could make it.

    The OpenSSH server that comes with the distribution does successfully
    authenticate users from the LDAP server.

    For historical reasons, we have been using the last free version of
    ssh from ssh.com: version 3.2.9.1.

    We have recompiled ssh.com on this system, making sure that the PAM
    libraries are enabled. We then copied the /etc/pam.d/sshd file to
    /etc/pam.d/sshd2.

    Here are the contents (with all the includes resolved):

    auth required pam_env.so
    auth required pam_unix2.so
    auth required pam_nologin.so
    account required pam_unix2.so
    password required pam_pwcheck.so nullok
    password required pam_unix2.so nullok use_first_pass use_authtok
    session required pam_limits.so
    session required pam_unix2.so

    We configured the ssh.com sshd2 to use keyboard-interactive with the
    following options:

    AuthKbdInt.NumOptional 0
    AuthKbdInt.Optional pam,password
    AuthKbdInt.Required PAM
    AuthKbdInt.Retries 1

    Forcing a connection to use keyboard-interactive, we get prompted for
    PAM authentication, which always fails.

    Looking at the debug info for the daemon we see the following before
    the PAM authentication prompt occurs:

    SshUnixUser/sshunixuser.c:408/ssh_login_permitted:
    Can't find "user"'s shadow - access denied.

    At this point we have not seen any connection to the LDAP server.

    A few lines later we see:

    auth-kbd-int: User 'user' does not exist, faking real transaction.

    This corresponds well to the PAM authentication prompt. There are
    connections to the LDAP server at this time and it really appears to
    be doing authentication, but the login is still refused.

    We have also tried following the specific instructions at ssh.com for
    configuring this version to work with PAM. Those instructions use the
    pam_unix.so module with some options. In particular:

    auth required pam_unix.so shadow nullok

    Unfortunately, /lib/security/pam_unix.so is identical to
    /lib/security/pam_unix2.so, and doesn't support the "shadow" option.

    It appears to us as if the ssh.com sshd2 can use PAM, but that it is
    choosing not to during the early part of the authentication, when it
    is looking for the user's shadow information.

    Any suggestions on further things to try would be most welcome. We are
    neither PAM nor LDAP experts, though we have been cramming. We have
    certainly tried more things than documented here, but this is already
    too long.
    --

    Thanks in advance for any help.
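The two log lines quoted above ("Can't find "user"'s shadow - access denied." with no LDAP traffic yet, then "User 'user' does not exist, faking real transaction.") describe a daemon that resolves the account through NSS before it ever opens a PAM conversation. The following is an added example, not code from the original post or from ssh.com, that models that pre-PAM gate: it parses an nsswitch.conf, walks the configured sources for the passwd and shadow databases the way glibc does, and denies the login when the shadow entry cannot be found. The nsswitch.conf text and the in-memory passwd, shadow and LDAP tables are constructed for the example; the real cause on the poster's host is not established in the thread, and this only shows one configuration (shadow lookups not routed to LDAP) that reproduces exactly the ordering of events seen in the debug output.

```python
"""Model the NSS lookups a daemon performs before handing off to PAM, and show
why an LDAP-only account can be rejected before PAM runs at all.

Everything below is constructed for illustration: the nsswitch.conf text and
the three backend tables stand in for /etc/passwd, /etc/shadow and an LDAP
directory as seen through getpwnam()/getspnam().
"""
from typing import Dict, List, Optional, Tuple

# Constructed nsswitch.conf: passwd/group were switched to LDAP, but 'shadow'
# still consults only the local file (SuSE uses 'compat' for the local files).
SAMPLE_NSSWITCH = """\
passwd: compat ldap
group:  compat ldap
shadow: compat
hosts:  files dns
"""

# Constructed backends. Hash values are placeholders, not real hashes.
LOCAL_PASSWD = {"root": {"uid": 0}, "sshd": {"uid": 71}}
LOCAL_SHADOW = {"root": "x", "sshd": "!"}
LDAP_DIRECTORY = {"user": {"uid": 10001, "userPassword": "x"}}


def parse_nsswitch(text: str) -> Dict[str, List[str]]:
    """Return {database: [source, ...]} in the order listed in nsswitch.conf.
    Action tokens such as [NOTFOUND=return] are dropped; only sources matter."""
    result: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        db, _, rest = line.partition(":")
        result[db.strip()] = [tok for tok in rest.split() if not tok.startswith("[")]
    return result


def nss_lookup(db: str, name: str, order: List[str]) -> Optional[dict]:
    """Walk the sources for one database like glibc's NSS does and return the
    first hit. 'files' and 'compat' both read the local table; 'ldap' reads the
    directory (in the model the same entry serves passwd and shadow lookups)."""
    for source in order:
        if source in ("files", "compat"):
            table = LOCAL_PASSWD if db == "passwd" else LOCAL_SHADOW
            if name in table:
                return {"source": source, "entry": table[name]}
        elif source == "ldap" and name in LDAP_DIRECTORY:
            return {"source": source, "entry": LDAP_DIRECTORY[name]}
    return None


def login_permitted(user: str, nsswitch_text: str) -> Tuple[bool, str]:
    """Mimic the pre-PAM gate visible in the post's sshd2 log: resolve the
    passwd entry, then the shadow entry, and deny if either is missing.
    Only after both succeed would the PAM conversation start."""
    nss = parse_nsswitch(nsswitch_text)
    if nss_lookup("passwd", user, nss.get("passwd", ["files"])) is None:
        return False, f"Can't find \"{user}\"'s passwd entry - access denied."
    if nss_lookup("shadow", user, nss.get("shadow", ["files"])) is None:
        return False, f"Can't find \"{user}\"'s shadow - access denied."
    return True, "pre-PAM checks passed; PAM conversation would start here"


def audit_nsswitch(text: str) -> List[str]:
    """Report databases that list fewer sources than 'passwd' does. A shadow
    line that omits 'ldap' while passwd includes it is exactly the mismatch
    that makes getpwnam() succeed and getspnam() fail for directory users."""
    nss = parse_nsswitch(text)
    passwd_sources = set(nss.get("passwd", []))
    return [db for db in ("shadow", "group")
            if db in nss and not passwd_sources <= set(nss[db])]


if __name__ == "__main__":
    print(login_permitted("user", SAMPLE_NSSWITCH)[1])
    print("databases lagging behind passwd:", audit_nsswitch(SAMPLE_NSSWITCH))
    fixed = SAMPLE_NSSWITCH.replace("shadow: compat", "shadow: compat ldap")
    print(login_permitted("user", fixed)[1])
```

On a real host the equivalent check is `getent passwd user` followed by `getent shadow user` run as root: if the first succeeds and the second returns nothing, the daemon's shadow lookup will fail the same way regardless of how the PAM stack is written. Note that nss_ldap shadow lookups generally require the host to bind to the directory with credentials allowed to read the password attribute, so the `shadow:` line alone is not always sufficient; the LDAP server's access control matters too.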


  2. Re: ssh.com and pam

    maillyst@cs.com wrote:
    > The short story is that we cannot seem to configure a Linux host using
    > ssh.com's version of ssh to use LDAP for PAM authentication. We are
    > successful using OpenSSH.
    >
    > If anyone has configured SSH.com to use LDAP via PAM, we would
    > appreciate your contacting us.



    > Any suggestions on further things to try would be most welcome. We
    > are neither PAM nor LDAP experts, though we have been cramming.
    > We have certainly tried more things than documented here, but this
    > is already too long.


    My suggestion is to switch to OpenSSH, or pay money to ssh.com for their
    commercial version. What possible reason do you have for wasting your
    valuable time with a discarded release when better, supported ones are
    available as freeware or as commercial versions?



  3. Re: ssh.com and pam

    Nico Kadel-Garcia wrote:
    > maillyst@cs.com wrote:
    >> The short story is that we cannot seem to configure a Linux host
    >> using ssh.com's version of ssh to use LDAP for PAM authentication. We are
    >> successful using OpenSSH.
    >>
    >> If anyone has configured SSH.com to use LDAP via PAM, we would
    >> appreciate your contacting us.

    >
    >
    >> Any suggestions on further things to try would be most welcome. We
    >> are neither PAM nor LDAP experts, though we have been cramming.
    >> We have certainly tried more things than documented here, but this
    >> is already too long.

    >
    > My suggestion is to switch to OpenSSH, or pay money to ssh.com for
    > their commercial version. What possible reason do you have for
    > wasting your valuable time with a discarded release when better,
    > supported ones are available as freeware or as commercial versions?


    Hmm. That came out sounding snippy, and I'll apologize for that. But
    seriously, why are you pursuing ssh.com's no longer supported open source
    code?


