Red Hat Bugzilla – Bug 158481
Authentication failure in ssh when using pam_ldap
Last modified: 2007-11-30 17:07:18 EST
Description of problem:
When using pam_ldap to obtain account/group from an LDAP server,
it works in RHEL3, but has some problems in RHEL 4.
After configuring with "authconfig", the server can be logged in to with accounts in the LDAP server from the console and telnet-server, but it does not work from ssh.
But after downgrading openssh to the same version as RHEL3 uses, everything works fine.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. set up pam_ldap and nss_ldap
2. make sure the server can obtain account by "getent passwd"
Actual Results: login from console and telnet is OK,
but ssh does not work; it always shows "password incorrect".
Expected Results: It must be possible to log in to the server with accounts in the LDAP server from console/telnet/ssh.
This must be some configuration problem. Could you please attach snippets from
the /var/log/messages and /var/log/secure when you're trying to connect to the sshd?
There is no message in /var/log/messages,
only in /var/log/secure when I try to ssh to the server, like this:
May 24 01:14:48 OuTian-VM-AS4 sshd: Failed password for outian from ::ffff:192.168.147.1 port 2878 ssh2
But when I enable telnetd, it works with the same username/password from telnet.
When I remove the openssh in RHEL 4
and install the previous version from RHEL3 (of course, with some libraries),
it works fine!
So I think it's a problem with openssh in RHEL 4?
Could you please attach your /etc/pam.d/system-auth and /etc/pam.d/sshd here?
After configuring with "authconfig":
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so broken_shadow
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account [default=bad success=ok user_unknown=ignore]
account required /lib/security/$ISA/pam_permit.so
password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5
password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session optional /lib/security/$ISA/pam_ldap.so
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
Could you please use the Issue Tracker to request solving the problem through
Not enough information from reporter.
I suppose there are some problems with account information stored in the ldap
(In reply to comment #6)
> Not enough information from reporter.
> I suppose there are some problems with account information stored in the ldap
No, I don't think so.
Because when I was using RHEL 4 Update 1, the problem was solved.
Anyway, thank you still.