Bug 158481 - Authentication failure in ssh when using pam_ldap
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: openssh
Hardware: i386 Linux
Priority: medium, Severity: medium
Assigned To: Tomas Mraz
Brian Brock
Reported: 2005-05-22 16:26 EDT by OuTian
Modified: 2007-11-30 17:07 EST
Doc Type: Bug Fix
Last Closed: 2005-08-03 04:25:57 EDT
Description OuTian 2005-05-22 16:26:13 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-TW; rv:1.7.6) Gecko/20050318 Firefox/1.0.2

Description of problem:
When using pam_ldap to obtain accounts/groups from an LDAP server,
it works in RHEL3, but has some problems in RHEL 4.

After configuring with "authconfig", the server could be logged in to with accounts in the LDAP server from console and telnet-server, but this does not work from ssh.

But after downgrading openssh to the same version as RHEL3 used, everything works fine.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. set up pam_ldap and nss_ldap
2. make sure the server can obtain account by "getent passwd"

Actual Results: login from console and telnet is OK,
but ssh does not work, it always shows "password incorrect".

Expected Results: The server must allow login with accounts in the LDAP server from console/telnet/ssh.

Additional info:
Comment 1 Tomas Mraz 2005-05-23 02:57:19 EDT
This must be some configuration problem. Could you please attach snippets from
the /var/log/messages and /var/log/secure when you're trying to connect to the sshd?
Comment 2 OuTian 2005-05-23 11:08:47 EDT
There is no message in /var/log/messages,
only in /var/log/secure when I try to ssh to the server, like this:

May 24 01:14:48 OuTian-VM-AS4 sshd[2085]: Failed password for outian from
::ffff: port 2878 ssh2

But when I enable telnetd, it works with the same username/password from telnet.

When I remove the openssh in RHEL 4,
and install the previous version in RHEL3 (of course, with some libraries),
it works fine!

So I think it's a problem with openssh in RHEL 4?
Comment 3 Tomas Mraz 2005-05-23 11:48:21 EDT
Could you please attach your /etc/pam.d/system-auth and /etc/pam.d/sshd here?
Comment 4 OuTian 2005-05-23 12:06:32 EDT
After configuring with "authconfig",

/etc/pam.d/system-auth :

# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so broken_shadow
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     [default=bad success=ok user_unknown=ignore]
account     required      /lib/security/$ISA/pam_permit.so

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5
password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_ldap.so

/etc/pam.d/sshd :

auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
Comment 5 Tomas Mraz 2005-05-23 12:43:59 EDT
Could you please use the Issue Tracker to request solving the problem through
the support?
Comment 6 Tomas Mraz 2005-08-03 04:25:57 EDT
Not enough information from reporter.
I suppose there are some problems with account information stored in the ldap
server.
Comment 7 OuTian 2005-08-03 05:23:35 EDT
(In reply to comment #6)
> Not enough information from reporter.
> I suppose there are some problems with account information stored in the ldap
> server.

No, I don't think so.

Because when I used RHEL 4 Update 1, the problem was solved.

Anyway, still thank you.
