Red Hat Bugzilla – Bug 191338
Authconfig does not set sshd_config to use PAM for LDAP lookups
Last modified: 2007-11-30 17:07:24 EST
Description of problem:
I have Red Hat ES 4 configured to use OpenLDAP for authentication of POSIX
users. This is performed using the authconfig tool (using LDAP for User
Information and Authentication).
Authconfig configures nss_ldap and ldap.conf correctly - ldap users appear when
using getent passwd or similar. I can also su to a LDAP account with no
problems. However it is not possible to SSH using an LDAP account.
After some digging it appears that authconfig is not setting the parameter
UsePAM = yes
in /etc/ssh/sshd_config. This parameter is not actually commented out - adding
it manually and reloading sshd allows for LDAP based logins.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Run authconfig to configure LDAP authentication
2. Attempt to log in with SSH account.
Login fails (permission denied)
Login should succeed
I'm sorry but the 'UsePAM yes' config option is specified by default in the
/etc/ssh/sshd_config file so there is no need to set it by authconfig.
In case of upgrade from an older RHEL distribution it is necessary to verify
changes in all .rpmnew/.rpmsave/.rpmorig files and propagate the changes to the
actual config files by hand. It is not possible to account for all such changes
in authconfig and similar utilities.
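
The check discussed in this report, as an added example that is not part of the original bug thread or of authconfig: it reports the first `UsePAM` value in an sshd_config file and lists `.rpmnew`/`.rpmsave`/`.rpmorig` files left beside it. The function names `usepam_state` and `pending_rpm_configs` and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): audit UsePAM after an upgrade.

# Print yes/no from the first UsePAM line, or "unset" if there is none.
# sshd keeps the first value it reads for a keyword and keywords are
# case-insensitive. Upstream OpenSSH treats an unset UsePAM as "no".
usepam_state() {
    awk '
        /^[ \t]*#/ { next }                    # skip comment lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)           # drop leading whitespace
            sub(/[ \t]*=[ \t]*/, " ", line)    # this script also accepts "Keyword = value"
            n = split(line, f, /[ \t]+/)
            if (n >= 2 && tolower(f[1]) == "usepam") {
                print tolower(f[2]); found = 1; exit
            }
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# List .rpmnew/.rpmsave/.rpmorig files in a directory, one per line.
pending_rpm_configs() {
    for f in "$1"/*.rpmnew "$1"/*.rpmsave "$1"/*.rpmorig; do
        if [ -f "$f" ]; then printf '%s\n' "$f"; fi
    done
    return 0
}

# Constructed sample: a config from an upgraded host with no active UsePAM
# line, and the packaged default saved beside it as .rpmnew.
demo=$(mktemp -d)
printf 'Port 22\n#UsePAM no\nPasswordAuthentication yes\n' > "$demo/sshd_config"
printf 'Port 22\nUsePAM yes\n' > "$demo/sshd_config.rpmnew"

echo "UsePAM in active config:  $(usepam_state "$demo/sshd_config")"
echo "UsePAM in packaged config: $(usepam_state "$demo/sshd_config.rpmnew")"
echo "Config variants to review:"
pending_rpm_configs "$demo"
```

On a real host, call `usepam_state /etc/ssh/sshd_config` and `pending_rpm_configs /etc/ssh` instead of the constructed sample directory.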