Network Security Secure-Shell

RE: PAM auth and account with openssh

Subject: RE: PAM auth and account with openssh
Date: Tue, 1 Feb 2005 16:35:40 +0800
I assume you have used SUN ONE Console to define "password policy", and
applied the latest Solaris 9 Patch Cluster.

This is an example from the SUN forums that is said to be working. If it
still does not work for you, you may post your issue there:

/etc/pam.conf
# PAM configuration
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_dial_auth.so.1
login auth binding pam_unix_auth.so.1 server_policy
login auth required pam_ldap.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth binding pam_unix_auth.so.1 server_policy
rlogin auth required pam_ldap.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_unix_auth.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_dial_auth.so.1
ppp auth binding pam_unix_auth.so.1 server_policy
ppp auth required pam_ldap.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth binding pam_unix_auth.so.1 server_policy
other auth required pam_ldap.so.1
#
# passwd command (explicit because of a different authentication module)
#
passwd auth binding pam_passwd_auth.so.1 server_policy
passwd auth required pam_ldap.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron account required pam_projects.so.1
cron account required pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other account requisite pam_roles.so.1
other account required pam_projects.so.1
# In order for the line below to give the password aging messages you MUST NOT have
# the users passwords stored in crypt on the directory server or the proxy user must
# not be able to read the userpassword attribute. Any other encryption
# method will work.
other account binding pam_unix_account.so.1 server_policy
other account required pam_ldap.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other session required pam_unix_session.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1 server_policy
#
# Support for Kerberos V5 authentication (uncomment to use Kerberos)
#
#rlogin auth optional pam_krb5.so.1 try_first_pass
#login auth optional pam_krb5.so.1 try_first_pass 
#other auth optional pam_krb5.so.1 try_first_pass 
#cron account optional pam_krb5.so.1
#other account optional pam_krb5.so.1
#other session optional pam_krb5.so.1
#other password optional pam_krb5.so.1 try_first_pass

sshd auth requisite pam_authtok_get.so.1
sshd auth required pam_dhkeys.so.1
sshd auth required pam_dial_auth.so.1
sshd auth binding pam_unix_auth.so.1 server_policy
sshd auth required pam_ldap.so.1


-----Original Message-----
From: Victor Engle [mailto:vic@summerseas.com] 
Sent: Monday, January 31, 2005 9:46 PM
To: Tay, Gary
Cc: SSH list
Subject: Re: PAM auth and account with openssh


Setting "PasswordAuthentication no" didn't correct the problem. Through
trial and error I did manage to learn that if I remove the server_policy
from this line in the pam stack for sshd then the login works with both
public key and password but fails to give me the "password will expire"
warning.

sshd  account required                pam_unix_account.so.1 server_policy

When the sshd line above has the server_policy parameter at the end the 
warning works as expected but public key logins fail. Also when the 
public key login fails I am prompted for a password and that also fails.

The problem became apparent when I began trying to get password 
expiration and account lockout from our ldap server working. We needed 
to get this to work to satisfy our auditors.

Thanks,
Vic


Tay, Gary wrote:

Could you try:

#PasswordAuthentication yes
PasswordAuthentication no

Gary

-----Original Message-----
From: Victor Engle [mailto:vic@summerseas.com]
Sent: Saturday, January 29, 2005 4:22 AM
To: Tay, Gary; SSH list
Subject: Re: PAM auth and account with openssh


Tay, Gary wrote:

If you think there is an issue in SSH, you should also post sshd_config
and ssh_config to the mail list. Look at messages and /var/log/auth.log
for extra info also.

Here are the config files...

sshd_config
# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

#Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /usr/local/etc/ssh_host_key
# HostKeys for protocol version 2
#HostKey /usr/local/etc/ssh_host_rsa_key
#HostKey /usr/local/etc/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile     .ssh/authorized_keys

# For this to work you will also need host keys in /usr/local/etc/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords 
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# PasswordAuthentication, PermitEmptyPasswords, and "PermitRootLogin
# without-password". If you just want the PAM account and
# session checks to run without PAM authentication, then enable this but set
# ChallengeResponseAuthentication=no
UsePAM yes

#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression yes
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10

# no default banner path
#Banner /some/path

# override default of no subsystems
Subsystem       sftp    /usr/local/libexec/sftp-server


ssh_config

# This is the ssh client system-wide configuration file.  See
# ssh_config(5) for more information.  This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.

# Configuration data is parsed as follows:
#  1. command line options
#  2. user-specific file
#  3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for various options

# Host *
#   ForwardAgent no
#   ForwardX11 no
#   RhostsRSAAuthentication no
#   RSAAuthentication yes
#   PasswordAuthentication yes
#   HostbasedAuthentication no
#   BatchMode no
#   CheckHostIP yes
#   AddressFamily any
#   ConnectTimeout 0
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/identity
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
#   Port 22
#   Protocol 2,1
#   Cipher 3des
#   Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
#   EscapeChar ~
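
The sshd_config above says, in its own comment, that with UsePAM yes PAM authentication is reachable through the ChallengeResponseAuthentication mechanism, and that commented keywords document compiled-in defaults. The script below is an added example, not code from the thread or from OpenSSH: it reads a config with the sshd_config(5) rules (first value obtained for a keyword wins, a line starting with '#' is a comment) and reports which of the three methods seen in the debug output a server would advertise and whether the PAM auth stack can still be driven by a client. It assumes OpenSSH 3.9-era defaults, with UsePAM defaulting to no per sshd_config(5); the POSTED, PASSWORD_OFF and PAM_AUTH_OFF inputs are constructed from the posted file, and the function names are ours.

```python
"""Effective authentication settings from an OpenSSH 3.9-era sshd_config.

sshd_config(5) rules applied here: keywords are case-insensitive, the first
value obtained for a keyword wins, and a line whose first non-blank character
is '#' is a comment. DEFAULTS holds what the posted file's commented lines
document; UsePAM's default of 'no' comes from the man page, not the file.
"""
import re
from typing import Dict, List

DEFAULTS: Dict[str, str] = {
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "challengeresponseauthentication": "yes",
    "usepam": "no",
    "permitrootlogin": "yes",
}

# "Keyword value" or "Keyword=value"
_KEYVAL = re.compile(r"^([A-Za-z][A-Za-z0-9]*)(?:\s*=\s*|\s+)(.*)$")


def effective_settings(text: str) -> Dict[str, str]:
    """Return the tracked keywords with their effective (first-wins) values."""
    seen: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _KEYVAL.match(line)
        if not m:
            raise ValueError(f"unparseable sshd_config line: {raw!r}")
        key, value = m.group(1).lower(), m.group(2).strip().lower()
        if key == "match":        # Match blocks (OpenSSH 4.4+) are out of scope here
            break
        seen.setdefault(key, value)
    cfg = dict(DEFAULTS)
    cfg.update({k: v for k, v in seen.items() if k in DEFAULTS})
    return cfg


def offered_methods(cfg: Dict[str, str]) -> List[str]:
    """Methods advertised in 'Authentications that can continue'; only the
    three that appear in the thread's debug output are modelled."""
    methods = []
    if cfg["pubkeyauthentication"] == "yes":
        methods.append("publickey")
    if cfg["passwordauthentication"] == "yes":
        methods.append("password")
    if cfg["challengeresponseauthentication"] == "yes":
        methods.append("keyboard-interactive")
    return methods


def pam_auth_reachable(cfg: Dict[str, str]) -> bool:
    """True when a client can still drive the PAM auth stack: UsePAM yes and
    either password or keyboard-interactive (ChallengeResponse) enabled."""
    return cfg["usepam"] == "yes" and (
        cfg["passwordauthentication"] == "yes"
        or cfg["challengeresponseauthentication"] == "yes"
    )


def pam_account_runs(cfg: Dict[str, str]) -> bool:
    """With UsePAM yes the PAM account (and session) stack runs after any
    successful authentication, public key included."""
    return cfg["usepam"] == "yes"


# Trimmed from the sshd_config posted in the thread; constructed input.
POSTED = """\
#Port 22
#PermitRootLogin yes
#PubkeyAuthentication yes
#PasswordAuthentication yes
#PermitEmptyPasswords no
#ChallengeResponseAuthentication yes
UsePAM yes
Subsystem       sftp    /usr/local/libexec/sftp-server
"""
# Gary's suggestion applied on top of the posted file.
PASSWORD_OFF = POSTED + "PasswordAuthentication no\n"
# The variant the file's own comment describes: PAM account/session checks
# without PAM authentication.
PAM_AUTH_OFF = PASSWORD_OFF + "ChallengeResponseAuthentication no\n"


def report(text: str) -> Dict[str, object]:
    cfg = effective_settings(text)
    return {"methods": offered_methods(cfg),
            "pam_auth": pam_auth_reachable(cfg),
            "pam_account": pam_account_runs(cfg)}


if __name__ == "__main__":
    for name, text in (("posted", POSTED), ("PasswordAuthentication no", PASSWORD_OFF),
                       ("+ChallengeResponseAuthentication no", PAM_AUTH_OFF)):
        print(f"{name:38} {report(text)}")
```

On the posted file the advertised list matches the debug output's publickey,password,keyboard-interactive. Adding only PasswordAuthentication no still leaves keyboard-interactive on offer, and with UsePAM yes that is the path the file's comment says carries PAM authentication; turning ChallengeResponseAuthentication off as well leaves publickey alone while the PAM account and session checks still run.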

 

     -----Original Message-----
     From: Victor Engle [mailto:vic@summerseas.com]
     Sent: Fri 1/28/2005 9:27 PM
     To: SSH list
     Cc:
     Subject: PAM auth and account with openssh


     Hi,

     I have a Sun LDAP server version 5.2 that I am using as a solaris naming
     service. Everything is working as expected except for a problem with
     sshd and pam. With the following entries in pam.conf everything works
     well except that password expiration from the ldap server is ignored.

     sshd   auth requisite          pam_authtok_get.so.1
     sshd   auth required           pam_dhkeys.so.1
     sshd   auth sufficient         pam_unix_auth.so.1
     sshd   auth required           pam_ldap.so.1 try_first_pass
     sshd   account required        pam_unix_account.so.1

     If I use the following entries in pam.conf everything works including
     password expiration unless I use a public key for authentication. If I
     have a public key in place I am unable to log in. I get prompted for a
     password and that fails. If I remove the public key I am prompted for a
     password and get successfully authenticated.

     sshd   auth requisite          pam_authtok_get.so.1
     sshd   auth required           pam_dhkeys.so.1
     sshd   auth sufficient         pam_unix_auth.so.1
     sshd   auth required           pam_ldap.so.1 try_first_pass
     sshd   account sufficient      pam_ldap.so.1
     sshd   account binding         pam_unix_account.so.1 server_policy


     Here is the ssh client debug output from trying to login with the public
     key and the above pam.conf entries.

     [vengle@datamart-->]ssh -v  sniper
     OpenSSH_3.9p1, OpenSSL 0.9.7e 25 Oct 2004
     debug1: Reading configuration data /usr/local/etc/ssh_config
     debug1: Connecting to sniper [66.43.143.232] port 22.
     debug1: Connection established.
     debug1: identity file /home/vengle/.ssh/identity type -1
     debug1: identity file /home/vengle/.ssh/id_rsa type 1
     debug1: identity file /home/vengle/.ssh/id_dsa type -1
     debug1: Remote protocol version 1.99, remote software version OpenSSH_3.9p1
     debug1: match: OpenSSH_3.9p1 pat OpenSSH*
     debug1: Enabling compatibility mode for protocol 2.0
     debug1: Local version string SSH-2.0-OpenSSH_3.9p1
     debug1: SSH2_MSG_KEXINIT sent
     debug1: SSH2_MSG_KEXINIT received
     debug1: kex: server->client aes128-cbc hmac-md5 none
     debug1: kex: client->server aes128-cbc hmac-md5 none
     debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
     debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
     debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
     debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
     debug1: Host 'sniper' is known and matches the RSA host key.
     debug1: Found key in /home/vengle/.ssh/known_hosts:3
     debug1: ssh_rsa_verify: signature correct
     debug1: SSH2_MSG_NEWKEYS sent
     debug1: expecting SSH2_MSG_NEWKEYS
     debug1: SSH2_MSG_NEWKEYS received
     debug1: SSH2_MSG_SERVICE_REQUEST sent
     debug1: SSH2_MSG_SERVICE_ACCEPT received
     debug1: Authentications that can continue:
     publickey,password,keyboard-interactive
     debug1: Next authentication method: publickey
     debug1: Trying private key: /home/vengle/.ssh/identity
     debug1: read PEM private key done: type RSA
     debug1: Authentications that can continue:
     publickey,password,keyboard-interactive
     debug1: Offering public key: /home/vengle/.ssh/id_rsa
     debug1: Server accepts key: pkalg ssh-rsa blen 149
     debug1: read PEM private key done: type RSA
     debug1: Authentications that can continue:
     publickey,password,keyboard-interactive
     debug1: Trying private key: /home/vengle/.ssh/id_dsa
     debug1: Next authentication method: keyboard-interactive
     Password:


     The server accepts the key but continues to try to authenticate me. Any
     help or direction would be greatly appreciated.

     Thanks,
     Vic Engle
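
Vic's two pam.conf stacks above, and Gary's suggested sshd auth stack at the top of the thread, mix requisite, required, sufficient and binding, and the difference between sufficient and binding decides whether a later module is ever asked. The evaluator below is an added example, not code from the thread or from Solaris: it parses pam.conf lines and walks a stack with the control-flag rules from the Solaris 9 pam.conf(4) man page, returning the outcome and a trace. The module results it feeds in are constructed, since the thread never says which module failed on Vic's host; that pam_unix_auth steps aside with PAM_IGNORE under server_policy is an assumption, and the function names are ours.

```python
"""Walk a Solaris pam.conf stack under the control flags used in this thread.

Flag semantics, from the Solaris 9 pam.conf(4) man page:
  requisite  - failure returns immediately.
  required   - failure is recorded, the stack continues.
  binding    - success with nothing recorded returns success at once;
               failure is recorded like a required one.
  sufficient - success with nothing recorded returns success at once;
               failure is ignored.
  optional   - failure counts only if no module in the stack succeeded
               (our reading of the man page).
PAM_IGNORE from a module counts as if the module were not in the stack.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

SUCCESS, FAIL, IGNORE = "success", "fail", "ignore"


@dataclass(frozen=True)
class Entry:
    service: str
    facility: str                 # auth, account, session or password
    control: str
    module: str
    options: Tuple[str, ...] = ()


def parse_pam_conf(text: str) -> List[Entry]:
    """Parse 'service facility control module [options]'; '#' starts a comment."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"malformed pam.conf line: {raw!r}")
        service, facility, control, module, *opts = fields
        entries.append(Entry(service, facility, control.lower(), module, tuple(opts)))
    return entries


def stack_for(entries: List[Entry], service: str, facility: str) -> List[Entry]:
    """Explicit lines for the service win; otherwise the 'other' stack applies."""
    own = [e for e in entries if e.service == service and e.facility == facility]
    return own or [e for e in entries if e.service == "other" and e.facility == facility]


def evaluate(stack: List[Entry], results: Dict[str, str]) -> Tuple[str, List[str]]:
    """Run the stack; results maps module -> SUCCESS/FAIL/IGNORE (default SUCCESS)."""
    trace: List[str] = []
    recorded_failure = any_success = optional_failure = False
    for e in stack:
        r = results.get(e.module, SUCCESS)
        trace.append(f"{e.control:<10} {e.module:<24} -> {r}")
        if r == IGNORE:
            continue
        any_success |= r == SUCCESS
        if e.control == "requisite":
            if r == FAIL:
                trace.append("requisite failure: stop, fail")
                return FAIL, trace
        elif e.control == "required":
            recorded_failure |= r == FAIL
        elif e.control == "binding":
            if r == SUCCESS and not recorded_failure:
                trace.append("binding success, nothing recorded: stop, success")
                return SUCCESS, trace
            recorded_failure |= r == FAIL
        elif e.control == "sufficient":
            if r == SUCCESS and not recorded_failure:
                trace.append("sufficient success, nothing recorded: stop, success")
                return SUCCESS, trace
        elif e.control == "optional":
            optional_failure |= r == FAIL
        else:
            raise ValueError(f"unknown control flag {e.control!r} on {e.module}")
    if recorded_failure or (optional_failure and not any_success):
        return FAIL, trace
    return SUCCESS, trace


# sshd lines copied from the thread (Gary's auth stack, Vic's second account
# stack) plus the 'other account' lines from Gary's pam.conf. Constructed input.
PAM_CONF = """\
sshd    auth    requisite   pam_authtok_get.so.1
sshd    auth    required    pam_dhkeys.so.1
sshd    auth    required    pam_dial_auth.so.1
sshd    auth    binding     pam_unix_auth.so.1 server_policy
sshd    auth    required    pam_ldap.so.1
sshd    account sufficient  pam_ldap.so.1
sshd    account binding     pam_unix_account.so.1 server_policy
other   account requisite   pam_roles.so.1
other   account required    pam_projects.so.1
other   account binding     pam_unix_account.so.1 server_policy
other   account required    pam_ldap.so.1
"""


def demo() -> Dict[str, str]:
    """Outcomes for constructed module results (not a diagnosis of Vic's host)."""
    entries = parse_pam_conf(PAM_CONF)
    auth = stack_for(entries, "sshd", "auth")
    acct = stack_for(entries, "sshd", "account")
    cases = {
        "auth/unix-succeeds": (auth, {}),                        # pam_ldap never asked
        "auth/dhkeys-fails": (auth, {"pam_dhkeys.so.1": FAIL}),   # binding cannot rescue it
        # pam_unix_auth stepping aside with PAM_IGNORE under server_policy is assumed
        "auth/unix-ignores-ldap-fails": (auth, {"pam_unix_auth.so.1": IGNORE, "pam_ldap.so.1": FAIL}),
        "account/ldap-ok": (acct, {}),                            # stops at sufficient
        "account/ldap-fails": (acct, {"pam_ldap.so.1": FAIL}),    # sufficient failure ignored
        "ftp-account/roles-fail": (stack_for(entries, "ftp", "account"), {"pam_roles.so.1": FAIL}),
    }
    return {name: evaluate(stack, res)[0] for name, (stack, res) in cases.items()}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:30} {outcome}")
```

Two traces are worth reading: in Gary's auth stack a pam_dhkeys failure is recorded, so the later binding success of pam_unix_auth no longer ends the stack and the result is fail; in Vic's second account stack a pam_ldap failure under sufficient is simply ignored and pam_unix_account, binding with server_policy, decides on its own. Whether that is what happened on Vic's host the thread does not say.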
     



   

