Network Security Secure-Shell

RE: AllowGroups and ldap

Subject: RE: AllowGroups and ldap
Date: Wed, 2 Feb 2005 08:54:21 +0100 (MET)
Hi,

I can successfully log in from one SuSE 9.1 to another SuSE 9.1, both
connected to the same LDAP server.

This is the remote SuSE 9.1 sshd_config:
================================================
Port 22
Protocol 2
PermitRootLogin no
StrictModes yes
RhostsRSAAuthentication no
HostbasedAuthentication no
IgnoreRhosts yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
X11Forwarding yes
Subsystem       sftp    /usr/lib/ssh/sftp-server
AllowGroups    admin
===============================================
This is the remote SuSE 9.1 ldap.conf file:
===============================================
host    10.10.10.10
base    dc=intern
ldap_version    3
pam_password    md5
nss_map_attribute uniqueMember member
ssl     start_tls
nss_map_attribute       uniqueMember member
pam_filter      objectclass=posixAccount
nss_base_passwd dc=intern
nss_base_shadow dc=intern
nss_base_group  dc=intern
=============================================
This is the remote SuSE 9.1 nsswitch.conf file:
=============================================
passwd: compat
group:  compat
hosts:  files dns
networks:       files dns
services:       files
protocols:      files
rpc:    files
ethers: files
netmasks:       files
netgroup:       files
publickey:      files
bootparams:     files
automount:      files nis
aliases:        files
passwd_compat:  ldap
group_compat:   ldap
=========================================================
And the following file is the SuSE 9.1 /etc/pam.d/sshd,
but I think this file shouldn't be used because I configured
UsePAM=no in sshd_config:
=========================================================
#%PAM-1.0
auth required   pam_unix2.so # set_secrpc
auth required   pam_nologin.so
auth required   pam_env.so
account required        pam_unix2.so
account required        pam_nologin.so
password required       pam_pwcheck.so
password required       pam_unix2.so    use_first_pass use_authtok
session required        pam_unix2.so    none       # trace or debug
session required        pam_limits.so
# Enable the following line to get resmgr support for
# ssh sessions (see /usr/share/doc/packages/resmgr/README.SuSE)
#session  optional      pam_resmgr.so fake_ttyname
===============================================================
With this configuration I can log in without any problem; sshd checks
that I am a member of the admin group, which is only available through
LDAP.
=========================================================

The following is the SLES9 sshd_config file; except for the
AllowGroups directive it is the same as on the SuSE 9.1:
=========================================================
Port 22
Protocol 2
PermitRootLogin no
StrictModes yes
RhostsRSAAuthentication no
HostbasedAuthentication no
IgnoreRhosts yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
X11Forwarding yes
Subsystem       sftp    /usr/lib/ssh/sftp-server
AllowGroups    backup admin wheel
====================================================
The following file is the SLES9 ldap.conf, the same except for the host
directive:
====================================================
host    localhost
base    dc=intern
ldap_version    3
pam_password    md5
nss_map_attribute       uniqueMember member
ssl     start_tls
nss_map_attribute       uniqueMember member
pam_filter      objectclass=posixAccount
nss_base_passwd dc=intern
nss_base_shadow dc=intern
nss_base_group  dc=intern
===================================================
The SLES9 nsswitch.conf file is exactly the same as the SuSE 9.1
nsswitch.conf above.

===================================================
id lars
uid=1010(lars) gid=1006(weird) groups=1006(weird),1011(admin)

With this configuration, where the admin group is a supplementary group,
I can log in to the SuSE 9.1 but not to the SLES9.

I changed the groups I belong to, to the following:
id lars
uid=1010(lars) gid=1011(admin) groups=1011(admin),1006(weird)

This enables me to log in to both systems. But having the admin group as a
primary group is not an option.

So if anybody has a hint as to what my problem might be, please tell me,
because I'm a bit clueless here. Or maybe there are other configuration
files involved which I didn't consider?

Kind regards
Lars

===================================================
 
      
       
IIRC, OpenSSH uses PAM and then PAM uses PAM_LDAP/NSS_LDAP to retrieve
LDAP id/pw info. So you have to configure PAM ("UsePAM yes"),
/etc/pam.conf (load pam_ldap.so.1) and /etc/ldap.conf (nss_ldap's
config) files.

It will be interesting to see, even after the above have been done, whether
the "AllowGroups" directive works for LDAP based, instead of just
/etc/passwd file based, login ids. "man sshd_config" does not say the
group info could be read from LDAP.

Let us know what you could come out with.

Gary
       
-----Original Message-----
From: Lars Weste [mailto:lweste@gmx.de]
Sent: Monday, January 31, 2005 4:52 PM
To: secureshell@securityfocus.com
Subject: AllowGroups and ldap

hi list,

I encountered a problem while trying to use the AllowGroups feature of
OpenSSH to restrict access to only some groups.

I'm using SuSE's ssh version OpenSSH_3.8p1, OpenSSL 0.9.7d 17 Mar 2004 at
the server and client side. The account information of the user I want
to log in as is stored within OpenLDAP.

$ id
uid=1010(lars) gid=1006(weird) groups=1006(weird),1011(admin).

I only want to allow members of the admin group to log in. The group
information about the admin and the weird groups is also stored in the
LDAP database. If I configure AllowGroups weird, which is the primary
group of the user, I can log in. If I replace weird with admin the login
will be rejected.

=============
User lars not allowed because none of user's groups are listed in
AllowGroups
input_userauth_request: illegal user lars
=============

I added the user to the local group wheel, added the wheel group to the
AllowGroups statement and restarted the sshd. With a local supplementary
group I could successfully log in. So is there a way to use the
supplementary groups of the user provided by the LDAP daemon?

 

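As an added example (not part of the thread, and not OpenSSH's own code): sshd evaluates AllowGroups against the user's primary group plus the supplementary groups it obtains from the NSS group database, which is the same lookup path that `id -Gn USER` goes through, and each AllowGroups word is a glob pattern (`*` and `?`). The script below emulates that decision so it can be run on the server next to `id` and `getent`, and it cross-checks the supplementary list against the group entry itself, which separates an NSS/LDAP mapping problem from an sshd one. Assumed, and not stated in the thread: a POSIX sh with id(1) and getent(1); the function names and the sample group lists are mine.

```shell
#!/bin/sh
# allowgroups_check.sh - emulate sshd's AllowGroups decision from the
# NSS view of a user's groups, and cross-check that view against the
# group entry itself. Added example, not code from the thread or OpenSSH.
#
# Assumptions (mine, not stated in the thread):
#   - POSIX sh, id(1) and getent(1) are available
#   - sshd's group set is what the NSS group database returns for the
#     user (primary gid from passwd, supplementary groups via
#     getgrouplist), which is also what `id -Gn USER` prints

# allowed_by_groups PATTERNS GROUPS
#   PATTERNS: the AllowGroups value from sshd_config, space separated,
#             with the * and ? wildcards sshd accepts
#   GROUPS:   the user's group names, primary first, space separated
# Returns 0 (allowed) if any group matches any pattern, else 1.
allowed_by_groups() {
    for g in $2; do
        for p in $1; do
            # an unquoted $p in a case label is treated as a glob; that is the point
            case $g in
                $p) return 0 ;;
            esac
        done
    done
    return 1
}

# nss_groups_for USER: prints the group set sshd would see, or fails
# with 1 if the user is unknown to NSS (sshd rejects such a login first).
nss_groups_for() {
    getent passwd "$1" >/dev/null 2>&1 || return 1
    id -Gn "$1" 2>/dev/null
}

# listed_in_group_entry USER GROUP: does the group entry that NSS
# returns for GROUP name USER in its member field?
# Returns 0 yes, 1 no, 2 if the group itself is unknown to NSS.
listed_in_group_entry() {
    entry=$(getent group "$2" 2>/dev/null) || return 2
    members=${entry##*:}
    case ",$members," in
        *",$1,"*) return 0 ;;
    esac
    return 1
}

# diagnose USER PATTERNS: prints the emulated sshd verdict and, for every
# pattern that names a plain group, whether that group's own entry lists
# the user. A group present in `id -Gn` but absent from its entry (or the
# reverse) means the two NSS lookups disagree, which points at the
# NSS/LDAP configuration rather than at sshd.
diagnose() {
    user=$1; patterns=$2
    glist=$(nss_groups_for "$user") || { echo "$user: unknown to NSS"; return 1; }
    echo "$user: groups via NSS: $glist"
    if allowed_by_groups "$patterns" "$glist"; then
        echo "$user: ALLOWED by AllowGroups '$patterns'"
        rc=0
    else
        echo "$user: DENIED, none of the user's groups are listed in AllowGroups"
        rc=1
    fi
    for p in $patterns; do
        case $p in *\**|*\?*) continue ;; esac   # skip wildcard patterns
        st=0
        listed_in_group_entry "$user" "$p" || st=$?
        case $st in
            0) echo "  group entry '$p' lists $user as a member" ;;
            1) echo "  group entry '$p' does NOT list $user" ;;
            2) echo "  group '$p' is unknown to NSS" ;;
        esac
    done
    return $rc
}

# Usage: sh allowgroups_check.sh lars "backup admin wheel"
if [ $# -eq 2 ]; then
    diagnose "$1" "$2"
fi
```

Run it as root on the host that rejects the login, with the user and the exact AllowGroups value from sshd_config. If the script denies the user while `id USER` on the same host shows the group, the NSS view sshd gets differs from what `id` was run against; if the script allows the user but sshd still logs "none of user's groups are listed in AllowGroups", run the daemon in debug mode (`sshd -d -p 2222`) to see the group set it actually resolves.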
