Network Security Secure-Shell

RE: AllowGroups and ldap

Subject: RE: AllowGroups and ldap
Date: Fri, 4 Feb 2005 10:26:00 +0800
Lars,

I assume your OpenSSH Server is compiled or packaged with "--with-pam". You may 
check it via "ldd /path/to/sshd" (this is usually the norm for packaged RPMs)

You HAVE to (and you HAVEN'T) use "UsePAM yes" for SSH Server at LDAP Client 
end, i.e. use PAM (Pluggable Authentication Module) to activate LDAP uid lookup 
via PAM_LDAP (/etc/ldap.conf and /etc/pam.d/sshd or /etc/pam.d/system-auth) and 
NSS_LDAP (/etc/nsswitch.conf). This is the norm unless Suse is different from 
other Linux distros and does not do this.

The /etc/nsswitch.conf at LDAP Server end should not reference "ldap" again, 
this is looping (LDAP Server looks up LDAP accts?!)

Since you use uniqueMember as group membership attributes (the other option is 
memberUid), there should be groups data in LDAP in this format using 
"groupOfUniqueNames" objectclass.

dn: cn=testgrp1,ou=group,dc=platts,dc=mhm,dc=mhc
objectClass: top
objectClass: groupOfUniqueNames
cn: testgrp1
description: Test Group1
uniqueMember: uid=testusr1,ou=People,dc=example,dc=com
uniqueMember: uid=testusr2,ou=People,dc=example,dc=com

Rgds
Gary 

        -----Original Message----- 
        From: Lars Weste [mailto:lweste@gmx.de] 
        Sent: Thu 2/3/2005 11:56 PM 
        To: Tay, Gary 
        Cc: secureshell@securityfocus.com 
        Subject: RE: AllowGroups and ldap
        
        

        Hi Gary,

        thanks for your answer, and sorry if I failed to describe the situation
        satisfactorily.

        I have two suse9.1 connected as clients to the ldap server.

        I can successfully ssh from one client to the other.
        My username, primary and supplementary group are out of the ldap
        server. Nothing of my identity is stored locally despite my ssh key, so I
        can log in with admin as my supplementary group.
          
        id  
        uid=1010(lars) gid=1006(weird) groups=1006(weird),1011(admin)  
          
        the following are the configuration files at both suse 9.1:  
        suse9.1 sshd_config:==========================================  
        Port 22  
        Protocol 2  
        PermitRootLogin no  
        StrictModes yes  
        RhostsRSAAuthentication no  
        HostbasedAuthentication no  
        IgnoreRhosts yes  
        PasswordAuthentication no  
        ChallengeResponseAuthentication no  
        UsePAM no  
        X11Forwarding yes  
        Subsystem       sftp    /usr/lib/ssh/sftp-server  
        AllowGroups    admin  
          
        suse9.1 ldap.conf:===================================  
        host    server.intern  
        base    dc=intern  
        ldap_version    3  
        pam_password    md5  
        nss_map_attribute uniqueMember member  
        ssl     start_tls  
        nss_map_attribute       uniqueMember member  
        pam_filter      objectclass=posixAccount  
        nss_base_passwd dc=intern  
        nss_base_shadow dc=intern  
        nss_base_group  dc=intern  
          
        suse9.1 nsswitch.conf:=============================  
        passwd: compat  
        group:  compat  
        hosts:  files dns  
        networks:       files dns  
        services:       files  
        protocols:      files  
        rpc:    files  
        ethers: files  
        netmasks:       files  
        netgroup:       files  
        publickey:      files  
        bootparams:     files  
        automount:      files nis  
        aliases:        files  
        passwd_compat:  ldap  
        group_compat:   ldap  
          
        ===================================================  
        ===================================================  
        ldap server sshd_config:===========================  
        Port 22  
        Protocol 2  
        PermitRootLogin no  
        StrictModes yes  
        RhostsRSAAuthentication no  
        HostbasedAuthentication no  
        IgnoreRhosts yes  
        PasswordAuthentication no  
        ChallengeResponseAuthentication no  
        UsePAM no  
        X11Forwarding yes  
        Subsystem       sftp    /usr/lib/ssh/sftp-server  
        AllowGroups     admin 
         
        ldap servers ldap.conf:================================
        host    server.intern
        base    dc=intern
        ldap_version    3
        pam_password    md5
        nss_map_attribute uniqueMember member
        ssl     start_tls
        nss_map_attribute       uniqueMember member
        pam_filter      objectclass=posixAccount
        nss_base_passwd dc=intern
        nss_base_shadow dc=intern
        nss_base_group  dc=intern
        
        ldap servers nsswitch.conf:=========================
        passwd: compat
        group:  compat
        hosts:  files dns
        networks:       files dns
        services:       files
        protocols:      files
        rpc:    files
        ethers: files
        netmasks:       files
        netgroup:       files
        publickey:      files
        bootparams:     files
        automount:      files nis
        aliases:        files
        passwd_compat:  ldap
        group_compat:   ldap
        
        
        So I can successfully log into the ldap server with this config if I
        change the admin group to my primary group and the weird group as the
        supplementary one. But in the situation which I want, the admin group as a
        supplementary group, it doesn't let me in.

        As both configurations are nearly the same, I'm wondering what could be
        the problem?

        As you suggested, I changed the ip and the localhost in the ldap.conf
        files to server.intern, but without any change. If I remove the ldap
        compat lines at the server's nsswitch.conf file, I won't be able to log in
        with an ldap account, I think?
        So it seems that there are other parts of the system causing the
        problem.

        Thanks for your patience. Hopefully it is now clearer why I'm totally
        clueless at this point. (: Any suggestions?

        Regards
        Lars

        --
        Let your thoughts run free... e.g. via FreeSMS
        GMX offers up to 100 FreeSMS/month: http://www.gmx.net/de/go/mail
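An added example, not part of either message above: a small Python model of how sshd's AllowGroups check (the user is admitted when any of the primary or supplementary group names matches any pattern in AllowGroups) sees a user whose account and groups come out of LDAP. The LDIF is constructed sample data in the two group shapes the thread mentions, groupOfUniqueNames with uniqueMember DNs (as in Gary's example) and posixGroup with memberUid. The `membership_attr` parameter stands for the attribute the NSS lookup actually reads for DN-valued membership; as I understand nss_ldap, `nss_map_attribute uniqueMember member` makes it read `member` instead of `uniqueMember`, so the last call shows what happens when the attribute read and the attribute stored do not agree: the primary group (which comes from gidNumber) still resolves, the supplementary group does not, and AllowGroups admin fails, which is the same symptom Lars describes.

```python
"""
Added example (not from the list thread): model how sshd evaluates AllowGroups
against the group list NSS returns for a user, fed from LDIF group entries of
the two shapes mentioned in the thread. All entries below are constructed.
"""
import fnmatch

# Constructed sample directory: one posixAccount, one group that is the user's
# primary group, one groupOfUniqueNames naming the user by DN, one posixGroup
# naming a different user by memberUid.
SAMPLE_LDIF = """\
dn: uid=lars,ou=People,dc=intern
objectClass: posixAccount
uid: lars
uidNumber: 1010
gidNumber: 1006

dn: cn=weird,ou=group,dc=intern
objectClass: posixGroup
cn: weird
gidNumber: 1006

dn: cn=admin,ou=group,dc=intern
objectClass: groupOfUniqueNames
objectClass: posixGroup
cn: admin
gidNumber: 1011
uniqueMember: uid=lars,ou=People,dc=intern

dn: cn=ops,ou=group,dc=intern
objectClass: posixGroup
cn: ops
gidNumber: 1012
memberUid: alice
"""


def parse_ldif(text):
    """Return a list of entries, each a dict of attribute -> list of values."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def rdn_uid(dn):
    """Extract the uid from a DN such as 'uid=lars,ou=People,dc=intern'."""
    attr, _, value = dn.split(",", 1)[0].partition("=")
    return value.strip() if attr.strip().lower() == "uid" else None


def user_groups(entries, uid, membership_attr="uniqueMember"):
    """
    Mimic getpwnam() + getgrouplist(): the primary group is the group whose
    gidNumber equals the account's gidNumber; supplementary groups are every
    group naming the user via memberUid or via the DN-valued membership_attr.
    """
    users = [e for e in entries
             if "posixAccount" in e.get("objectClass", []) and uid in e.get("uid", [])]
    if not users:
        raise KeyError(uid)
    primary_gid = users[0]["gidNumber"][0]
    groups = []
    for e in entries:
        if "cn" not in e or "gidNumber" not in e:
            continue  # not a group entry
        is_primary = e["gidNumber"][0] == primary_gid
        by_memberuid = uid in e.get("memberUid", [])
        by_dn = any(rdn_uid(dn) == uid for dn in e.get(membership_attr, []))
        if is_primary or by_memberuid or by_dn:
            groups.append(e["cn"][0])
    return groups


def allowed_by_groups(groups, allow_groups):
    """sshd's AllowGroups rule: any group name matching any glob pattern admits."""
    return any(fnmatch.fnmatchcase(g, pat) for g in groups for pat in allow_groups)


def check_login(entries, uid, allow_groups, membership_attr="uniqueMember"):
    """True if sshd with the given AllowGroups would admit uid; unknown users fail."""
    try:
        groups = user_groups(entries, uid, membership_attr)
    except KeyError:
        return False
    return allowed_by_groups(groups, allow_groups)


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    print(user_groups(entries, "lars"))                  # ['weird', 'admin']
    print(check_login(entries, "lars", ["admin"]))       # True
    # NSS reading "member" while the directory stores "uniqueMember": the
    # supplementary group is not seen and AllowGroups admin no longer matches.
    print(check_login(entries, "lars", ["admin"], membership_attr="member"))  # False
```

sshd builds its group list from getpwnam() and getgrouplist(), so `id` run on the same host is the quickest way to see what that list really contains; the script only reproduces that logic over LDIF so that the directory contents and the lookup configuration can be compared offline.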
        

