SUMMARY: problems with ssh and ldap on solaris

From: nicholas (nicholas@no-spam.co.uk)
Date: Wed Oct 22 2003 - 08:13:35 EDT


OK, I found the problem.
It's with SSH and its new privilege separation thingy.
You need to disable it by adding
UsePrivilegeSeparation no
to your sshd_config file.

Thanks to those who helped, in particular to Himanshu.

nicholas

> Hi there
>
> The problem I had earlier on with id and su (or any other proggy that
> uses passwd) not seeing the OpenLDAP-served passwd db that getent could
> see on the same machine was a bug in my LDIF that had crept in. I re-wrote
> the LDIF and su and id can see everyone.
>
> But now my problem is that:
> I've given up on pam_ldap and I'm using pam_unix to authenticate. I can
> telnet to the machine but can only ssh as root. All other users get
> kicked off.
>
> If I change my sshd_config file to include
> UseLogin yes
> then, like telnet (which invokes login as well), all works.
> I have tried compiling sshd --with-pam but that changes nothing.
>
> Has anyone seen this before?
>
> Here is the output from sshd -d:
>
> Accepted password for bob from x.x.x.x port 61887 ssh2
> debug1: permanently_set_uid: 9995/59996
> debug1: Entering interactive session for SSH2.
> debug1: server_init_dispatch_20
> debug1: server_input_channel_open: ctype session rchan 0 win 65536 max 16384
> debug1: input_session_request
> debug1: channel 0: new [server-session]
> debug1: session_new: init
> debug1: session_new: session 0
> debug1: session_open: channel 0
> debug1: session_open: session 0: link with channel 0
> debug1: server_input_channel_open: confirm session
> debug1: server_input_channel_req: channel 0 request pty-req reply 0
> debug1: session_by_channel: session 0 channel 0
> debug1: session_input_channel_req: session 0 req pty-req
> login_get_lastlog: Cannot find account for uid 9995
> debug1: Calling cleanup 0x31270(0x0)
> debug1: channel 0: free: server-session, nchannels 1
> debug1: Calling cleanup 0x3917c(0x0)
>
> Here is the output from ssh -vv, after hitting enter after typing the
> password, which clearly states a success:
>
> debug1: packet_send2: adding 64 (len 59 padlen 5 extra_pad 64)
> debug2: we sent a password packet, wait for reply
> debug1: ssh-userauth2 successful: method password
> debug1: channel 0: new [client-session]
> debug1: send channel open 0
> debug1: Entering interactive session.
> debug2: callback start
> debug1: ssh_session2_setup: id 0
> debug1: channel request 0: pty-req
> debug1: channel request 0: shell
> debug1: fd 4 setting TCP_NODELAY
> debug2: callback done
> debug1: channel 0: open confirm rwindow 0 rmax 32768
> debug1: channel_free: channel 0: client-session, nchannels 1
> Connection to server closed by remote host.
> Connection to server closed.
> debug1: Transferred: stdin 0, stdout 0, stderr 77 bytes in 0.1 seconds
> debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 1130.1
> debug1: Exit status -1
>
> Here is my pam.conf file:
>
> # PAM configuration
> #
> # Authentication management
> #
> rsh   auth required   /usr/lib/security/$ISA/pam_rhosts_auth.so.1
> other auth sufficient /usr/lib/security/pam_ldap.so
> other auth required   /usr/lib/security/$ISA/pam_unix.so shadow nullok use_first_pass
>
> #
> # Account management
> #
> other account sufficient /usr/lib/security/pam_ldap.so
> other account required   /usr/lib/security/$ISA/pam_unix.so use_first_pass
> #
> # Session management
> #
> other session sufficient /usr/lib/security/$ISA/pam_unix.so.1
> other session optional   /usr/lib/security/pam_ldap.so.1 use_first_pass
>
> #
> # Password management
> #
> other password sufficient /usr/lib/security/pam_ldap.so.1
> other password required   /usr/lib/security/$ISA/pam_unix.so.1 use_first_pass
>
> Also, how can I get pam_ldap to work, incidentally?
>
> Many thanks for your time.
>
> nicholas
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
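Editor's note, with an added triage script that is not part of the original thread. The sshd -d trace above shows the session dying at login_get_lastlog, which runs after the "permanently_set_uid: 9995/59996" line, i.e. after sshd has already dropped to the user's uid in the post-authentication child. Whether that uid resolves through nsswitch as root (where getent was tested) therefore says nothing about whether it resolves for the unprivileged process that needs it. Turning UsePrivilegeSeparation off makes the lookup run with root privileges again, at the cost of the hardening boundary privilege separation exists to provide (it has been on by default since OpenSSH 3.3). The script below pulls the unresolved uid out of an sshd -d capture, reports the effective UsePrivilegeSeparation value (sshd honours the first occurrence of a keyword, default yes), and resolves the uid through getent; the file paths and the constructed log lines in the usage note are assumptions for illustration.

```shell
#!/bin/sh
# Added triage helper, not code from the original post. Given a capture of
# `sshd -d` output and an sshd_config, pull out the uid sshd could not
# resolve in login_get_lastlog and report the effective
# UsePrivilegeSeparation setting. The paths passed in are assumptions.

# Print each uid named in a "login_get_lastlog: Cannot find account for uid N"
# line, one per line, deduplicated. The leading .* also swallows a "> "
# quote prefix when the log was pasted from mail.
unresolved_uids() {
    sed -n 's/.*login_get_lastlog: Cannot find account for uid \([0-9][0-9]*\).*/\1/p' "$1" | sort -u
}

# Effective UsePrivilegeSeparation value. sshd keeps the first occurrence of
# a keyword and the compiled-in default is "yes" (OpenSSH 3.3 onwards), so an
# absent keyword means privilege separation is on.
privsep_setting() {
    v=$(awk 'tolower($1) == "useprivilegeseparation" { print tolower($2); exit }' "$1")
    printf '%s\n' "${v:-yes}"
}

# Resolve a uid through the same name-service switch sshd uses. Run this as
# the affected user (su to them first), not as root: in the sshd -d trace the
# failing lookup happens after permanently_set_uid, with root already
# dropped, so a lookup that works as root proves nothing.
uid_resolves() {
    getent passwd "$1" >/dev/null 2>&1
}

# Tie the pieces together for one log/config pair.
diagnose() {
    log=$1
    conf=$2
    for uid in $(unresolved_uids "$log"); do
        printf 'sshd closed the session: uid %s could not be resolved in login_get_lastlog\n' "$uid"
        if uid_resolves "$uid"; then
            printf 'uid %s resolves via getent as %s, so the name service is reachable from here\n' "$uid" "$(id -un)"
        else
            printf 'uid %s does NOT resolve via getent as %s; fix name-service access for that user before touching sshd\n' "$uid" "$(id -un)"
        fi
    done
    printf 'UsePrivilegeSeparation is effectively: %s\n' "$(privsep_setting "$conf")"
}

# Usage: diagnose /tmp/sshd-debug.log /usr/local/etc/sshd_config
if [ "$#" -eq 2 ]; then
    diagnose "$1" "$2"
fi
```

Run it as the user who gets kicked off, e.g. `su - bob -c 'sh triage.sh /tmp/sshd-debug.log /usr/local/etc/sshd_config'`, after capturing `sshd -d` output to the log file. If getent fails for that user but works as root, the fix belongs in the LDAP client's permissions or nsswitch configuration, and privilege separation can stay on.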



This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 23:27:20 EDT