I have working pam_ldap authentication using libpam_ldapd. I'm using slapo-nssov and want to use the loginStatus attribute, which is added to the user's LDAP entry after opening a PAM session and deleted when it's closed. It works only with ssh password authentication.
I think that there's something skipped in PAM when I use public-key instead of password: there is no "pam_ldap(sshd:auth): nslcd authentication; user=user" record in auth.log, and nssov doesn't have information about the user and his DN to update the session. That's probably the reason why the loginStatus attribute isn't added to the user's LDAP entry. Is there any chance to force PAM to do sshd:auth when public-key authentication is used?
Successful ssh connection by user password:
Apr 8 10:41:57 host sshd[14511]: pam_ldap(sshd:auth): nslcd authentication; user=jindraj
Apr 8 10:41:57 host sshd[14511]: pam_ldap(sshd:auth): authentication succeeded
Apr 8 10:41:57 host sshd[14511]: pam_ldap(sshd:account): nslcd authorisation; user=jindraj
Apr 8 10:41:57 host sshd[14511]: pam_ldap(sshd:account): authorization succeeded
Apr 8 10:41:57 host sshd[14511]: Accepted password for jindraj from 10.255.0.5 port 60889 ssh2: RSA 5c:f6:86:ec:06:b6:4d:ed:e5:34:23:66:78:a0:16:2b
Apr 8 10:41:57 host sshd[14511]: pam_selinux(sshd:session): Open Session
Apr 8 10:41:57 host sshd[14511]: pam_unix(sshd:session): session opened for user jindraj by (uid=0)
Apr 8 10:41:57 host sshd[14511]: pam_ldap(sshd:session): nslcd session open; user=jindraj
Apr 8 10:41:57 host sshd[14511]: pam_ldap(sshd:session): session open succeeded; session_id=1428482517
Apr 8 10:41:57 host login[14524]: pam_ldap(login:account): nslcd authorisation; user=jindraj
Apr 8 10:41:57 host login[14524]: pam_ldap(login:account): authorization succeeded
Apr 8 10:41:57 host login[14524]: pam_unix(login:session): session opened for user jindraj by (uid=0)
Apr 8 10:41:57 host login[14524]: pam_ldap(login:session): nslcd session open; user=jindraj
Apr 8 10:41:57 host login[14524]: pam_ldap(login:session): error reading from nslcd: Connection reset by peer
Apr 8 10:41:57 host login[14524]: pam_ldap(login:session): nslcd session open; user=jindraj
Apr 8 10:41:57 host login[14524]: pam_ldap(login:session): error reading from nslcd: Connection reset by peer
slapd.log grepped for nssov_pam when logged in to ssh using password:
Apr 8 14:33:00 sudo slapd[4004]: nssov_pam_authc(jindraj)
Apr 8 14:33:00 sudo slapd[4004]: nssov_pam_authz(cn=jakub jindra,ou=people,dc=socialbakers,dc=com)
Apr 8 14:33:00 sudo slapd[4004]: nssov_pam_sess_o(cn=jakub jindra,ou=people,dc=socialbakers,dc=com)
Apr 8 14:33:00 sudo slapd[4004]: nssov_pam_authz()
Apr 8 14:33:00 sudo slapd[4004]: nssov_pam_sess_o()
Apr 8 14:33:00 sudo slapd[4004]: nssov_pam_sess_o()
Successful ssh connection by the user's public key:
Apr 8 10:41:32 host sshd[14389]: pam_ldap(sshd:account): nslcd authorisation; user=jindraj
Apr 8 10:41:32 host sshd[14389]: pam_ldap(sshd:account): authorization succeeded
Apr 8 10:41:32 host sshd[14389]: Accepted publickey for jindraj from 10.255.0.5 port 60888 ssh2: RSA 5c:f6:86:ec:06:b6:4d:ed:e5:34:23:66:78:a0:16:2b
Apr 8 10:41:32 host sshd[14389]: pam_selinux(sshd:session): Open Session
Apr 8 10:41:32 host sshd[14389]: pam_unix(sshd:session): session opened for user jindraj by (uid=0)
Apr 8 10:41:32 host sshd[14389]: pam_ldap(sshd:session): nslcd session open; user=jindraj
Apr 8 10:41:32 host sshd[14389]: pam_ldap(sshd:session): error reading from nslcd: Connection reset by peer
Apr 8 10:41:32 host sshd[14389]: pam_ldap(sshd:session): nslcd session open; user=jindraj
Apr 8 10:41:32 host sshd[14389]: pam_ldap(sshd:session): error reading from nslcd: Connection reset by peer
Apr 8 10:41:32 host sshd[14389]: pam_selinux(sshd:session): Open Session
Apr 8 10:41:32 host sshd[14389]: pam_selinux(sshd:session): SELinux is not enabled
Apr 8 10:41:32 host login[14420]: pam_ldap(login:account): nslcd authorisation; user=jindraj
Apr 8 10:41:32 host login[14420]: pam_ldap(login:account): authorization succeeded
Apr 8 10:41:32 host login[14420]: pam_unix(login:session): session opened for user jindraj by (uid=0)
Apr 8 10:41:32 host login[14420]: pam_ldap(login:session): nslcd session open; user=jindraj
Apr 8 10:41:32 host login[14420]: pam_ldap(login:session): error reading from nslcd: Connection reset by peer
Apr 8 10:41:32 host login[14420]: pam_ldap(login:session): nslcd session open; user=jindraj
Apr 8 10:41:32 host login[14420]: pam_ldap(login:session): error reading from nslcd: Connection reset by peer
slapd.log grepped for nssov_pam when logged in to ssh using publickey:
Apr 8 14:32:54 sudo slapd[4004]: nssov_pam_authz()
Apr 8 14:32:54 sudo slapd[4004]: nssov_pam_sess_o()
Apr 8 14:32:54 sudo slapd[4004]: nssov_pam_sess_o()
Apr 8 14:32:54 sudo slapd[4004]: nssov_pam_authz()
Apr 8 14:32:54 sudo slapd[4004]: nssov_pam_sess_o()
Apr 8 14:32:54 sudo slapd[4004]: nssov_pam_sess_o()
Here's my auth-client-config profile. It should give you insight into how my nsswitch and PAM configuration look:
[ldap]
nss_passwd=passwd: files ldap
nss_group=group: files ldap
nss_shadow=shadow: files
nss_netgroup=netgroup: nis
nss_hosts=hosts: files cache dns
nss_services=services: files ldap
nss_sudoers=sudoers: files ldap
pam_auth=auth required pam_env.so
        auth sufficient pam_unix.so likeauth nullok
        auth sufficient pam_ldap.so minimum_uid=10000 use_first_pass debug
        auth required pam_deny.so
pam_account=account sufficient pam_unix.so
        account sufficient pam_ldap.so minimum_uid=10000 debug
        account required pam_deny.so
pam_password=password sufficient pam_unix.so nullok md5 shadow use_authtok
        password sufficient pam_ldap.so minimum_uid=10000 try_first_pass debug
        password required pam_deny.so
pam_session=session required pam_limits.so
        session required pam_unix.so
        session sufficient pam_ldap.so use_authtok debug
        session required pam_mkhomedir.so skel=/etc/skel umask=0022
My environment:
- Ubuntu 14.04 LTS
- OpenSSH_6.6.1p1 Ubuntu-2ubuntu2, OpenSSL 1.0.1f 6 Jan 2014
- libpam_ldapd 0.8.13-3
- libnss_ldapd 0.8.13-3
- openldap 2.4.31 with nssov
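The two auth.log excerpts above differ in exactly one place: the public-key login never produces a pam_ldap(sshd:auth) line, because sshd only runs the PAM auth stack for password-style methods (and for publickey only when the server is configured to do so). The script below is an added example, not part of the original question or of nss-pam-ldapd, that makes this visible on a real host: it groups sshd log lines by PID, records the accepted method and which PAM stages pam_ldap actually ran, and lists sessions that were opened without pam_ldap ever authenticating the user, which are exactly the logins whose loginStatus will not be maintained by nssov. The embedded sample lines are a subset of the log lines quoted in the question; the regular expressions and the field names in the result are my own and assume the standard Ubuntu syslog line layout shown above.

```python
import re
from collections import defaultdict

# Sample lines taken from the question above: one password login (PID 14511)
# and one public-key login (PID 14389). On a real host, read /var/log/auth.log.
SAMPLE_LOG = """\
Apr 8 10:41:57 host sshd[14511]: pam_ldap(sshd:auth): nslcd authentication; user=jindraj
Apr 8 10:41:57 host sshd[14511]: pam_ldap(sshd:auth): authentication succeeded
Apr 8 10:41:57 host sshd[14511]: pam_ldap(sshd:account): nslcd authorisation; user=jindraj
Apr 8 10:41:57 host sshd[14511]: Accepted password for jindraj from 10.255.0.5 port 60889 ssh2: RSA 5c:f6:86:ec:06:b6:4d:ed:e5:34:23:66:78:a0:16:2b
Apr 8 10:41:57 host sshd[14511]: pam_unix(sshd:session): session opened for user jindraj by (uid=0)
Apr 8 10:41:57 host sshd[14511]: pam_ldap(sshd:session): nslcd session open; user=jindraj
Apr 8 10:41:32 host sshd[14389]: pam_ldap(sshd:account): nslcd authorisation; user=jindraj
Apr 8 10:41:32 host sshd[14389]: Accepted publickey for jindraj from 10.255.0.5 port 60888 ssh2: RSA 5c:f6:86:ec:06:b6:4d:ed:e5:34:23:66:78:a0:16:2b
Apr 8 10:41:32 host sshd[14389]: pam_unix(sshd:session): session opened for user jindraj by (uid=0)
Apr 8 10:41:32 host sshd[14389]: pam_ldap(sshd:session): nslcd session open; user=jindraj
Apr 8 10:41:32 host sshd[14389]: pam_ldap(sshd:session): error reading from nslcd: Connection reset by peer
"""

# "Mon  d HH:MM:SS host prog[pid]: message" (classic syslog layout, as in the question)
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'(?P<prog>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$')
# "pam_ldap(sshd:auth): ..." -> module, PAM service, PAM stage, detail text
PAM_RE = re.compile(
    r'^(?P<module>pam_\w+)\((?P<service>[\w-]+):(?P<stage>\w+)\): (?P<detail>.*)$')
# sshd's own acceptance record tells us which authentication method was used
ACCEPT_RE = re.compile(
    r'^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)')


def parse_sessions(log_text):
    """Group sshd lines by PID; per session record the user, the accepted
    method, the PAM stages pam_ldap ran, and how many nslcd read errors occurred."""
    sessions = defaultdict(lambda: {"user": None, "method": None, "src": None,
                                    "ldap_stages": set(), "nslcd_errors": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("prog") != "sshd":
            continue
        sess = sessions[int(m.group("pid"))]
        msg = m.group("msg")
        acc = ACCEPT_RE.match(msg)
        if acc:
            sess.update(user=acc.group("user"), method=acc.group("method"),
                        src=acc.group("src"))
            continue
        pam = PAM_RE.match(msg)
        if pam and pam.group("module") == "pam_ldap":
            sess["ldap_stages"].add(pam.group("stage"))
            if "error reading from nslcd" in pam.group("detail"):
                sess["nslcd_errors"] += 1
    return dict(sessions)


def sessions_without_ldap_auth(sessions):
    """PIDs of accepted logins that opened a PAM session although pam_ldap's
    auth stage never ran, i.e. nslcd/nssov never saw the user's credentials.
    These are the logins for which loginStatus will not be set."""
    return sorted(pid for pid, s in sessions.items()
                  if s["method"] and "session" in s["ldap_stages"]
                  and "auth" not in s["ldap_stages"])


if __name__ == "__main__":
    found = parse_sessions(SAMPLE_LOG)
    for pid, s in sorted(found.items()):
        print(f"sshd[{pid}] user={s['user']} method={s['method']} "
              f"pam_ldap stages={sorted(s['ldap_stages'])} "
              f"nslcd_errors={s['nslcd_errors']}")
    print("sessions opened without pam_ldap auth:", sessions_without_ldap_auth(found))
```

Run against the sample, the password session shows pam_ldap stages auth, account and session, while the public-key session shows only account and session and is the one reported by sessions_without_ldap_auth; the same check over a live auth.log tells you which logins on the host are bypassing the nssov auth path rather than relying on the absence of a single log line.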