Kumaresh
2004-Apr-02 11:43 UTC
PAM_LDAP fails with 3.7.1p2 when Shadow password installed on HP-UX 11.11
Hello All,

We have been successfully using PAM_LDAP authentication with OpenSSH-3.6 on our HP-UX 11.11. When OpenSSH-3.7.1p2 is installed [with Darren's password expiry patch 26], and when the Shadow password bundle is installed on the system, our ssh authentication fails. Even when the source is compiled without Darren's patch, the same behaviour is seen and there is no success.

When Shadow password is uninstalled, LDAP auth works.

The error on the sshd side we are getting is "PAM: No account present for user" [please refer to the attached debug file].

I have installed OpenSSH-3.8 without any password expiry patch and that also works with PAM_LDAP with Shadow passwords. I am wondering why 3.7.1p2 alone does not work when 3.6 and 3.8 work.

Both 3.7 and 3.8 have the following macros in config.h:

    #undef DISABLE_SHADOW
    #define HAS_SHADOW_EXPIRE 1
    #define HAVE_SHADOW_H 1
    #define HAVE_SECURITY_PAM_APPL_H 1
    #define USE_PAM 1
    #define PAM_SUN_CODEBASE 1
    #define HAVE_LIBPAM 1
    /* #undef PAM_TTY_KLUDGE */
    /* #undef HAVE_OLD_PAM */
    /* #undef HAVE_PAM_GETENVLIST */
    /* #undef HAVE_PAM_PUTENV */

Some more info on the PAM_LDAP library used on the system. When the Shadow password bundle is installed on the system, the shadow file enable and disable commands are installed as "/usr/sbin/pwunconv" and "/usr/sbin/pwconv". The PAM_LDAP library checks for this, and in particular when "/usr/sbin/pwunconv" is removed, LDAP auth works.

Is there any chance that the problem is in checking the return status of the PAM APIs in 3.7.1p2?

I have attached the "sshd -ddd" file with this mail.

Thanks in advance,
Kumaresh.
Darren Tucker
2004-Apr-02 13:33 UTC
PAM_LDAP fails with 3.7.1p2 when Shadow password installed on HP-UX 11.11
Kumaresh wrote:
> We have been successfully using PAM_LDAP authentication with OpenSSH-3.6 on
> our HP-UX 11.11. When OpenSSH-3.7.1p2 is installed [with Darren's password
> expiry patch 26], and when Shadow password bundle is installed on the
> system, our ssh authentication failed. Even when the source is compiled
> without Darren's patch, the same behaviour is seen and there is no success.
>
> When Shadow password is uninstalled, LDAP auth works.

3.6x had some HP-UX specific code for the Trusted Mode case (using getprpwnam), and didn't use the shadow calls (getspnam). 3.7.1p2 uses the shadow calls on HPUX, but has a bug for the Trusted Mode case, which was fixed for 3.8p1. Maybe the shadow password bundle + LDAP has the same problem with 3.7x as Trusted Mode did?

> The error in sshd side we are getting is
> "PAM: No account present for user" [please refer attached debug file]

The debug file is missing (filtered?). This looks like an error returned by PAM, though; not sure why.

> I have installed OpenSSH-3.8 without any password expiry patch and that also
> works with PAM_LDAP with Shadow passwords.
> I am wondering why 3.7.1p2 alone do not work when 3.6, and 3.8 works.
> Both 3.7 and 3.8 have the following macros in config.h
[...]
> Is there any chance that the problem is in checking the return status of the
> PAM APIs in 3.7.1p2?

There were a few minor improvements to PAM; it's possible one of those makes a difference. (PAM is something of a black box; sometimes little things make a difference for no apparent reason.) If 3.8p1 works properly, I wouldn't put too much effort into tracking down the exact cause, though...

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.