Hello,

I have the following problem: I have installed openssh-1.2.2 on FreeBSD
3.4-RELEASE. I intentionally did not take the FreeBSD port because it does
not support PAM. My aim is to make sshd authenticate against a TACACS+
server using the pam_tacplus.so module shipped with FreeBSD. That works
perfectly with this line in my /etc/pam.conf:

login auth sufficient pam_tacplus.so

Accordingly, I set up pam.conf like this to make sshd do the same:

sshd auth required pam_tacplus.so

But all I get then from sshd is this:

su-2.03# /usr/local/sbin/sshd -d
debug: sshd version OpenSSH-1.2.2
debug: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
Generating 768 bit RSA key.
RSA key generation complete.
debug: Server will not fork when running in debugging mode.
Connection from 212.88.133.252 port 1021
debug: Client protocol version 1.5; client software version OpenSSH-1.2.1
debug: Sent 768 bit public key and 1024 bit host key.
debug: Encryption type: 3des
debug: Received session key; encryption turned on.
debug: Installing crc compensation attack detector.
debug: Starting up PAM with username "domi"
debug: Attempting authentication for domi.
Failed rsa for domi from 212.88.133.252 port 1021
debug: PAM Password authentication accepted for user "domi"
Accepted password for domi from 212.88.133.252 port 1021
debug: PAM setting rhost to "dominik.saargate.de"
PAM rejected by account configuration: Permission denied
Faking authloop for illegal user domi from 212.88.133.252 port 1021

I configured openssh with

./configure --with-tcp-wrappers --with-ipv4-default --with-md5-passwords

What can I do in order to make sshd work correctly?

--
Dominik - http://www.saargate.de/~domi/

On Wed, 2 Feb 2000, Dominik Brettnacher wrote:

> Hello,
>
> I have the following problem: I have installed openssh-1.2.2 on FreeBSD
> 3.4-RELEASE. I intentionally did not take the FreeBSD port because it does
> not support PAM. My aim is to make sshd authenticate against a TACACS+
> server using the pam_tacplus.so module shipped with FreeBSD. That works
> perfectly with this line in my /etc/pam.conf:
>
> login auth sufficient pam_tacplus.so
>
>
> Accordingly, I set up pam.conf like this to make sshd do the same:
>
> sshd auth required pam_tacplus.so

Is this your full PAM file for sshd? It looks like there are account and
session entries missing.

> PAM rejected by account configuration: Permission denied

What 'account' entries do you have for sshd? If there are none it
may be defaulting to deny.

Regards,
Damien Miller

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

On Thu, 3 Feb 2000, djm at mindrot.org wrote:

>> PAM rejected by account configuration: Permission denied
> What 'account' entries do you have for sshd? If there are none it
> may be defaulting to deny.

You were right, I did not set up any. Now my pam.conf looks like this:

sshd auth required pam_tacplus.so
sshd account required pam_unix.so try_first_pass
sshd password required pam_unix.so try_first_pass
sshd session required pam_unix.so try_first_pass

When I use "pam_permit.so" as the session module, I can log in
successfully, but when trying pam_unix.so, I get these errors:

Feb 3 07:05:01 sshd[17265]: unable to resolve symbol: pam_sm_chauthtok
Feb 3 07:05:01 sshd[17265]: unable to resolve symbol: pam_sm_open_session
Feb 3 07:05:01 sshd[17265]: unable to resolve symbol: pam_sm_close_session

I already linked libcrypt.so to sshd because I got error messages without.
But what is missing here?

--
Dominik - http://www.saargate.de/~domi/
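
Added example, not part of the thread and not OpenSSH or FreeBSD code: a small Python check that lists which of the four PAM management groups a service has entries for in a pam.conf-style file, the gap pointed out in the reply above. It assumes the one-rule-per-line `service type control module [args]` syntax with single-word controls and Linux-PAM's `other` fallback service; the sample file is constructed from the lines quoted in the first message.

```python
FACILITIES = ("auth", "account", "password", "session")

# Constructed sample: the single-line sshd setup from the first message,
# plus the login line it was modelled on.
SAMPLE_PAM_CONF = """\
# service  type  control     module
login      auth  sufficient  pam_tacplus.so
sshd       auth  required    pam_tacplus.so
"""


def parse_pam_conf(text):
    """Return {service: {facility: [(control, module, args), ...]}}."""
    rules = {}
    logical = text.replace("\\\n", " ")  # join backslash-continued lines
    for raw in logical.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, then tokenize
        if len(fields) < 4:
            continue  # blank, comment-only or malformed line
        service, facility, control, module = fields[:4]
        entry = (control, module, fields[4:])
        per_service = rules.setdefault(service.lower(), {})
        per_service.setdefault(facility.lower(), []).append(entry)
    return rules


def audit_service(rules, service):
    """Map each facility to 'configured', 'falls back to other' or 'missing'."""
    own = rules.get(service, {})
    other = rules.get("other", {})  # assumption: Linux-PAM fallback service
    report = {}
    for facility in FACILITIES:
        if facility in own:
            report[facility] = "configured"
        elif facility in other:
            report[facility] = "falls back to other"
        else:
            report[facility] = "missing"
    return report


if __name__ == "__main__":
    result = audit_service(parse_pam_conf(SAMPLE_PAM_CONF), "sshd")
    for facility, status in result.items():
        print(f"sshd {facility:<8} {status}")
```

A facility reported as missing or falling back to `other` is one whose outcome is decided outside the service's own lines, which is where an unexpected deny during the account phase can come from.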