>> But instead I get
>> centos: sshd[7929]: pam_unix(sshd:session): session opened for user
>> <username>
>
> "pam_unix" should be an indication that <username> appears in the local
> unix password files. Make sure that it doesn't.

Nope. None of the usernames I tried is in /etc/passwd or /etc/shadow.

> What do /etc/pam.d/sshd and /etc/pam.d/system-auth contain, currently?

/etc/pam.d/sshd:
----------------
#%PAM-1.0
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
session    required     pam_mkhomedir.so skel=/etc/skel/ umask=0077

/etc/pam.d/system-auth:
-----------------------
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 200 quiet_success
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so
auth        required      pam_env.so
auth        optional      pam_gnome_keyring.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 2000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so
account     requisite     pam_unix.so try_first_pass
account     sufficient    pam_localuser.so
account     required      pam_sss.so use_first_pass
account     sufficient    pam_localuser.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so
password    requisite     pam_cracklib.so
password    optional      pam_gnome_keyring.so use_authtok
password    sufficient    pam_unix.so use_authtok nullok shadow try_first_pass
password    required      pam_sss.so use_authtok

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     sufficient    pam_sss.so
session     required      pam_unix.so try_first_pass
session     optional      pam_umask.so
session     optional      pam_gnome_keyring.so auto_start only_if=gdm,gdm-password,lxdm,lightdm

With kind regards, ulrich
On 05/08/2015 08:14 AM, Ulrich Hiller wrote:
> With kind regards, ulrich

Hm. I don't *see* the problem, so let me go about this in the opposite
direction. I added the host controls to one of my systems, and they
appear to work properly. My configuration files were *mostly* written by
"authconfig".

It looks like you've done some manual tweaking with YaST examples. Some
of the PAM stuff looks like it was tacked-on at the end of a sequence
without understanding how PAM flow control works. (Minor aside: you may
have used authconfig --enablemd5, which weakens security somewhat. I
believe the default is equivalent to authconfig --passalgo=sha256)

Your sshd pam file referenced password-auth (/etc/pam.d/password-auth),
which should be a separate file from system-auth, but should have
identical content.

I recommend starting with a completely clean system, setting up
authentication with authconfig, and then modifying sssd.conf one setting
at a time as you work toward your desired configuration.

/etc/sss/sssd.conf:
------
[domain/default]
autofs_provider = ldap
cache_credentials = True
krb5_realm = PRIVATE.EXAMPLE.NET
ldap_search_base = dc=private,dc=example,dc=net
krb5_server = directory.private.example.net:88
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
ldap_uri = ldap://directory.private.example.net/
ldap_tls_cacertdir = /etc/openldap/cacerts
krb5_store_password_if_offline = True
krb5_kpasswd = directory.private.example.net:749
access_provider = ldap
ldap_access_order = host
ldap_user_authorized_host = host

[sssd]
services = nss, pam, autofs
config_file_version = 2
domains = default

[nss]

[pam]

[sudo]

[autofs]

[ssh]

[pac]
------

/etc/pam.d/system-auth-ac
------
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha256 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
------
On May 8, 2015, at 11:14 AM, Ulrich Hiller <hiller at mpia-hd.mpg.de> wrote:
>
> /etc/pam.d/system-auth:
> -----------------------
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth        required      pam_env.so
> auth        sufficient    pam_unix.so nullok try_first_pass
> auth        requisite     pam_succeed_if.so uid >= 200 quiet_success
> auth        sufficient    pam_sss.so use_first_pass
> auth        required      pam_deny.so
> auth        required      pam_env.so
> auth        optional      pam_gnome_keyring.so
>
> account     required      pam_unix.so broken_shadow
> account     sufficient    pam_succeed_if.so uid < 2000 quiet
> account     [default=bad success=ok user_unknown=ignore] pam_sss.so
> account     required      pam_permit.so
> account     requisite     pam_unix.so try_first_pass
> account     sufficient    pam_localuser.so
> account     required      pam_sss.so use_first_pass
> account     sufficient    pam_localuser.so
>
> password    requisite     pam_pwquality.so try_first_pass
> local_users_only retry=3 authtok_type=
> password    sufficient    pam_unix.so md5 shadow nullok try_first_pass
> use_authtok
> password    sufficient    pam_sss.so use_authtok
> password    required      pam_deny.so
> password    requisite     pam_cracklib.so
> password    optional      pam_gnome_keyring.so use_authtok
> password    sufficient    pam_unix.so use_authtok nullok
> shadow try_first_pass
> password    required      pam_sss.so use_authtok
>
> session     optional      pam_keyinit.so revoke
> session     required      pam_limits.so
> -session    optional      pam_systemd.so
> session     [success=1 default=ignore] pam_succeed_if.so service in
> crond quiet use_uid
> session     required      pam_unix.so
> session     sufficient    pam_sss.so
> session     required      pam_unix.so try_first_pass
> session     optional      pam_umask.so
> session     optional      pam_gnome_keyring.so auto_start
> only_if=gdm,gdm-password,lxdm,lightdm

Is it normal to have pam_unix and pam_sss twice for each section?

--
Jonathan Billings <billings at negate.org>
On 05/09/2015 01:24 PM, Jonathan Billings wrote:
> Is it normal to have pam_unix and pam_sss twice for each section?

No. See my previous message. I think it's the result of copying portions
of SuSE configurations.
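To make the PAM flow-control point concrete, and to make the "module listed twice per group" question mechanically checkable, here is an added example. It is not code from the thread, from authconfig or from sssd: a small Python linter that parses a pam.d stack file and reports (1) a module stacked more than once within one management group, (2) lines that sit after a required or requisite pam_deny.so and therefore can never turn the result into success, and (3) the weak pam_unix options nullok and md5 mentioned in the replies. The sample input is the system-auth posted earlier in the thread, shortened; the rule names and the "unreachable for success" wording are my own.

```python
"""Lint a Linux-PAM stack file (system-auth style) for the problems the thread
turns on: a module stacked twice in one management group, lines after a
'required'/'requisite' pam_deny.so that can no longer change the verdict, and
weak pam_unix options (nullok, md5).  Added example, not code from the thread."""
import re
from collections import defaultdict, namedtuple

# One parsed pam.d line: management group, control flag, module, module args.
Entry = namedtuple("Entry", "lineno mtype control module args")

# "[-]type control module [args]"; control may be a bracketed action list.
LINE_RE = re.compile(
    r"^-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_pam(text):
    """Parse pam.d file text into Entry objects, skipping blanks and comments."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a PAM line: {raw!r}")
        mtype, control, module, args = m.groups()
        entries.append(Entry(lineno, mtype, control, module, args.split()))
    return entries


def lint(entries):
    """Return (lineno, message) findings, sorted by line number."""
    findings = []
    groups = defaultdict(list)
    for e in entries:
        groups[e.mtype].append(e)
    for mtype, group in groups.items():
        # Rule 1: the same module listed more than once in one group.
        seen = defaultdict(list)
        for e in group:
            if e.control not in ("include", "substack"):
                seen[e.module].append(e.lineno)
        for module, lines in seen.items():
            if len(lines) > 1:
                findings.append((lines[0], f"{mtype}: {module} stacked {len(lines)} times "
                                           f"(lines {', '.join(map(str, lines))})"))
        # Rule 2: pam_deny.so always fails; as required/requisite it pins the group's
        # verdict to failure, so every later line only runs on the failure path.
        deny_line = None
        for e in group:
            if deny_line is not None:
                findings.append((e.lineno, f"{mtype}: {e.module} unreachable for success, "
                                           f"after pam_deny.so on line {deny_line}"))
            elif e.module == "pam_deny.so" and e.control in ("required", "requisite"):
                deny_line = e.lineno
    # Rule 3: weak pam_unix options.
    for e in entries:
        if e.module == "pam_unix.so" and "nullok" in e.args:
            findings.append((e.lineno, f"{e.mtype}: pam_unix.so nullok accepts empty passwords"))
        if e.module == "pam_unix.so" and e.mtype == "password" and "md5" in e.args:
            findings.append((e.lineno, "password: pam_unix.so hashes with md5; prefer sha512"))
    return sorted(findings)


# Sample input: the system-auth posted in the thread, shortened.
SAMPLE_SYSTEM_AUTH = """\
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 200 quiet_success
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so
auth        required      pam_env.so
auth        optional      pam_gnome_keyring.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 2000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     requisite     pam_unix.so try_first_pass
account     sufficient    pam_localuser.so
account     required      pam_sss.so use_first_pass
account     sufficient    pam_localuser.so
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so
password    requisite     pam_cracklib.so
password    sufficient    pam_unix.so use_authtok nullok shadow try_first_pass
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     required      pam_unix.so
session     sufficient    pam_sss.so
session     required      pam_unix.so try_first_pass
"""

if __name__ == "__main__":
    for lineno, msg in lint(parse_pam(SAMPLE_SYSTEM_AUTH)):
        print(f"line {lineno:2}: {msg}")
```

Running it against the sample prints fourteen findings: six stacked modules (pam_env in auth; pam_unix, pam_sss and pam_localuser in account; pam_unix in password and in session), four lines that can never yield success because they follow a required pam_deny.so, three nullok flags and the md5 option. Pointing parse_pam at a real /etc/pam.d/system-auth (read with open()) works the same way; include/substack lines are parsed but deliberately excluded from the duplicate rule, since they pull in another file rather than a module.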
It's not normal to have pam_unix.so twice in each group. That said, I am
not used to seeing nullok in these as well. (The environment I work in
requires it removed, so that's why it's strange to see.) pam_systemd.so
and md5?

I wanted to clean this up a bit, but I am going to stop now, cause I see
the reference of CentOS 5 based info and CentOS 7 stuff. I will have to
see what's changed between the both. Here's what I have thus far.

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so try_first_pass
auth        requisite     pam_succeed_if.so uid >= 200 quiet_success
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so
auth        optional      pam_gnome_keyring.so

account     required      pam_unix.so broken_shadow try_first_pass
account     sufficient    pam_succeed_if.so uid < 2000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so
account     sufficient    pam_localuser.so
account     required      pam_sss.so use_first_pass
account     sufficient    pam_localuser.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so
password    requisite     pam_cracklib.so
password    optional      pam_gnome_keyring.so use_authtok
password    required      pam_sss.so use_authtok

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so try_first_pass
session     sufficient    pam_sss.so
session     optional      pam_gnome_keyring.so auto_start only_if=gdm,gdm-password,lxdm,lightdm

-----Original Message-----
From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On Behalf Of Jonathan Billings
Sent: Saturday, May 09, 2015 4:25 PM
To: CentOS mailing list
Subject: Re: [CentOS] ldap host attribute is ignored

On May 8, 2015, at 11:14 AM, Ulrich Hiller <hiller at mpia-hd.mpg.de> wrote:
>
> /etc/pam.d/system-auth:
> -----------------------
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth        required      pam_env.so
> auth        sufficient    pam_unix.so nullok try_first_pass
> auth        requisite     pam_succeed_if.so uid >= 200 quiet_success
> auth        sufficient    pam_sss.so use_first_pass
> auth        required      pam_deny.so
> auth        required      pam_env.so
> auth        optional      pam_gnome_keyring.so
>
> account     required      pam_unix.so broken_shadow
> account     sufficient    pam_succeed_if.so uid < 2000 quiet
> account     [default=bad success=ok user_unknown=ignore] pam_sss.so
> account     required      pam_permit.so
> account     requisite     pam_unix.so try_first_pass
> account     sufficient    pam_localuser.so
> account     required      pam_sss.so use_first_pass
> account     sufficient    pam_localuser.so
>
> password    requisite     pam_pwquality.so try_first_pass
> local_users_only retry=3 authtok_type=
> password    sufficient    pam_unix.so md5 shadow nullok try_first_pass
> use_authtok
> password    sufficient    pam_sss.so use_authtok
> password    required      pam_deny.so
> password    requisite     pam_cracklib.so
> password    optional      pam_gnome_keyring.so use_authtok
> password    sufficient    pam_unix.so use_authtok nullok
> shadow try_first_pass
> password    required      pam_sss.so use_authtok
>
> session     optional      pam_keyinit.so revoke
> session     required      pam_limits.so
> -session    optional      pam_systemd.so
> session     [success=1 default=ignore] pam_succeed_if.so service in
> crond quiet use_uid
> session     required      pam_unix.so
> session     sufficient    pam_sss.so
> session     required      pam_unix.so try_first_pass
> session     optional      pam_umask.so
> session     optional      pam_gnome_keyring.so auto_start
> only_if=gdm,gdm-password,lxdm,lightdm

--
Jonathan Billings <billings at negate.org>
_______________________________________________
CentOS mailing list
CentOS at centos.org
http://lists.centos.org/mailman/listinfo/centos