Hello,

I have recently compiled and installed release 3.8.1p1. This was done on a Solaris 8 system using LDAP as its naming service. The new release, however, will not let me log in (as a regular user). I repeatedly get "Permission denied, please try again" messages. The root user, though, can log in okay. The same thing happened with the 3.7.1p2 release. The 3.6.1p1 release (which is currently running on the machine) works okay, however. All were compiled in the same manner (--prefix=/opt/openssh as the only arg).

So, it seems something changed between the 3.6.1p1 release and the 3.7.1p2 release with regards to LDAP that affects user authentication. I was in hopes this would be "corrected" with the 3.8.1p1 release, but it seems it has not. Both the 3.7.1p2 and 3.8.1p1 releases, however, work fine on machines using NIS as the naming service. It would appear, then, that openssh is having trouble with the LDAP name service and user authentication. The root user is allowed access probably due to the fact that its account info is local to the machine (/etc/passwd), and is not obtained through the name service.

Any help/info on running the current release of openssh with LDAP would be greatly appreciated.

Thanks,

--
Steve "Wheat" Belt
Motorola, Inc.
Steve.Belt at motorola.com
6501 William Cannon Dr. West, MD OE341
512-895-2268
Austin, TX 78735
On Jun 11, 2004, at 11:03 AM, Steve Belt (rgpg70) wrote:

> I have recently compiled and installed release 3.8.1p1. This was done
> on a Solaris 8 system using LDAP as its naming service. The new
> release, however, will not let me log in (as a regular user). I
> repeatedly get "Permission denied, please try again" messages. The
> root user, though, can log in okay. The same thing happened with the
> 3.7.1p2 release. The 3.6.1p1 release (which is currently running on
> the machine) works okay, however. All were compiled in the same
> manner (--prefix=/opt/openssh as the only arg).
>
> So, it seems something changed between the 3.6.1p1 release and the
> 3.7.1p2 release with regards to LDAP that affects user authentication.
> I was in hopes this would be "corrected" with the 3.8.1p1 release, but
> it seems it has not. Both the 3.7.1p2 and 3.8.1p1 releases, however,
> work fine on machines using NIS as the naming service. It would
> appear, then, that openssh is having trouble with the LDAP name
> service and user authentication. The root user is allowed access
> probably due to the fact that its account info is local to the machine
> (/etc/passwd), and is not obtained through the name service.
>
> Any help/info on running the current release of openssh with LDAP
> would be greatly appreciated.

You have to enable UsePAM. I'm assuming you're using pam_ldap and nss_ldap for your authentication. This has been discussed previously on the list. Setting UsePAM yes should do the trick for you.

--
OpenSLS - Secure Linux Server: http://opensls.org/
"lynx -source http://linsec.ca/vdanen.asc | gpg --import"
{FE6F2AFD : 88D8 0D23 8D4B 3407 5BD7 66F9 2043 D0E5 FE6F 2AFD}
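The reply's fix depends on which UsePAM line sshd actually uses. The following is an added example, not code from the thread or from the OpenSSH project: a shell function (the name effective_usepam and the sample config are constructed here) that reports the value sshd takes from a config file and flags later lines that never take effect.

```shell
#!/bin/sh
# Added example: report the UsePAM value sshd takes from an sshd_config file.
#  - keywords are case-insensitive, separated from the value by whitespace or '='
#  - the first value obtained for a keyword wins; later lines are ignored
#  - with no UsePAM line at all, the upstream default is "no"
effective_usepam() {
    # $1: path to the sshd_config file to inspect
    awk -F'[ \t=]+' '
        { sub(/#.*/, ""); sub(/^[ \t]+/, "") }   # drop comments and indentation
        tolower($1) != "usepam" { next }         # only UsePAM lines matter here
        !seen { value = $2; line = NR; seen = 1; next }
        { printf "line %d: UsePAM %s is shadowed by line %d\n", NR, $2, line > "/dev/stderr" }
        END { print (seen ? value : "no") }
    ' "$1"
}

# Constructed sample: a "yes" appended after an earlier "no" never takes effect.
demo_conf=$(mktemp)
printf '%s\n' 'Port 22' '#UsePAM yes' 'usepam no' 'UsePAM yes' > "$demo_conf"
echo "effective UsePAM: $(effective_usepam "$demo_conf")"
rm -f "$demo_conf"
```

For the build in the post the file would be /opt/openssh/etc/sshd_config (an assumption derived from the --prefix argument). UsePAM is only honoured by an sshd that was built with PAM support (`./configure --with-pam`).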