Andrew.Wong at nab.com.au
2006-Jun-20 00:51 UTC
unable to login with LDAP when set Uselogin to yes
Hi, I am not sure this is a bug in Openssh or not. I am running Openssh 4.1p1. with openssl 0.9.7g Scenario: Due to audit enabled on the system, I will need to set Uselogin to yes so that audit will track system call. But when try to login to system with a LDAP user. I get the following. eg: [n113839 at r3ent15pc ~]$ ssh tfstst1 -l ntesting1 ntesting1 at tfstst1's password: Login incorrect Connection to tfstst1 closed. [n113839 at r3ent15pc ~]$ My sshd_config: # $OpenBSD: sshd_config,v 1.70 2004/12/23 23:11:00 djm Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin # The strategy used for options in the default sshd_config shipped with # OpenSSH is to specify options with their default value where # possible, but leave them commented. Uncommented options change a # default value. #Port 22 #Protocol 2,1 #AddressFamily any #ListenAddress 0.0.0.0 #ListenAddress :: # HostKey for protocol version 1 #HostKey /usr/local/etc/ssh_host_key # HostKeys for protocol version 2 #HostKey /usr/local/etc/ssh_host_rsa_key #HostKey /usr/local/etc/ssh_host_dsa_key # Lifetime and size of ephemeral version 1 server key #KeyRegenerationInterval 1h #ServerKeyBits 768 # Logging #obsoletes QuietMode and FascistLogging #SyslogFacility AUTH #LogLevel INFO # Authentication: #LoginGraceTime 2m #PermitRootLogin yes #StrictModes yes #MaxAuthTries 6 #RSAAuthentication yes #PubkeyAuthentication yes #AuthorizedKeysFile .ssh/authorized_keys # For this to work you will also need host keys in /usr/local/etc/ssh_known_hosts #RhostsRSAAuthentication no # similar for protocol version 2 #HostbasedAuthentication no # Change to yes if you don't trust ~/.ssh/known_hosts for # RhostsRSAAuthentication and HostbasedAuthentication #IgnoreUserKnownHosts no # Don't read the user's ~/.rhosts and ~/.shosts files #IgnoreRhosts yes # To disable tunneled clear text passwords, change to no here! #PasswordAuthentication yes #PermitEmptyPasswords no # Change to no to disable s/key passwords ChallengeResponseAuthentication no # Kerberos options #KerberosAuthentication no #KerberosOrLocalPasswd yes #KerberosTicketCleanup yes #KerberosGetAFSToken no # GSSAPI options #GSSAPIAuthentication no #GSSAPICleanupCredentials yes # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will # be allowed through the ChallengeResponseAuthentication mechanism. # Depending on your PAM configuration, this may bypass the setting of # PasswordAuthentication, PermitEmptyPasswords, and # "PermitRootLogin without-password". If you just want the PAM account and # session checks to run without PAM authentication, then enable this but set # ChallengeResponseAuthentication=no #UsePAM no UsePAM yes #AllowTcpForwarding yes #GatewayPorts no #X11Forwarding no X11Forwarding yes #X11DisplayOffset 10 #X11UseLocalhost yes #PrintMotd yes PrintMotd no #PrintLastLog yes #TCPKeepAlive yes #UseLogin no # For auditing UseLogin yes #UsePrivilegeSeparation yes #PermitUserEnvironment no #Compression yes #ClientAliveInterval 0 #ClientAliveCountMax 3 #UseDNS yes #PidFile /var/run/sshd.pid #MaxStartups 10 # no default banner path #Banner /some/path # override default of no subsystems Subsystem sftp /usr/local/libexec/sftp-server Can you able to help ? Regards Andrew ____________________________________________________ Andrew Wong Enterprise System Operation Platform Service Southern Star Technology, National Australia Bank 1/122 Lewis Road, Wantirna South 3152 Phone: (03) 9886 2844 Ext x32844 Email: andrew_wong at national.com.au (andrew.wong at nab.com.au) __________________________________________________ National Australia Bank Ltd - ABN 12 004 044 937 This email may contain confidential information. If you are not the intended recipient, please immediately notify us at postmaster at nab.com.au or by replying to the sender, and then destroy all copies of this email. Except where this email indicates otherwise, views expressed in this email are those of the sender and not of National Australia Bank Ltd. Advice in this email does not take account of your objectives, financial situation, or needs. It is important for you to consider these matters and, if the e-mail refers to a product(s), you should read the relevant Product Disclosure Statement(s)/other disclosure document(s) before making any decisions. If you do not want email marketing from us in future, forward this email with "unsubscribe" in the subject line to Unsubscriptions at nab.com.au in order to stop marketing emails from this sender. National Australia Bank Ltd does not represent that this email is free of errors, viruses or interference.
Andrew.Wong at nab.com.au
2006-Jun-27 23:25 UTC
unable to login with LDAP when set Uselogin to yes
Hi, I am not sure this is a bug in Openssh or not. I am running Openssh 4.1p1. with openssl 0.9.7g Scenario: Due to audit enabled on the system, I will need to set Uselogin to yes so that audit will track system call. But when try to login to system with a LDAP user. I get the following. eg: [n113839 at r3ent15pc ~]$ ssh tfstst1 -l ntesting1 ntesting1 at tfstst1's password: Login incorrect Connection to tfstst1 closed. [n113839 at r3ent15pc ~]$ My sshd_config: # $OpenBSD: sshd_config,v 1.70 2004/12/23 23:11:00 djm Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin # The strategy used for options in the default sshd_config shipped with # OpenSSH is to specify options with their default value where # possible, but leave them commented. Uncommented options change a # default value. #Port 22 #Protocol 2,1 #AddressFamily any #ListenAddress 0.0.0.0 #ListenAddress :: # HostKey for protocol version 1 #HostKey /usr/local/etc/ssh_host_key # HostKeys for protocol version 2 #HostKey /usr/local/etc/ssh_host_rsa_key #HostKey /usr/local/etc/ssh_host_dsa_key # Lifetime and size of ephemeral version 1 server key #KeyRegenerationInterval 1h #ServerKeyBits 768 # Logging #obsoletes QuietMode and FascistLogging #SyslogFacility AUTH #LogLevel INFO # Authentication: #LoginGraceTime 2m #PermitRootLogin yes #StrictModes yes #MaxAuthTries 6 #RSAAuthentication yes #PubkeyAuthentication yes #AuthorizedKeysFile .ssh/authorized_keys # For this to work you will also need host keys in /usr/local/etc/ssh_known_hosts #RhostsRSAAuthentication no # similar for protocol version 2 #HostbasedAuthentication no # Change to yes if you don't trust ~/.ssh/known_hosts for # RhostsRSAAuthentication and HostbasedAuthentication #IgnoreUserKnownHosts no # Don't read the user's ~/.rhosts and ~/.shosts files #IgnoreRhosts yes # To disable tunneled clear text passwords, change to no here! #PasswordAuthentication yes #PermitEmptyPasswords no # Change to no to disable s/key passwords ChallengeResponseAuthentication no # Kerberos options #KerberosAuthentication no #KerberosOrLocalPasswd yes #KerberosTicketCleanup yes #KerberosGetAFSToken no # GSSAPI options #GSSAPIAuthentication no #GSSAPICleanupCredentials yes # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will # be allowed through the ChallengeResponseAuthentication mechanism. # Depending on your PAM configuration, this may bypass the setting of # PasswordAuthentication, PermitEmptyPasswords, and # "PermitRootLogin without-password". If you just want the PAM account and # session checks to run without PAM authentication, then enable this but set # ChallengeResponseAuthentication=no #UsePAM no UsePAM yes #AllowTcpForwarding yes #GatewayPorts no #X11Forwarding no X11Forwarding yes #X11DisplayOffset 10 #X11UseLocalhost yes #PrintMotd yes PrintMotd no #PrintLastLog yes #TCPKeepAlive yes #UseLogin no # For auditing UseLogin yes #UsePrivilegeSeparation yes #PermitUserEnvironment no #Compression yes #ClientAliveInterval 0 #ClientAliveCountMax 3 #UseDNS yes #PidFile /var/run/sshd.pid #MaxStartups 10 # no default banner path #Banner /some/path # override default of no subsystems Subsystem sftp /usr/local/libexec/sftp-server Can you able to help ? Regards Andrew ____________________________________________________ Andrew Wong Enterprise System Operation Platform Service Southern Star Technology, National Australia Bank 1/122 Lewis Road, Wantirna South 3152 Phone: (03) 9886 2844 Ext x32844 Email: andrew_wong at national.com.au (andrew.wong at nab.com.au) __________________________________________________ National Australia Bank Ltd - ABN 12 004 044 937 This email may contain confidential information. If you are not the intended recipient, please immediately notify us at postmaster at nab.com.au or by replying to the sender, and then destroy all copies of this email. Except where this email indicates otherwise, views expressed in this email are those of the sender and not of National Australia Bank Ltd. Advice in this email does not take account of your objectives, financial situation, or needs. It is important for you to consider these matters and, if the e-mail refers to a product(s), you should read the relevant Product Disclosure Statement(s)/other disclosure document(s) before making any decisions. If you do not want email marketing from us in future, forward this email with "unsubscribe" in the subject line to Unsubscriptions at nab.com.au in order to stop marketing emails from this sender. National Australia Bank Ltd does not represent that this email is free of errors, viruses or interference.