VanDyke Software Forums > Secure Shell
#1  12-10-2008, 09:26 AM  ecrist (Registered User)
Configuration of PAM authentication with PADL's pam_ldap

Hello,

We're trying to roll LDAP authentication into our vshell installation (vShell Enterprise, 3.0.4 on FreeBSD 6.3p1). I don't see anything in the man pages about where the vshelld PAM config should reside, so I'm assuming it's within the default (/usr/local/etc/).

I've updated the vshelld.pam config file to read as follows:
Code:
# PAM configuration for the "vshelld" service
#

# auth
auth            required        pam_nologin.so          no_warn
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
#auth           sufficient      pam_krb5.so             no_warn try_first_pass
#auth           sufficient      pam_ssh.so              no_warn try_first_pass
auth            sufficient      /usr/local/lib/pam_ldap.so      no_warn try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass

# account
#account        required        pam_krb5.so
account         required        pam_login_access.so
account         required        /usr/local/lib/pam_ldap.so      ignore_unknown_user ignore_authinfo_unavail
account         required        pam_unix.so

# session
#session        optional        pam_ssh.so
session         required        /usr/local/lib/pam_mkhomedir.so
session         required        pam_permit.so

# password
#password       sufficient      pam_krb5.so             no_warn try_first_pass
password        required        pam_unix.so             no_warn try_first_pass
This config works fine for our native sshd, pure-ftpd, and our base system. vShelld only gives me the following error:
Code:
Dec 10 10:21:12 angola vshelld[50869]: auth,00001: PAM authentication failure for user ecrist
Is there something I'm missing, or a document someone can direct me to?
#2  12-11-2008, 10:26 AM  kbarnette (VanDyke Technical Support)
Hi ecrist,

It should be possible to configure what it is you have described, but we'll need a little more information to understand more about your environment.

Are you authenticating with keyboard-interactive or password authentication?

Could you send us vshell log output with 'LogTopicDebug' set to 'True' in the vshelld_config file for both a keyboard-interactive authentication attempt as well as a password authentication attempt?

Also, could you provide us with the pam configuration files for sshd and vshelld?

Note: Since the information I am requesting can contain information that should not be posted to a public forum, feel free to send your response to support@vandyke.com with the subject of your e-mail set to 'Attn: Kevin Forum Thread 3339'.
#3  12-12-2008, 07:51 AM  ecrist (Registered User)

I'll edit out private bits so this can be available to others. This is password authentication from the log file:

Code:
Dec 12 08:36:36 angola vshelld[4090]: conn,00001: Connection accepted from 172.30.1.21:52131 
Dec 12 08:36:36 angola vshelld[4090]: dbg ,00001: [LOCAL DEBUG] SSH2Core version 4.3.0.656  
Dec 12 08:36:36 angola vshelld[4090]: dbg ,00001: [LOCAL DEBUG] Changing state from STATE_NOT_CONNECTED to STATE_EXPECT_KEX_INIT  
Dec 12 08:36:36 angola vshelld[4090]: dbg ,00001: [LOCAL DEBUG] Using protocol SSH2  
Dec 12 08:36:36 angola vshelld[4090]: dbg ,00001: [LOCAL DEBUG] RECV : Remote Identifier = "SSH-2.0-OpenSSH_5.1"  
Dec 12 08:36:36 angola vshelld[4090]: dbg ,00001: [LOCAL DEBUG] CAP  : Remote can re-key  
Dec 12 08:36:36 angola vshelld[4090]: dbg ,00001: [LOCAL DEBUG] CAP  : Remote sends language in password change requests  
Dec 12 08:36:36 angola vshelld[4090]: dbg ,00001: [LOCAL DEBUG] CAP  : Remote sends algorithm name in PK_OK packets  
Dec 12 08:36:36 angola vshelld[4090]: dbg ,00001: [LOCAL DEBUG] CAP  : Remote sends algorithm name in public key packets  
Dec 12 08:36:36 angola vshelld[4090]: dbg ,00001: [LOCAL DEBUG] CAP  : Remote sends algorithm name in signatures  
Dec 12 08:36:36 angola vshelld[4090]: dbg ,00001: [LOCAL DEBUG] CAP  : Remote sends error text in open failure packets  
Dec 12 08:36:36 angola vshelld[4090]: dbg ,00001: [LOCAL DEBUG] CAP  : Remote sends name in service accept packets  
Dec 12 08:36:36 angola vshelld[4090]: dbg ,00001: [LOCAL DEBUG] CAP  : Remote includes port number in x11 open packets  
Dec 12 08:36:36 angola vshelld[4090]: dbg ,00001: [LOCAL DEBUG] CAP  : Remote uses 160 bit keys for SHA1 MAC  
Dec 12 08:36:36 angola vshelld[4090]: dbg ,00001: [LOCAL DEBUG] CAP  : Remote supports new diffie-hellman group exchange messages  
Dec 12 08:36:36 angola vshelld[4090]: dbg ,00001: [LOCAL DEBUG] CAP  : Remote correctly handles unknown SFTP extensions  
Dec 12 08:36:36 angola vshelld[4090]: dbg ,00001: [LOCAL DEBUG] CAP  : Remote correctly encodes OID for gssapi  
Dec 12 08:36:36 angola vshelld[4090]: dbg ,00001: [LOCAL DEBUG] CAP  : Remote correctly uses connected addresses in forwarded-tcpip requests  
Dec 12 08:36:36 angola vshelld[4090]: dbg ,00001: [LOCAL DEBUG] CAP  : Remote can do SFTP version 4  
Dec 12 08:36:36 angola vshelld[4090]: dbg ,00001: [LOCAL DEBUG] CAP  : Remote x.509v3 uses ASN.1 encoding for DSA signatures  
Dec 12 08:36:36 angola vshelld[4090]: dbg ,00001: [LOCAL DEBUG] SEND : KEXINIT  
Dec 12 08:36:36 angola vshelld[4090]: dbg ,00001: [LOCAL DEBUG] RECV : Read kexinit  
Dec 12 08:36:36 angola vshelld[4090]: dbg ,00001: [LOCAL DEBUG] Available Remote Kex Methods = diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1  
Dec 12 08:36:36 angola vshelld[4090]: dbg ,00001: [LOCAL DEBUG] Selected Kex Method = diffie-hellman-group-exchange-sha1  
Dec 12 08:36:36 angola vshelld[4090]: dbg ,00001: [LOCAL DEBUG] Available Remote Host Key Algos = ssh-rsa,ssh-dss  
Dec 12 08:36:36 angola vshelld[4090]: dbg ,00001: [LOCAL DEBUG] Selected Host Key Algo = ssh-dss  
Dec 12 08:36:36 angola vshelld[4090]: dbg ,00001: [LOCAL DEBUG] Available Remote Send Ciphers = aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr  
Dec 12 08:36:36 angola vshelld[4090]: dbg ,00001: [LOCAL DEBUG] Selected Send Cipher = aes128-cbc  
Dec 12 08:36:36 angola vshelld[4090]: dbg ,00001: [LOCAL DEBUG] Available Remote Recv Ciphers = aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr  
Dec 12 08:36:36 angola vshelld[4090]: dbg ,00001: [LOCAL DEBUG] Selected Recv Cipher = aes128-cbc  
Dec 12 08:36:36 angola vshelld[4090]: dbg ,00001: [LOCAL DEBUG] Available Remote Send Macs = hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96  
Dec 12 08:36:36 angola vshelld[4090]: dbg ,00001: [LOCAL DEBUG] Selected Send Mac = hmac-md5  
Dec 12 08:36:36 angola vshelld[4090]: dbg ,00001: [LOCAL DEBUG] Available Remote Recv Macs = hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96  
Dec 12 08:36:36 angola vshelld[4090]: dbg ,00001: [LOCAL DEBUG] Selected Recv Mac = hmac-md5  
Dec 12 08:36:36 angola vshelld[4090]: dbg ,00001: [LOCAL DEBUG] Available Remote Compressors = none,zlib@openssh.com,zlib  
Dec 12 08:36:36 angola vshelld[4090]: dbg ,00001: [LOCAL DEBUG] Selected Compressor = none  
Dec 12 08:36:36 angola vshelld[4090]: dbg ,00001: [LOCAL DEBUG] Available Remote Decompressors = none,zlib@openssh.com,zlib  
Dec 12 08:36:36 angola vshelld[4090]: dbg ,00001: [LOCAL DEBUG] Selected Decompressor = none  
Dec 12 08:36:36 angola vshelld[4090]: dbg ,00001: [LOCAL DEBUG] Changing state from STATE_EXPECT_KEX_INIT to STATE_KEY_EXCHANGE  
Dec 12 08:36:36 angola vshelld[4090]: dbg ,00001: [LOCAL DEBUG] RECV : KEXDH_GEX_REQUEST  
Dec 12 08:36:36 angola vshelld[4090]: dbg ,00001: [LOCAL DEBUG] SEND : KEXDH_GEX_GROUP  
Dec 12 08:36:37 angola vshelld[4090]: dbg ,00001: [LOCAL DEBUG] RECV : KEXDH_INIT  
Dec 12 08:36:37 angola vshelld[4090]: dbg ,00001: [LOCAL DEBUG] SEND : KEXDH_REPLY  
Dec 12 08:36:37 angola vshelld[4090]: dbg ,00001: [LOCAL DEBUG] SEND : NEWKEYS  
Dec 12 08:36:37 angola vshelld[4090]: dbg ,00001: [LOCAL DEBUG] Changing state from STATE_KEY_EXCHANGE to STATE_EXPECT_NEWKEYS  
Dec 12 08:36:37 angola vshelld[4090]: dbg ,00001: [LOCAL DEBUG] RECV : NEWKEYS  
Dec 12 08:36:37 angola vshelld[4090]: dbg ,00001: [LOCAL DEBUG] Changing state from STATE_EXPECT_NEWKEYS to STATE_CONNECTION  
Dec 12 08:36:37 angola vshelld[4090]: dbg ,00001: [LOCAL DEBUG] RECV: SERVICE_REQUEST[ssh-userauth]  
Dec 12 08:36:37 angola vshelld[4090]: dbg ,00001: [LOCAL DEBUG] SEND: SERVICE_ACCEPT[ssh-userauth]  
Dec 12 08:36:37 angola vshelld[4090]: auth,00001: none for user ecrist rejected because it is unavailable 
Dec 12 08:36:38 angola vshelld[4090]: auth,00001: Received unsigned public key; checking authorization (fingerprint: ###FINGERPRINT###) 
Dec 12 08:36:38 angola vshelld[4090]: auth,00001: Searching /home/ecrist/.vshell/publickey for matching public key 
Dec 12 08:36:38 angola vshelld[4090]: auth,The public key folder '/home/ecrist/.vshell/publickey' cannot be used for authentication: No such file or directory 
Dec 12 08:36:38 angola vshelld[4090]: auth,00001: publickey for user ecrist rejected 
Dec 12 08:36:41 angola vshelld[4090]: nss_ldap: failed to bind to LDAP server ldaps://ldap: Can't contact LDAP server
Dec 12 08:36:42 angola vshelld[4090]: nss_ldap: reconnected to LDAP server ldaps://ldap2
Dec 12 08:36:42 angola vshelld[4090]: auth,00001: PAM authentication failure for user ecrist  
Dec 12 08:36:42 angola vshelld[4090]: auth,00001: password for user ecrist rejected
Our sshd PAM config is:
Code:
#
# $FreeBSD: src/etc/pam.d/sshd,v 1.15.12.1 2007/08/17 11:28:25 yar Exp $
#
# PAM configuration for the "sshd" service
#

# auth
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
#auth           sufficient      pam_krb5.so             no_warn try_first_pass
#auth           sufficient      pam_ssh.so              no_warn try_first_pass
auth            sufficient      /usr/local/lib/pam_ldap.so      no_warn try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass

# account
account         required        pam_nologin.so
#account        required        pam_krb5.so
account         required        pam_login_access.so
account         required        /usr/local/lib/pam_ldap.so      ignore_unknown_user ignore_authinfo_unavail
account         required        pam_unix.so

# session
#session        optional        pam_ssh.so
session         required        /usr/local/lib/pam_mkhomedir.so
session         required        pam_permit.so

# password
#password       sufficient      pam_krb5.so             no_warn try_first_pass
password        required        pam_unix.so             no_warn try_first_pass
Our vshelld PAM config is:
Code:
# PAM configuration for the "vshelld" service
#

# auth
auth            required        pam_nologin.so          no_warn
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
#auth           sufficient      pam_krb5.so             no_warn try_first_pass
#auth           sufficient      pam_ssh.so              no_warn try_first_pass
auth            sufficient      /usr/local/lib/pam_ldap.so      no_warn try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass

# account
#account        required        pam_krb5.so
account         required        pam_login_access.so
account         required        /usr/local/lib/pam_ldap.so      ignore_unknown_user ignore_authinfo_unavail
account         required        pam_unix.so

# session
#session        optional        pam_ssh.so
session         required        /usr/local/lib/pam_mkhomedir.so
session         required        pam_permit.so

# password
#password       sufficient      pam_krb5.so             no_warn try_first_pass
password        required        pam_unix.so             no_warn try_first_pass
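To make the control flags in the two stacks above concrete, here is an added Python example (not code from the thread, from VShell or from PADL) that parses the auth section of the posted vshelld.pam and resolves it under a few constructed scenarios. The module results are supplied by hand, so the scenario names and their outcomes are assumptions for illustration, not a replay of the poster's log.

```python
"""Resolve a PAM auth stack the way OpenPAM/Linux-PAM control flags do.

Added example for this thread; not code from VShell, PADL or the posters.
Module outcomes are supplied by hand (no real PAM modules run here).
"""
import os

# Constructed copy of the auth section of the vshelld.pam posted above.
VSHELLD_PAM = """\
# auth
auth            required        pam_nologin.so          no_warn
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
auth            sufficient      /usr/local/lib/pam_ldap.so      no_warn try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass
"""


def parse_pam(text, facility="auth"):
    """Return [(control, module, args)] for one facility, in stack order.

    A module given by path (/usr/local/lib/pam_ldap.so) is reduced to its
    bare name (pam_ldap) so outcomes can be keyed by name.
    """
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3 or fields[0] != facility:
            continue
        name = os.path.basename(fields[2])
        if name.endswith(".so"):
            name = name[:-3]
        stack.append((fields[1], name, fields[3:]))
    return stack


def evaluate(stack, outcomes):
    """Resolve a stack given each module's result (True means PAM_SUCCESS).

    required:   a failure is remembered but the remaining modules still run
    requisite:  a failure ends the stack immediately with failure
    sufficient: a success ends the stack with success, unless a required
                module already failed; a failure is ignored
    optional:   does not decide the result here
    A module absent from `outcomes` counts as failing. Returns
    (success, trace) where trace records (module, control, result).
    """
    required_failed = False
    decided = False
    trace = []
    for control, name, _args in stack:
        ok = outcomes.get(name, False)
        trace.append((name, control, ok))
        if control == "required":
            decided = True
            required_failed = required_failed or not ok
        elif control == "requisite":
            decided = True
            if not ok:
                return False, trace
        elif control == "sufficient":
            if ok and not required_failed:
                return True, trace
    # No decisive success anywhere in the stack means deny, as PAM does.
    return (decided and not required_failed), trace


STACK = parse_pam(VSHELLD_PAM)

# Constructed scenarios for an LDAP-only account: no local passwd entry and
# not OPIE-enabled, so pam_opie fails (ignored) and pam_opieaccess passes.
_BASE = {"pam_nologin": True, "pam_opie": False, "pam_opieaccess": True}
SCENARIOS = {
    "directory reachable":    dict(_BASE, pam_ldap=True, pam_unix=False),
    "directory unreachable":  dict(_BASE, pam_ldap=False, pam_unix=False),
    "local account, no LDAP": dict(_BASE, pam_ldap=False, pam_unix=True),
    "nologin file present":   dict(_BASE, pam_nologin=False, pam_ldap=True, pam_unix=False),
}


def run_scenarios():
    """Map each scenario name to the stack's final verdict."""
    return {name: evaluate(STACK, outcomes)[0] for name, outcomes in SCENARIOS.items()}


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:24s} -> {'PAM_SUCCESS' if ok else 'PAM_AUTH_ERR'}")
```

The "directory unreachable" scenario is the one worth checking on a host like this: with pam_ldap marked sufficient and pam_unix required, a directory outage does not lock everyone out but quietly falls back to whatever the local password file accepts, so pam_unix's own strictness decides who can still log in. The account-phase argument ignore_authinfo_unavail in the posted config is a separate policy decision (an unreachable directory is treated as "no opinion" rather than a denial) that this simulation does not model.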
#4  12-12-2008, 02:57 PM  kbarnette (VanDyke Technical Support)
Hi ecrist,

The VShell log you provided indicates the password authentication is being attempted.

Can you change your ssh client to attempt keyboard-interactive authentication, and send me the resulting vshelld debug log output?
#5  12-15-2008, 08:33 AM  ecrist (Registered User)

Sure, I've added keyboard-interactive to AuthenticationsAllowed, and my client indicates use of keyboard-interactive. I've attached the log file here, as it's too long for the forum.
Attached file: vshell_errs.txt (27.7 KB)
#6  12-15-2008, 11:33 AM  kbarnette (VanDyke Technical Support)
Hi ecrist,

Thanks for the information.

I have submitted the information you have provided to our development database for investigation. In the event that progress is made in relation to this issue, we will post to this forum thread.
#7  12-22-2008, 07:51 AM  ecrist (Registered User)
Timeline?

Is there a timeline to a fix for this? We purchased this software a year ago with the understanding it would honor our PAM configuration. We've rolled LDAP out to all our other systems, this daemon being the exception.
#8  12-22-2008, 12:07 PM  kbarnette (VanDyke Technical Support)
Hi ecrist,

Since our investigation on the issue is still in its infancy it is hard to tell if this is a configuration issue or a bug in VShell.

Could you provide verbose output from the client side of the keyboard-interactive authentication attempt?

Also, could you provide me with your current vshelld_config file?
#9  01-12-2009, 12:10 PM  ecrist (Registered User)
didn't see this post

Hello,

I wasn't subscribed to this thread, so I didn't see your post until today. I've got both the server debug info and the client -vvv info. I've attached these files for your review.
Attached files: client.log.txt (6.5 KB), server.log.txt (8.2 KB), vshelld_config.txt (9.5 KB)
#10  01-12-2009, 02:09 PM  miked (Registered User)
One thing I see that may be a problem is that your vshelld_config file does not allow keyboard interactive authentication. Here's a snippet from your vshelld_config:
Quote:
AuthenticationsAllowed { } # If this setting is not defined the following methods are allowed: publickey, password, gssapi-with-mic and gssapi-keyex. To allow keyboard-interactive or other methods, they must be listed explicitly.
Your client and VShell log files show that you're attempting keyboard-interactive. The following VShell log file message looks like VShell rejects keyboard-interactive.
Quote:
Jan 12 13:03:08 angola vshelld[70360]: auth,00001: keyboard-interactive for user ecrist rejected
The vshelld_config man page shows that the values you can use for AuthenticationsAllowed are: publickey, password, gssapi-with-mic, gssapi-keyex, keyboard-interactive. I think you'll want an uncommented AuthenticationsAllowed line like this:
Code:
AuthenticationsAllowed { publickey, password, gssapi-with-mic, gssapi-keyex, keyboard-interactive }
Due to the sensitive nature of log files and configuration files I'd like to move this discussion to e-mail.

Could you send an e-mail message to support@vandyke.com with a subject of Forum Thread #3339?

Also, would you attach a copy of your pam.conf file to the e-mail message?
__________________
Mike
VanDyke Software
Technical Support
[http://www.vandyke.com/support]
#11  01-13-2009, 08:14 AM  ecrist (Registered User)
As I've already mentioned, I'd rather do this here, for other users' edification. I've been pulling IPs and FQDNs out of the logs, as I post them.

In my previous post, I sent the wrong config file. I sent our production config, which isn't currently built for PAM/LDAP. I've attached our testing system config file, which does have the uncommented AuthenticationsAllowed entry.

I was told earlier in this post, or via email, that I need keyboard-interactive for PAM support. With 'AuthenticationsAllowed {keyboard-interactive}', I do see the line:
Code:
Jan 13 09:09:21 angola vshelld[61304]: auth,00001: keyboard-interactive for user ecrist rejected
The log file that was sent above was against the server running the config posted in this message.
Attached file: vshelld_config.txt (9.5 KB)
#12  01-13-2009, 08:37 AM  ecrist (Registered User)
I added password and the gssapi authentication methods to the AuthenticationsAllowed stanza, and I've attached the log output from the vshell daemon. It appears as though keyboard-interactive is still being rejected by vshell.
Attached file: vshell_debug.txt (7.9 KB)
#13  01-13-2009, 11:01 AM  miked (Registered User)
Hi ecrist,

Thanks for sending the vshelld_config for the server in use. It looks fine and you didn't need to add password and the gssapi authentication methods to the AuthenticationsAllowed stanza if you're only trying to get keyboard-interactive authentication to work.

I see your vshelld.pam file in an earlier post. I'll do some tests with what you've provided and post here when I have results.
#14  01-13-2009, 01:36 PM  miked (Registered User)
Keyboard-interactive authentication with vshelld works for me, but I'm not using LDAP and do not have an LDAP test environment at this time. It will require further investigation. As Kevin mentioned, the information you have provided has been added to our development database for further investigation and if we have additional information about LDAP configuration with PAM we'll post a follow up message to this post.

I found some information here discussing LDAP and PAM. Since the information is from a FreeBSD mailing list archive and the article is about pam.d and ldap, I hope it provides some information or sparks an idea about directories and files you might need to check. Since FreeBSD typically ships with OpenSSH, it wouldn't surprise me if there are some default stub files in place that work out of the box for your particular flavor of Unix.

Although your goal is ultimately to have keyboard-interactive working with PAM and LDAP, perhaps it would be useful to try to narrow in on where the problem occurs. Is it the PAM authentication portion that's breaking down, or is it the LDAP setup?

Can you use keyboard-interactive if you use a PAM configuration file similar to the one I've attached? If keyboard-interactive does work without LDAP involved, I think that would suggest looking at the LDAP configuration directories and files.

I've attached the relevant PAM and VShell configuration files in case they're useful for you to double check against, or anybody else is interested in a functional PAM configuration without LDAP.
Attached files: pam.d.vshelld.txt (452 Bytes), vshelld_config.txt (11.0 KB), SecureCRT.trace-options.txt (3.9 KB)
#15  01-20-2009, 01:13 PM  ecrist (Registered User)
got it working

I was talking with Todd (VanDyke Support) today, and for some reason it jostled my brain. The end result was moving the default vshelld.pam PAM config file to /usr/local/etc/pam.d/vshelld (no .pam extension). With my pam_ldap changes mentioned earlier in this thread, all seems to be working, including access restrictions.

I've got a fairly comprehensive OpenLDAP authentication page written on my wiki at http://www.secure-computing.net/wiki/index.php/OpenLDAP if others are interested. I'll post a synopsis of configuring Vshell with PAM and OpenLDAP, which should apply to FreeBSD and Linux systems.

Thanks for the help.
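An added Python example (not code from VShell, VanDyke or the posters) that encodes the two things this thread turned on: where OpenPAM looks for a service's policy, which is why a file named vshelld.pam in /usr/local/etc was never consulted while /usr/local/etc/pam.d/vshelld was, and whether a vshelld_config lists keyboard-interactive, the point miked raised in #10. The search order in POLICY_SEARCH is assumed from OpenPAM's defaults on FreeBSD; the default method list is taken from the man page text quoted in #10; a set of paths stands in for the filesystem so the check runs offline.

```python
"""Two preconditions for PAM logins through vshelld, from this thread's fix.

Added example; not VShell's code. Assumptions are marked where they appear.
"""
import re

# Assumption: OpenPAM's default policy search order on FreeBSD. A directory
# entry is searched for a file named after the service; a pam.conf entry is a
# single file whose lines are tagged with the service name.
POLICY_SEARCH = ("/etc/pam.d/", "/etc/pam.conf",
                 "/usr/local/etc/pam.d/", "/usr/local/etc/pam.conf")

# From the vshelld_config man page text quoted in the thread: the methods in
# force when AuthenticationsAllowed is not set. keyboard-interactive is absent.
DEFAULT_METHODS = ("publickey", "password", "gssapi-with-mic", "gssapi-keyex")


def candidate_policy_paths(service):
    """Files OpenPAM would consult for `service`, in search order."""
    return [p + service if p.endswith("/") else p for p in POLICY_SEARCH]


def locate_policy(service, existing_files):
    """Return the first candidate present in `existing_files`, else None.

    `existing_files` is a set of paths standing in for the filesystem.
    """
    for path in candidate_policy_paths(service):
        if path in existing_files:
            return path
    return None


_ALLOWED_RE = re.compile(r"^\s*AuthenticationsAllowed\s*\{([^}]*)\}", re.M)


def allowed_methods(config_text):
    """Parse AuthenticationsAllowed from vshelld_config text.

    Comments are stripped first, so a commented-out line does not count.
    A missing or empty setting yields the documented defaults.
    """
    stripped = "\n".join(line.split("#", 1)[0] for line in config_text.splitlines())
    m = _ALLOWED_RE.search(stripped)
    if not m:
        return list(DEFAULT_METHODS)
    methods = [tok for tok in re.split(r"[\s,]+", m.group(1).strip()) if tok]
    return methods or list(DEFAULT_METHODS)


def pam_ready(service, existing_files, config_text):
    """Report whether the policy file is findable and keyboard-interactive is on."""
    methods = allowed_methods(config_text)
    return {
        "policy_file": locate_policy(service, existing_files),
        "keyboard_interactive": "keyboard-interactive" in methods,
        "methods": methods,
    }


if __name__ == "__main__":
    # Constructed inputs: the layout from the first post versus the one that
    # worked in the last post, each paired with a plausible vshelld_config line.
    before = {"/usr/local/etc/vshelld.pam"}
    after = {"/usr/local/etc/pam.d/vshelld"}
    cfg_default = "AuthenticationsAllowed { } # defaults apply\n"
    cfg_kbd = "AuthenticationsAllowed { publickey, password, keyboard-interactive }\n"
    for files, cfg in ((before, cfg_default), (after, cfg_kbd)):
        print(pam_ready("vshelld", files, cfg))
```

Running it prints a report with policy_file None and keyboard_interactive False for the first layout, and the pam.d path with keyboard_interactive True for the second. On a real host, replace the constructed set with the paths that actually exist (os.path.exists over candidate_policy_paths) and feed in the live vshelld_config; a None policy_file is the silent failure this thread spent five weeks on.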