Solaris pam_ldap authentication using sshd-kbdint fails

Problem overview

Solaris 11 has been configured to use pam_ldap to authenticate users against an LDAP v3-compliant directory server. The Solaris host is configured to use LDAP for authentication only; it is not configured to use LDAP as a naming service.

When a valid user attempts to ssh to the Solaris host, the pam_ldap module submits a BIND request to the LDAP server and receives a successful response. However, Solaris still denies the user access.

Question to be answered: how do I complete my PAM configuration so that users can authenticate to the Solaris host over ssh using their LDAP identity?

The user is a valid user that exists both on the host (in the /etc/passwd and /etc/shadow files) and in LDAP. The account is not locked in LDAP, and the user can authenticate (BIND) to LDAP correctly:

    $ ldapsearch -h <REMOVED> -p 389 -b ou=people,o=som,dc=com -D "uid=testuser,ou=people,o=som,dc=com" -W uid=testuser
    LDAP Password:

    dn: uid=testuser,ou=People,o=som,dc=com
    uid: testuser
    cn: Test User
    objectClass: account
    objectClass: posixAccount
    objectClass: top
    objectClass: shadowAccount
    shadowInactive: 7
    loginShell: /bin/bash
    uidNumber: 1176
    homeDirectory: /home/testuser
    gecos: Test User
    gidnumber: 501
    shadowmax: 91
    shadowmin: 7
    shadowwarning: 28
    userpassword:: <REMOVED>
    shadowflag: 22352
    shadowlastchange: 16115

Debugging information

On the LDAP server you can see that the user authenticated successfully:

    Search--bindDN: cn=proxyAgent,ou=Profile,o=som,dc=com--client: <REMOVED>:59874--connectionID: 88496--received: 2014-02-17-10:53:02.324-5:00--Success
    base: ou=people,o=som,dc=com
    scope: singleLevel
    derefAliases: derefAlways
    typesOnly: false
    filter: (&(objectclass=SOLARISUSERATTR)(uid=testuser))
    attributes: uid, SolarisUserQualifier, SolarisAttrReserved1, SolarisAttrReserved2, SolarisAttrKeyValue
    numberOfEntriesReturned: 0

    AuditV3--2014-02-17-10:53:02.332-5:00--V3 Bind--bindDN: cn=proxyAgent,ou=Profile,o=som,dc=com--client: <REMOVED>:22262--connectionID: 103359--received: 2014-02-17-10:53:02.332-5:00--Success
    name: cn=proxyAgent,ou=Profile,o=som,dc=com
    authenticationChoice: simple

    Search--bindDN: cn=proxyAgent,ou=Profile,o=som,dc=com--client: <REMOVED>:22262--connectionID: 103359--received: 2014-02-17-10:53:02.333-5:00--Success
    base: ou=people,o=som,dc=com
    scope: singleLevel
    derefAliases: derefAlways
    typesOnly: false
    filter: (&(objectclass=POSIXACCOUNT)(uid=testuser))
    numberOfEntriesReturned: 1

    **Bind--bindDN: uid=testuser,ou=People,o=som,dc=com--client: <REMOVED>:12241--connectionID: 103360--received: 2014-02-17-10:53:02.335-5:00--Success
    name: uid=testuser,ou=People,o=som,dc=com
    authenticationChoice: simple**

    Search--bindDN: cn=proxyAgent,ou=Profile,o=som,dc=com--client: <REMOVED>:59874--connectionID: 88496--received: 2014-02-17-10:53:02.985-5:00--Success
    base: ou=people,o=som,dc=com
    scope: singleLevel
    derefAliases: derefAlways
    typesOnly: false
    filter: (&(objectclass=POSIXACCOUNT)(uidnumber=10011))
    attributes: cn, uid, uidNumber, gidNumber, gecos, description, homeDirectory, loginShell
    numberOfEntriesReturned: 1

Logging on the Solaris host client shows the PAM LDAP module submitting the user's credentials. However, even though the LDAP server returns success on the BIND operation, Solaris reports an authentication failure. Note the use of sshd-kbdint.

    [auth.info] reprocess config line 160: ignoring RhostsRSAAuthentication option value. SSHv1 protocol is no longer supported in the server, please remove the option.
    [auth.info] reprocess config line 167: ignoring RSAAuthentication option value. SSHv1 protocol is no longer supported in the server, please remove the option.
    [auth.notice] Failed none for test user from <REMOVED> port 54650 ssh2
    [auth.debug] ldap pam_sm_authenticate(sshd-kbdint testuser), flags = 1
    [auth.info] Keyboard-interactive (PAM) userauth failed[9] while authenticating: Authentication failed
    [auth.notice] Failed keyboard-interactive for test user from <REMOVED> port 54650 ssh2
    [auth.info] Connection closed by <REMOVED>

Configuration details

Solaris host client

/etc/ssh/sshd_config

    Protocol 2
    Port 22
    ListenAddress ::
    AllowTcpForwarding no
    GatewayPorts no
    X11Forwarding yes
    X11DisplayOffset 10
    X11UseLocalhost yes
    MaxStartups 30:60:120
    Banner /etc/issue
    PrintMotd no
    KeepAlive yes
    ClientAliveInterval 120
    ClientAliveCountMax 60
    SyslogFacility auth
    LogLevel info
    HostKey /etc/ssh/ssh_host_rsa_key
    HostKey /etc/ssh/ssh_host_dsa_key
    ServerKeyBits 768
    KeyRegenerationInterval 3600
    StrictModes yes
    LoginGraceTime 600
    MaxAuthTries 3
    MaxAuthTriesLog 0
    PermitEmptyPasswords no
    PasswordAuthentication yes
    PAMAuthenticationViaKBDInt yes
    PermitRootLogin yes
    Subsystem sftp /usr/lib/ssh/sftp-server
    IgnoreRhosts yes
    RhostsAuthentication no
    RhostsRSAAuthentication no
    RSAAuthentication yes
    KbdInteractiveAuthentication yes

ldapclient uses an ldapclient profile from the server.

    $ ldapclient list
    NS_LDAP_FILE_VERSION= 2.0
    NS_LDAP_BINDDN= cn=proxyAgent,ou=Profile,o=som,dc=com
    NS_LDAP_BINDPASSWD= <REMOVED>
    NS_LDAP_SERVERS= HOST1-IP:389, HOST2-IP:389
    NS_LDAP_SEARCH_BASEDN= o=som,dc=com
    NS_LDAP_AUTH= simple
    NS_LDAP_SERVER_PREF= HOST1:389, HOST2:389
    NS_LDAP_PROFILE= default
    NS_LDAP_CREDENTIAL_LEVEL= proxy
    NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=people,o=som,dc=com
    NS_LDAP_SERVICE_SEARCH_DESC= shadow:ou=people,o=som,dc=com
    NS_LDAP_SERVICE_SEARCH_DESC= group:ou=group,o=som,dc=com?sub
    NS_LDAP_ATTRIBUTEMAP= group:gidnumber=gidNumber
    NS_LDAP_ATTRIBUTEMAP= passwd:gidnumber=gidNumber
    NS_LDAP_ATTRIBUTEMAP= passwd:uidnumber=uidNumber
    NS_LDAP_ATTRIBUTEMAP= passwd:homedirectory=homeDirectory
    NS_LDAP_ATTRIBUTEMAP= passwd:loginshell=loginShell
    NS_LDAP_ATTRIBUTEMAP= shadow:userpassword=userPassword
    NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixAccount
    NS_LDAP_OBJECTCLASSMAP= passwd:posixAccount=posixaccount
    NS_LDAP_OBJECTCLASSMAP= group:posixGroup=posixgroup
    NS_LDAP_SERVICE_AUTH_METHOD= pam_ldap:simple
    NS_LDAP_ENABLE_SHADOW_UPDATE= TRUE

pam.conf / pam.d services

/etc/pam.conf (relevant portions only)

    login   auth requisite  pam_authtok_get.so.1
    login   auth required   pam_dhkeys.so.1
    login   auth required   pam_unix_cred.so.1
    login   auth binding    pam_unix_auth.so.1 server_policy
    login   auth required   pam_ldap.so.1 debug
    login   auth required   pam_dial_auth.so.1

    other   auth requisite  pam_authtok_get.so.1
    other   auth required   pam_dhkeys.so.1
    other   auth required   pam_unix_cred.so.1
    other   auth binding    pam_unix_auth.so.1 server_policy
    other   auth required   pam_ldap.so.1 debug

/etc/pam.d/login (relevant portions only)

    auth requisite  pam_authtok_get.so.1
    auth required   pam_dhkeys.so.1
    auth required   pam_unix_cred.so.1
    auth binding    pam_unix_auth.so.1 server_policy
    auth required   pam_ldap.so.1 debug
    auth required   pam_dial_auth.so.1

/etc/pam.d/other (relevant portions only)

    auth requisite  pam_authtok_get.so.1
    auth required   pam_dhkeys.so.1
    auth required   pam_unix_cred.so.1
    auth binding    pam_unix_auth.so.1 server_policy
    auth required   pam_ldap.so.1 debug

nsswitch.conf (nsswitch.conf was modified using svccfg, which produced the following nsswitch.conf file)

    passwd:     files ldap
    group:      files ldap
    hosts:      files [SUCCESS=return] dns
    ipnodes:    files [SUCCESS=return] dns
    networks:   files
    protocols:  files
    rpc:        files
    ethers:     files
    netmasks:   files
    bootparams: files
    publickey:  files
    netgroup:   files
    automount:  files
    aliases:    files
    services:   files
    printers:   user files
    project:    files
    auth_attr:  files
    prof_attr:  files
    tnrhtp:     files
    tnrhdb:     files
    sudoers:    files

LDAP server

The host acts as a client of Tivoli Directory Server v6.3 (ITDS). Assume that all the correct schema modifications have been made. (I added all the required RFC2307bis, NIS and Solaris schema elements to ITDS.)

It turns out that the problem was the 'binding' control_type keyword used in /etc/pam.conf and the /etc/pam.d/* files.

By replacing every instance of 'binding' on the pam_unix_auth.so.1 lines in those files, authentication now works. For example:

    login   auth binding    pam_unix_auth.so.1 server_policy
    login   auth required   pam_ldap.so.1 debug

should become

    login   auth sufficient pam_unix_auth.so.1 server_policy
    login   auth required   pam_ldap.so.1 debug

Be sure to do this wherever LDAP authentication is needed.
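Why swapping `binding` for `sufficient` changes the outcome follows from the control-flag semantics in pam.conf(4): a `binding` module that succeeds ends the stack with success, but a `binding` module that fails is recorded like a `required` failure and nothing later in the stack can undo it; a `sufficient` module's failure is recorded like an `optional` failure and is overridden by a later success. The model below is an added example, not code from the original post, and it evaluates the two `login auth` stacks shown above under constructed module outcomes. The outcomes are stand-ins for what pam_unix_auth.so.1 and pam_ldap.so.1 would return in the scenario the question describes (the user exists in /etc/shadow, the local hash does not match the password typed, the LDAP BIND succeeds); no real PAM module is called, and the handling of a stack in which every module returns PAM_IGNORE is a modelling assumption.

```python
"""Model of Solaris pam.conf(4) control-flag stacking for the auth stacks in
the question. Added example; module return codes are constructed, not observed."""

SUCCESS, FAIL, IGNORE = "PAM_SUCCESS", "PAM_AUTH_ERR", "PAM_IGNORE"


def run_stack(stack, outcomes):
    """Evaluate an auth stack as pam.conf(4) describes.

    stack:    list of (control_flag, module_name) in pam.conf order
    outcomes: dict module_name -> return code that module would produce
    Returns (overall result, list of modules that were actually invoked).
    """
    required_failure = None   # first failure from a required or binding module
    optional_failure = None   # first failure from an optional or sufficient module
    any_success = False
    invoked = []
    for flag, module in stack:
        rc = outcomes.get(module, IGNORE)
        invoked.append(module)
        if rc == IGNORE:                      # module declined to decide
            continue
        if rc == SUCCESS:
            any_success = True
            # sufficient/binding success ends the stack unless a required
            # (or binding) module already failed
            if flag in ("sufficient", "binding") and required_failure is None:
                return SUCCESS, invoked
            continue
        # rc is a failure
        if flag == "requisite":
            return rc, invoked                # immediate failure, stack aborted
        if flag in ("required", "binding"):   # binding failure is sticky
            required_failure = required_failure or rc
        else:                                 # optional or sufficient
            optional_failure = optional_failure or rc
    if required_failure is not None:
        return required_failure, invoked
    if any_success:
        return SUCCESS, invoked
    # no module decided or only optional failures: treat as failure (assumption)
    return optional_failure or FAIL, invoked


# The two 'login auth' stacks from the question, before and after the fix.
BINDING_STACK = [
    ("requisite", "pam_authtok_get.so.1"),
    ("required", "pam_dhkeys.so.1"),
    ("required", "pam_unix_cred.so.1"),
    ("binding", "pam_unix_auth.so.1"),
    ("required", "pam_ldap.so.1"),
    ("required", "pam_dial_auth.so.1"),
]
SUFFICIENT_STACK = [
    (("sufficient" if m == "pam_unix_auth.so.1" else f), m) for f, m in BINDING_STACK
]

# Constructed scenarios (hypothetical return codes, not captured from a host).
# Local /etc/shadow hash does not match the typed password; LDAP BIND succeeds.
LOCAL_MISMATCH_LDAP_OK = {
    "pam_authtok_get.so.1": SUCCESS, "pam_dhkeys.so.1": IGNORE,
    "pam_unix_cred.so.1": SUCCESS, "pam_unix_auth.so.1": FAIL,
    "pam_ldap.so.1": SUCCESS, "pam_dial_auth.so.1": IGNORE,
}
# Local password matches: neither flag ever reaches pam_ldap.
LOCAL_OK = dict(LOCAL_MISMATCH_LDAP_OK, **{"pam_unix_auth.so.1": SUCCESS})
# Neither repository accepts the password.
BOTH_FAIL = dict(LOCAL_MISMATCH_LDAP_OK, **{"pam_ldap.so.1": FAIL})


if __name__ == "__main__":
    for name, stack in (("binding", BINDING_STACK), ("sufficient", SUFFICIENT_STACK)):
        for label, outcomes in (("local mismatch, LDAP ok", LOCAL_MISMATCH_LDAP_OK),
                                ("local ok", LOCAL_OK), ("both fail", BOTH_FAIL)):
            result, invoked = run_stack(stack, outcomes)
            print(f"{name:10s} {label:24s} -> {result:13s} invoked={invoked[-1]}")
```

Two things the model makes visible. First, under the original stack the user in the question is rejected even though the directory accepted the BIND, because the `binding` failure of pam_unix_auth.so.1 is sticky; under the `sufficient` stack the same run succeeds because pam_ldap.so.1, a `required` module, supplies the deciding success. Second, with either flag a matching local password ends the stack before pam_ldap.so.1 is ever consulted, so an account that is kept in both /etc/shadow and LDAP has two independent passwords, and disabling it in the directory alone does not stop a login with the local one.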