Gentoo Forums
[SOLVED] SSH logins don't use PAM sshd or system-auth
kres
Posted: Mon Dec 05, 2016 6:51 pm    Post subject: [SOLVED] SSH logins don't use PAM sshd or system-auth

I've got SSH and LDAP set up on a box. LDAP passthrough on SSH works like a charm.

I have the pam_mkhomedir entry in my system-auth per RTFM:

/etc/pam.d/system-auth
Code:

auth            required        pam_env.so
auth            sufficient      pam_ldap.so
auth            required        pam_unix.so try_first_pass likeauth nullok
auth            optional        pam_permit.so

account         sufficient      pam_ldap.so
account         required        pam_unix.so
account         optional        pam_permit.so

password        required        pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password        required        pam_ldap.so
password        required        pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password        optional        pam_permit.so

session         required        pam_mkhomedir.so skel=/etc/skel/ umask=0022 debug
session         required        pam_limits.so
session         required        pam_env.so
session         sufficient      pam_ldap.so
session         required        pam_unix.so
session         optional        pam_permit.so


Notice that debug statement at the end of the pam_mkhomedir line; it's my tripwire. What I've been able to see is that system-auth never fires when I log in to the system via ssh with either an LDAP user or a local user. In fact I've NEVER seen an ssh login trip any one of my /etc/pam.d/ configs.

CLI
Code:

mymac:~ melocal$ ssh joeuser@10.46.10.151
Last login: Mon Dec  5 13:18:22 2016 from 10.3.16.125
Could not chdir to home directory /home/joeuser: No such file or directory
joeuser@brown_app_aws / $


However, if I sudo or su to a new user once logged in, then BANG - the system-auth fires, pam_mkhomedir.so does its job (or evaluates the situation), the new user gets their directory if they didn't already have one, and I get a debug statement in my secure.log.

/var/log/secure.log
Code:

Dec  5 13:44:57 brown_app_aws sudo[3952]:     root : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/bin/su - joeuser
Dec  5 13:44:57 brown_app_aws sudo[3952]: pam_mkhomedir(sudo:session): Home directory /root already exists.
Dec  5 13:44:57 brown_app_aws su[3954]: Successful su for joeuser by root
Dec  5 13:44:57 brown_app_aws su[3954]: + /dev/pts/0 root:joeuser
Dec  5 13:44:57 brown_app_aws su[3954]: pam_mkhomedir(su:session): Executing mkhomedir_helper.
Dec  5 13:44:58 brown_app_aws su[3954]: pam_mkhomedir(su:session): mkhomedir_helper returned 0


CLI
Code:

brown_app_aws ~ # sudo su - joeuser
Creating directory '/home/joeuser'.


I've tried to drop the pam_mkhomedir.so line in sshd, system-login, basically everywhere I can think of, and it never triggers with sshd logins. (USE flags verified with SSH PAM support, btw)

Thoughts?
_________________
Kres


Last edited by kres on Mon Dec 05, 2016 8:42 pm; edited 1 time in total
kres
Posted: Mon Dec 05, 2016 8:28 pm

Found it.

MAN sshd_config
Code:

     UsePAM  Enables the Pluggable Authentication Module interface.  If set to “yes” this will enable PAM authentication using ChallengeResponseAuthentication and PasswordAuthentication
             in addition to PAM account and session module processing for all authentication types.

             Because PAM challenge-response authentication usually serves an equivalent role to password authentication, you should disable either PasswordAuthentication or
             ChallengeResponseAuthentication.

             If UsePAM is enabled, you will not be able to run sshd(8) as a non-root user.  The default is “no”.


On a FreeBSD system, or other systems, the default is "yes".

Because of that, if you want to have PAM and SSHD work together in Gentoo, you have to explicitly have the following line in your /etc/ssh/sshd_config file:

Code:
 UsePAM yes


PEBKAC - Too many distros under the belt.
_________________
Kres
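A small check that reproduces the root cause above without starting sshd: it reads an sshd_config file and reports whether UsePAM is effectively on, off, or absent (and therefore falling back to the compiled-in default of "no"). This is an added example, not code from the thread or from OpenSSH; it assumes the sshd_config(5) parsing rules that the first uncommented occurrence of a keyword wins, keywords are case-insensitive, and "Keyword=value" is accepted alongside "Keyword value". The sample config it runs on is constructed.

```shell
#!/bin/sh
# Print the effective UsePAM value of an sshd_config file: yes, no, or absent.
# Assumptions (sshd_config(5)): first uncommented occurrence of a keyword wins,
# keywords are case-insensitive, "Keyword=value" is accepted, and the global
# section ends at the first Match block. Always exits 0; callers read stdout.
sshd_usepam() {
    value=$(awk '
        { sub("#.*", ""); sub("=", " ") }           # drop comments, allow Keyword=value
        NF == 0 { next }                            # skip blank lines
        tolower($1) == "match" { exit }             # UsePAM is not valid inside Match
        tolower($1) == "usepam" { print tolower($2); exit }
    ' "$1")
    printf '%s\n' "${value:-absent}"
}

# Operator-facing verdict: PAM account/session modules (pam_mkhomedir and the
# rest of /etc/pam.d/system-auth) only run for SSH logins when this is "yes".
sshd_pam_verdict() {
    case "$(sshd_usepam "$1")" in
        yes) echo "UsePAM yes: sshd runs PAM account and session modules" ;;
        no)  echo "UsePAM no: sshd bypasses PAM; /etc/pam.d/sshd and system-auth never fire" ;;
        *)   echo "UsePAM absent: compiled-in default is 'no'; add 'UsePAM yes' to sshd_config" ;;
    esac
}

# Constructed sample resembling a stock config where the directive is present
# only as a commented-out default, which is exactly the trap in this thread.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# This is the sshd server system-wide configuration file.
Port 22
#UsePAM no
PasswordAuthentication yes
Subsystem sftp /usr/lib/misc/sftp-server
EOF
sshd_pam_verdict "$sample"    # prints the "UsePAM absent" verdict
rm -f "$sample"
```

Run it against /etc/ssh/sshd_config on a box where pam_mkhomedir never fires for SSH logins; if the verdict is "absent" or "no", PAM is not in the login path at all, regardless of what /etc/pam.d contains.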