Need pam.conf config help for RSH/REMSH and SSH authentication


Post by John_ » Wed, 02 Mar 2005 23:07:48



I just deployed Directory Server 5.2 to a number of our ancillary
servers using the pam.conf below.   This pam.conf works great for user
authentication through TELNET; however, it ended up breaking not only
Solaris' built-in RSH/REMSH functions but also OpenSSH on our clients,
all of which use Solaris 8, OpenSSH v3.7.1p2, and OpenSSL 0.9.7c, as
made available from SunFreeware.

If anyone tries to do an RSH using any user account that is stored in
LDAP, it immediately comes back with a failed login/authentication.

If anyone tries to log in with SSH, it asks for a password 3 times,
then asks for a user's password 3 times.

So, it's clear that I've missed something in the pam.conf.  I'm just not
sure where, and SunSolve is taking their own sweet time getting back to me.

Any assistance will be greatly appreciated.

# PAM configuration
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login  auth     requisite pam_authtok_get.so.1
login  auth     required  pam_dhkeys.so.1
login  auth     required  pam_dial_auth.so.1
login  auth     binding   pam_unix_auth.so.1 server_policy
login  auth     required  pam_ldap.so.1 use_first_pass
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin  auth     sufficient pam_rhosts_auth.so.1
rlogin  auth     requisite  pam_authtok_get.so.1
rlogin  auth     required   pam_dhkeys.so.1
rlogin  auth     binding    pam_unix_auth.so.1 server_policy
rlogin  auth     required   pam_ldap.so.1 use_first_pass
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
#rsh     auth sufficient         pam_rhosts_auth.so.1
#rsh     auth required           pam_unix_auth.so.1
rsh  auth     sufficient pam_rhosts_auth.so.1
rsh  auth     requisite  pam_authtok_get.so.1
rsh  auth     required   pam_dhkeys.so.1
rsh  auth     binding    pam_unix_auth.so.1 server_policy
rsh  auth     required   pam_ldap.so.1 use_first_pass
#
# PPP service (explicit because of pam_dial_auth)
#
ppp     auth requisite          pam_authtok_get.so.1
ppp     auth required           pam_dhkeys.so.1
ppp     auth required           pam_dial_auth.so.1
ppp     auth binding            pam_unix_auth.so.1 server_policy
ppp     auth required           pam_ldap.so.1 use_first_pass
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth binding            pam_unix_auth.so.1 server_policy
other   auth required           pam_ldap.so.1 use_first_pass
#
# passwd command (explicit because of a different authentication module)
#
passwd auth     binding   pam_passwd_auth.so.1 server_policy
passwd auth     required  pam_ldap.so.1 use_first_pass
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron    account required        pam_projects.so.1
cron    account required        pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other  account  requisite pam_roles.so.1
other  account  required  pam_projects.so.1
other  account  binding   pam_unix_account.so.1 server_policy
other  account  required  pam_ldap.so.1 use_first_pass
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other   session required        pam_unix_session.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other  password required  pam_dhkeys.so.1
other  password requisite pam_authtok_get.so.1
other  password requisite pam_authtok_check.so.1
other  password required  pam_authtok_store.so.1 server_policy
other  password required  pam_ldap.so.1 use_first_pass
#
# Support for Kerberos V5 authentication (uncomment to use Kerberos)
#
#rlogin         auth optional           pam_krb5.so.1 try_first_pass
#login          auth optional           pam_krb5.so.1 try_first_pass
#other          auth optional           pam_krb5.so.1 try_first_pass
#cron           account optional        pam_krb5.so.1
#other          account optional        pam_krb5.so.1
#other          session optional        pam_krb5.so.1
#other          password optional       pam_krb5.so.1 try_first_pass



Post by Neal A. Lucie » Wed, 02 Mar 2005 23:55:19



> I just deployed Directory Server 5.2 to a number of our ancillary
> servers using the pam.conf below.   This pam.conf works great for user
> authentication through TELNET; however, it ended up breaking not only
> Solaris' built-in RSH/REMSH functions but also OpenSSH on our clients,
> all of which use Solaris 8, OpenSSH v3.7.1p2, and OpenSSL 0.9.7c, as
> made available from SunFreeware.

> If anyone tries to do an RSH using any user account that is stored in
> LDAP, it immediately comes back with a failed login/authentication.

> If anyone tries to log in with SSH, it asks for a password 3 times,
> then asks for a user's password 3 times.

> So, it's clear that I've missed something in the pam.conf.  I'm just not
> sure where, and SunSolve is taking their own sweet time getting back to me.

> Any assistance will be greatly appreciated.

This is the pam.conf I use for Solaris 9 and DS 5.2.  I don't allow
rsh/telnet and I use Sun's ssh, so I'm not sure how useful it will be.
However, after a quick glance I've noticed you have more stuff in your
"rsh auth" section than I do, which may be causing you problems.

(BTW, this is the pam.conf I got back from Sun support after I utterly
failed at doing it myself.)

Neal Lucier

#

#
# Copyright 1996-2002 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
# PAM configuration
#
# Unless explicitly defined, all services use the modules
# defined in the "other" section.
#
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth binding            pam_unix_auth.so.1 server_policy
login   auth required           pam_ldap.so.1 use_first_pass
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin  auth sufficient         pam_rhosts_auth.so.1
rlogin  auth requisite          pam_authtok_get.so.1
rlogin  auth required           pam_dhkeys.so.1
rlogin  auth binding            pam_unix_auth.so.1 server_policy
rlogin  auth required           pam_ldap.so.1 use_first_pass
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh     auth sufficient         pam_rhosts_auth.so.1
rsh     auth binding            pam_unix_auth.so.1 server_policy
rsh     auth required           pam_ldap.so.1 use_first_pass
#
# PPP service (explicit because of pam_dial_auth)
#
ppp     auth requisite          pam_authtok_get.so.1
ppp     auth required           pam_dhkeys.so.1
ppp     auth binding            pam_unix_auth.so.1 server_policy
ppp     auth required           pam_ldap.so.1 use_first_pass
ppp     auth required           pam_dial_auth.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth binding            pam_unix_auth.so.1 server_policy
other   auth required           pam_ldap.so.1 use_first_pass
#
# passwd command (explicit because of a different authentication module)
#
passwd  auth binding            pam_passwd_auth.so.1 server_policy
passwd  auth required           pam_ldap.so.1 use_first_pass
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron    account required        pam_projects.so.1
cron    account required        pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other   account requisite       pam_roles.so.1
other   account required        pam_projects.so.1
other   account required        pam_unix_account.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other   session required        pam_unix_session.so.1
#
# Default definition for  Password management
# Used when service name is not explicitly mentioned for password management
#
other   password required       pam_dhkeys.so.1
other   password requisite      pam_authtok_get.so.1
other   password requisite      pam_authtok_check.so.1
other   password required       pam_authtok_store.so.1
#
# Support for Kerberos V5 authentication (uncomment to use Kerberos)
#
#rlogin         auth optional           pam_krb5.so.1 try_first_pass
#login          auth optional           pam_krb5.so.1 try_first_pass
#other          auth optional           pam_krb5.so.1 try_first_pass
#cron           account optional        pam_krb5.so.1
#other          account optional        pam_krb5.so.1
#other          session optional        pam_krb5.so.1
#other          password optional       pam_krb5.so.1 try_first_pass
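The two pam.conf listings above (John's, and the Sun-supplied one Neal posted) differ mainly in their rsh auth stacks, and what a difference like that does depends on how Solaris evaluates the control flags. The following Python simulator is an added example, not code from either poster or from Sun: it parses an excerpt of the posted stacks and walks them with the pam.conf(4) rules for requisite, required, binding, sufficient and optional. Two things are assumed rather than taken from the thread: that pam_unix_auth with server_policy returns PAM_IGNORE for a user whose passwd entry comes from LDAP, and that rsh offers no conversation function for pam_authtok_get to prompt through, so that module fails when no password has been supplied. The service name sshd, used to show the fall-through to the other stack, is OpenSSH's PAM service name.

```python
"""Simulate Solaris pam.conf control-flag evaluation for one service and module type.

Rules from pam.conf(4) on Solaris 8/9:
  requisite  - failure aborts the stack at once and is returned to the application
  required   - failure is recorded; the rest of the stack still runs
  binding    - success with no earlier required failure ends the stack with success;
               failure is recorded exactly like a required failure
  sufficient - success with no earlier required failure ends the stack with success;
               failure is ignored
  optional   - result ignored unless it is the only module in the stack
A module may also return PAM_IGNORE; ignored entries count neither way. The simulation
assumes pam_unix_auth with server_policy does this for a user held in LDAP.
"""
from typing import Dict, List, Tuple

SUCCESS, FAILURE, IGNORE = "success", "failure", "ignore"
Entry = Tuple[str, str, str, str, List[str]]  # service, type, control, module, options


def parse_pam_conf(text: str) -> List[Entry]:
    """Parse pam.conf text into entry tuples; comments and blank lines are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 4:
            continue
        service, mtype, control, module = fields[:4]
        entries.append((service, mtype, control.lower(), module, fields[4:]))
    return entries


def stack_for(entries: List[Entry], service: str, mtype: str) -> List[Entry]:
    """A service with no explicit entries of this type falls back to the 'other' stack."""
    explicit = [e for e in entries if e[0] == service and e[1] == mtype]
    return explicit or [e for e in entries if e[0] == "other" and e[1] == mtype]


def evaluate(stack: List[Entry], outcomes: Dict[str, str]) -> Tuple[str, List[str]]:
    """Walk the stack; outcomes maps module name -> success/failure/ignore (default success)."""
    trace: List[str] = []
    required_failed = False
    only_optional = all(c == "optional" for _, _, c, _, _ in stack)
    for _, _, control, module, _ in stack:
        rc = outcomes.get(module, SUCCESS)
        trace.append(f"{control:<10} {module:<22} -> {rc}")
        if rc == IGNORE:
            continue
        if control == "requisite" and rc == FAILURE:
            trace.append("requisite failed: stack aborted, failure returned now")
            return FAILURE, trace
        if control in ("required", "binding") and rc == FAILURE:
            required_failed = True
        elif control in ("binding", "sufficient") and rc == SUCCESS and not required_failed:
            trace.append(f"{control} succeeded with no earlier required failure: success returned now")
            return SUCCESS, trace
        elif control == "optional" and rc == FAILURE and only_optional:
            required_failed = True
    return (FAILURE if required_failed else SUCCESS), trace


# Constructed excerpt of the stacks posted in the thread: John's login and rsh auth
# stacks plus the 'other' auth stack that services such as sshd fall back to.
PAM_CONF = """
login  auth requisite  pam_authtok_get.so.1
login  auth required   pam_dhkeys.so.1
login  auth required   pam_dial_auth.so.1
login  auth binding    pam_unix_auth.so.1 server_policy
login  auth required   pam_ldap.so.1 use_first_pass
rsh    auth sufficient pam_rhosts_auth.so.1
rsh    auth requisite  pam_authtok_get.so.1
rsh    auth required   pam_dhkeys.so.1
rsh    auth binding    pam_unix_auth.so.1 server_policy
rsh    auth required   pam_ldap.so.1 use_first_pass
other  auth requisite  pam_authtok_get.so.1
other  auth required   pam_dhkeys.so.1
other  auth binding    pam_unix_auth.so.1 server_policy
other  auth required   pam_ldap.so.1 use_first_pass
"""
ENTRIES = parse_pam_conf(PAM_CONF)
# Assumed outcomes for an LDAP-resident user with a correct password.
LDAP_USER = {"pam_unix_auth.so.1": IGNORE, "pam_ldap.so.1": SUCCESS}


def telnet_login_ldap_user() -> Tuple[str, List[str]]:
    """telnet goes through the login stack: pam_unix_auth is ignored, pam_ldap binds OK."""
    return evaluate(stack_for(ENTRIES, "login", "auth"), LDAP_USER)


def sshd_ldap_user() -> Tuple[str, List[str]]:
    """sshd has no explicit entries, so the 'other' stack is evaluated."""
    return evaluate(stack_for(ENTRIES, "sshd", "auth"), LDAP_USER)


def rsh_with_rhosts() -> Tuple[str, List[str]]:
    """A matching .rhosts satisfies the sufficient entry; nothing after it is consulted."""
    return evaluate(stack_for(ENTRIES, "rsh", "auth"), {"pam_rhosts_auth.so.1": SUCCESS})


def rsh_without_rhosts() -> Tuple[str, List[str]]:
    """No .rhosts and (assumed) no conversation to prompt through: pam_authtok_get
    fails and, being requisite, aborts before pam_unix_auth or pam_ldap ever run."""
    return evaluate(stack_for(ENTRIES, "rsh", "auth"),
                    {"pam_rhosts_auth.so.1": FAILURE, "pam_authtok_get.so.1": FAILURE})


if __name__ == "__main__":
    for scenario in (telnet_login_ldap_user, sshd_ldap_user, rsh_with_rhosts, rsh_without_rhosts):
        result, trace = scenario()
        print(f"{scenario.__name__}: {result}")
        for line in trace:
            print("   ", line)
```

Run it directly to see the trace for each scenario. The rsh trace with no .rhosts stops at the requisite pam_authtok_get entry, before pam_unix_auth or pam_ldap are consulted, which is what an immediate rejection without any password prompt looks like; the same stack with a matching .rhosts returns success from the sufficient entry and never reaches the later modules. Paste a real pam.conf into PAM_CONF and adjust the outcome dictionaries to walk any other stack the same way.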



Post by n.. » Thu, 03 Mar 2005 01:07:34




>> I just deployed Directory Server 5.2 to a number of our ancillary
>> servers using the pam.conf below.   This pam.conf works great for user
>> authentication through TELNET; however, it ended up breaking not only
>> Solaris' built-in RSH/REMSH functions but also OpenSSH on our clients,
>> all of which use Solaris 8, OpenSSH v3.7.1p2, and OpenSSL 0.9.7c, as
>> made available from SunFreeware.

>> If anyone tries to do an RSH using any user account that is stored in
>> LDAP, it immediately comes back with a failed login/authentication.

>> If anyone tries to log in with SSH, it asks for a password 3 times,
>> then asks for a user's password 3 times.

>> So, it's clear that I've missed something in the pam.conf.  I'm just not
>> sure where, and SunSolve is taking their own sweet time getting back to me.

>> Any assistance will be greatly appreciated.

> This is the pam.conf I use for Solaris 9 and DS 5.2.  I don't allow
> rsh/telnet and I use Sun's ssh, so I'm not sure how useful it will be.
> However, after a quick glance I've noticed you have more stuff in your
> "rsh auth" section than I do, which may be causing you problems.

> (BTW, this is the pam.conf I got back from Sun support after I utterly
> failed at doing it myself.)

[snip, pam.conf]

Apart from the above your pam.conf looks OK, but I'm at home
so can't verify. Please do verify the level of
patch 108993 you have installed. For working "passwd:" and "group:"
databases in /etc/nsswitch.conf (files ldap for both) you need at
level 108993-18. I'd recommend later versions for security fixes.
Also, if you also use "files ldap" for RBAC (auth_attr: and
exec_attr: in /etc/nsswitch.conf) you need at least 108993-38 as
that contains a fix for a big hole: giving someone 1 command with
(e)uid=0 with RBAC via LDAP would give that person/role
(e)uid=0 for his/her complete session.

HTH, Erik.
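A quick way to act on Erik's advice about patch 108993 revisions is to parse `showrev -p` output instead of eyeballing it. The following Python is an added example, not from the thread: it takes the highest installed revision of each patch id (several revisions of one id can be listed) and compares it against the two minimums Erik quoted. The `showrev -p` line layout is assumed from Solaris 8 output and the sample lines are constructed, not captured from a host; the regex relies only on the leading `Patch: <id>-<rev>` field.

```python
"""Check installed Solaris patch revisions against the minimums quoted in the thread.

`showrev -p` prints one line per installed patch revision, in the form (layout assumed
from Solaris 8 output; only the leading 'Patch: <id>-<rev>' field is relied on):
  Patch: 108993-18 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsl
More than one revision of a patch id can be listed; the highest one is what is in effect.
"""
import re
from typing import Dict, Tuple

PATCH_RE = re.compile(r"^Patch:\s+(\d+)-(\d+)\b")

# Minimum revisions of patch 108993 quoted by Erik, keyed by what they are needed for.
REQUIREMENTS: Dict[str, Tuple[str, int]] = {
    "passwd/group via 'files ldap'": ("108993", 18),
    "RBAC auth_attr/exec_attr via 'files ldap'": ("108993", 38),
}


def installed_revisions(showrev_output: str) -> Dict[str, int]:
    """Map patch id -> highest installed revision seen in showrev -p output."""
    revs: Dict[str, int] = {}
    for line in showrev_output.splitlines():
        m = PATCH_RE.match(line.strip())
        if m:
            pid, rev = m.group(1), int(m.group(2))
            revs[pid] = max(rev, revs.get(pid, -1))
    return revs


def check(showrev_output: str) -> Dict[str, bool]:
    """For each requirement, True if the installed revision is at least the minimum.
    A patch that is not installed at all never satisfies a requirement."""
    revs = installed_revisions(showrev_output)
    return {need: revs.get(pid, -1) >= minimum
            for need, (pid, minimum) in REQUIREMENTS.items()}


# Constructed sample outputs (not captured from a host): a host that has revision 41
# layered over an older 18, and a host that only ever received revision 18.
SAMPLE_CURRENT = """\
Patch: 108993-18 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsl
Patch: 108993-41 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsl
"""
SAMPLE_OLD = """\
Patch: 108993-18 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsl
"""

if __name__ == "__main__":
    import subprocess
    try:  # on a Solaris host use the live output; elsewhere fall back to the sample
        output = subprocess.run(["showrev", "-p"], capture_output=True,
                                text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        output = SAMPLE_CURRENT
    for need, ok in check(output).items():
        print(f"{'OK ' if ok else 'BAD'} {need} (108993 >= {REQUIREMENTS[need][1]})")
```

On a host with only revision 18 the passwd/group requirement passes while the RBAC one fails, which is the case Erik warns about; on the revision 41 host John reports, both pass. Add further `(patch id, minimum)` pairs to REQUIREMENTS for any other patch a given setup depends on.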



Post by John_ » Thu, 03 Mar 2005 01:36:53



> Apart from the above your pam.conf looks OK, but I'm at home
> so can't verify. Please do verify the level of
> patch 108993 you have installed. For working "passwd:" and "group:"
> databases in /etc/nsswitch.conf (files ldap for both) you need at
> level 108993-18. I'd recommend later versions for security fixes.
> Also, if you also use "files ldap" for RBAC (auth_attr: and
> exec_attr: in /etc/nsswitch.conf) you need at least 108993-38 as
> that contains a fix for a big hole: giving someone 1 command with
> (e)uid=0 with RBAC via LDAP would give that person/role
> (e)uid=0 for his/her complete session.

It's revision 41.


Post by John_ » Fri, 04 Mar 2005 03:08:46


Apparently, the 2005Q1 patches to Directory Server *break* remote
(RSH,RCP, REMSH) functionality as well as secure (SSH, SCP, SFTP)
functionality.  I did not run into any remote or secure problems in
December on an unpatched test server, but with the patched server,
they're broken.

Sun has a "T" (beta/unreleased) patch of two lib_ldap.so.1 replacement
libraries that also require the following modification to pam.conf.

Change:

      other  account  required  pam_ldap.so.1

to

      other  account  required  pam_ldap.so.1  nopass

You still need to authenticate with your password, unlike what the
"nopass" might suggest, but after doing that all remote and secure
functions worked without a problem.

Once again, Sun's dogma of "patches, patches, patches, or we won't help
you" comes back to bite them in the ass while causing headaches for the
customer.



Post by n.. » Sat, 05 Mar 2005 08:15:02



> Apparently, the 2005Q1 patches to Directory Server *break* remote
> (RSH,RCP, REMSH) functionality as well as secure (SSH, SCP, SFTP)
> functionality.  I did not run into any remote or secure problems in
> December on an unpatched test server, but with the patched server,
> they're broken.

> Sun has a "T" (beta/unreleased) patch of two lib_ldap.so.1 replacement
> libraries that also require the following modification to pam.conf.

> Change:

>      other  account  required  pam_ldap.so.1

> to

>      other  account  required  pam_ldap.so.1  nopass

> You still need to authenticate with your password, unlike what the
> "nopass" might suggest, but after doing that all remote and secure
> functions worked without a problem.

> Once again, Sun's dogma of "patches, patches, patches, or we won't help
> you" comes back to bite them in the ass while causing headaches for the
> customer.

Hi John,

Do you mean patch 108993? What's the first revision to break SSH/SCP/SFTP
and what is the first (T) revision to unbreak it again? Could not find
info about this problem on sunsolve. What is the problem/bug ID?

TIA, Erik


1. PAM (/etc/pam.conf).....Is It Needed?

I do not have much experience with PAM, but in conversations with
others relating to our Solaris servers (versions 2.6 thru 9), I'm under
the impression that we are not using it.

In a recent audit of some of our files, we were cited with having some
servers "less secure" than others simply by virtue of the entries
within /etc/pam.conf.  They do seem to differ, especially when
comparing the 2.6 servers with more current versions (7 thru 9).

My questions become: "IF we are not using PAM, I would presume that we
do not have a need to access the /etc/pam.conf file.  That being said,
do we even need it (i.e. can it be removed without serious
ramifications)?  How would one go about determining IF it is "actually"
being used?

Thanks.
