Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 158481 - Authentication failure in ssh when using pam_ldap
Summary: Authentication failure in ssh when using pam_ldap
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: openssh
Version: 4.0
Hardware: i386
OS: Linux
Target Milestone: ---
: ---
Assignee: Tomas Mraz
QA Contact: Brian Brock
Depends On:
TreeView+ depends on / blocked
Reported: 2005-05-22 20:26 UTC by OuTian
Modified: 2007-11-30 22:07 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2005-08-03 08:25:57 UTC
Target Upstream Version:

Attachments (Terms of Use)

Description OuTian 2005-05-22 20:26:13 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-TW; rv:1.7.6) Gecko/20050318 Firefox/1.0.2

Description of problem:
When using pam_ldap to obtain account/group from LDAP server ,
It works in RHEL3 , but have some problems in RHEL 4.

After config by "authconfig" , the server could be login by accounts in LDAP server from console and telnet-server , but not work from ssh.

But after downgrade the openssh to the same versoin as RHEL3 used , everything works fine.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. set up pam_ldap and nss_ldap
2. make sure the server can obtain account by "getent passwd"

Actual Results:  login from console and telnet are ok ,
but ssh not work , always show "password incorrect".

Expected Results:  The server must be login by accounts in LDAP server from console/telnet/ssh .

Additional info:

Comment 1 Tomas Mraz 2005-05-23 06:57:19 UTC
This must be some configuration problem. Could you please attach snippets from
the /var/log/messages and /var/log/secure when you're trying to connect to the sshd?

Comment 2 OuTian 2005-05-23 15:08:47 UTC
Without any message in /var/log/messages ,
but only in /var/log/secure when I trying to ssh to the server , like this :

May 24 01:14:48 OuTian-VM-AS4 sshd[2085]: Failed password for outian from
::ffff: port 2878 ssh2

But when I enable telnetd , It works with the same username/password from telnet.

When I remove the openssh in RHEL 4 ,
and install previous version in RHEL3 ( of course , with some library ) ,
it works fine !

So I think it's the problem of openssh in RHEL 4 ?

Comment 3 Tomas Mraz 2005-05-23 15:48:21 UTC
Could you please attach your /etc/pam.d/system-auth and /etc/pam.d/sshd here?

Comment 4 OuTian 2005-05-23 16:06:32 UTC
After configure by "authconfig" ,

/etc/pam.d/system-auth :

# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/
auth        sufficient    /lib/security/$ISA/ likeauth nullok
auth        sufficient    /lib/security/$ISA/ use_first_pass
auth        required      /lib/security/$ISA/

account     required      /lib/security/$ISA/ broken_shadow
account     sufficient    /lib/security/$ISA/ uid < 100 quiet
account     [default=bad success=ok user_unknown=ignore]
account     required      /lib/security/$ISA/

password    requisite     /lib/security/$ISA/ retry=3
password    sufficient    /lib/security/$ISA/ nullok use_authtok md5
password    sufficient    /lib/security/$ISA/ use_authtok
password    required      /lib/security/$ISA/

session     required      /lib/security/$ISA/
session     required      /lib/security/$ISA/
session     optional      /lib/security/$ISA/

/etc/pam.d/sshd :

auth       required service=system-auth
auth       required
account    required service=system-auth
password   required service=system-auth
session    required service=system-auth

Comment 5 Tomas Mraz 2005-05-23 16:43:59 UTC
Could you please use the Issue Tracker to request solving the problem through
the support?

Comment 6 Tomas Mraz 2005-08-03 08:25:57 UTC
Not enough information from reporter.
I suppose there are some problems with account information stored in the ldap

Comment 7 OuTian 2005-08-03 09:23:35 UTC
(In reply to comment #6)
> Not enough information from reporter.
> I suppose there are some problems with account information stored in the ldap
> server.

No , I don't think so .

Because when I using RHEL 4 Update 1 , the problem was solved .

anyway , still thank for you .

Note You need to log in before you can comment on or make changes to this bug.