Hi,
I changed my configuration to use ldap, but the problem still exists:
pam_mount doesn't work through ssh.
Aug 21 13:13:30 test sshd[29441]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.20.10.100
user=madamczyk
Aug 21 13:13:30 test sshd[29439]: Accepted keyboard-interactive/pam
for madamczyk from 172.20.10.100 port 4615 ssh2
Aug 21 13:13:30 test sshd[29442]: pam_mount(pam_mount.c:510) error
trying to retrieve authtok from auth code
Aug 21 13:13:30 test sshd[29442]: pam_mount(pam_mount.c:162)
conv->conv(...): Conversation error
Aug 21 13:13:30 test sshd[29442]: pam_mount(pam_mount.c:513) error
trying to read password
Aug 21 13:13:30 test sshd[29442]: pam_unix(sshd:session): session
opened for user madamczyk by (uid=0)
It turned out that after local login pam_mount works, and I read that
it has something in common with pam_stack.so.
I use the new version of PAM, 1.0.1, and there is a new syntax where they
replaced pam_stack with include directives (more info can be found
here: http://www.gentoo.org/proj/en/base/pam/upgrade-0.99.xml). Can
anyone help me out with this?
Once again my config files:
/etc/pam.d/system-auth
auth required pam_env.so
auth required pam_mount.so
auth sufficient pam_unix.so try_first_pass likeauth nullok
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_ldap.so
password required pam_cracklib.so difok=2 minlen=8 dcredit=2
ocredit=2 try_first_pass retry=3
password sufficient pam_unix.so try_first_pass use_authtok nullok md5 shadow
password sufficient pam_ldap.so use_authtok use_first_pass
password required pam_deny.so
session optional pam_mount.so
session required pam_limits.so
session sufficient pam_unix.so
session sufficient pam_ldap.so
/etc/pam.d/sshd
auth include system-auth
account include system-auth
password include system-auth
session include system-auth
/etc/ssh/sshd_config
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
ChallengeResponseAuthentication yes
# Kerberos options
KerberosAuthentication yes
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none
# no default banner path
#Banner none
# override default of no subsystems
Subsystem sftp /usr/lib/misc/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand cvs server
--
Best regards,
Michał Adamczyk
On Tue, Aug 19, 2008 at 11:25 AM, Michał Adamczyk <vanditboy@...> wrote:
> Hi everyone!
>
> I have Active Directory with Windows Services for Unix. I'm using
> system authentication through pam_winbind; users can log in to Linux
> machines using an AD account. I also need to use the pam_mount module
> (I have version 0.43) with cifs, but I got this annoying message:
>
> Aug 18 16:13:00 test sshd[21555]: pam_winbind(sshd:auth): getting
> password (0x00000010)
> Aug 18 16:13:00 test sshd[21555]: pam_winbind(sshd:auth): pam_get_item
> returned a password
> Aug 18 16:13:00 test sshd[21555]: pam_winbind(sshd:auth): user
> 'madamczyk' granted access
> Aug 18 16:13:00 test sshd[21555]: pam_winbind(sshd:account): user 'madamczyk' OK
> Aug 18 16:13:00 test sshd[21555]: pam_winbind(sshd:account): user
> 'madamczyk' granted access
> Aug 18 16:13:00 test sshd[21550]: Accepted keyboard-interactive/pam
> for madamczyk from 172.20.10.100 port 2327 ssh2
> Aug 18 16:13:00 test sshd[21556]: pam_unix(sshd:session): session
> opened for user madamczyk by (uid=0)
> Aug 18 16:13:00 test sshd[21556]: pam_mount(pam_mount.c:511) error
> trying to retrieve authtok from auth code
> Aug 18 16:13:00 test sshd[21556]: pam_mount(pam_mount.c:163)
> conv->conv(...): Conversation error
> Aug 18 16:13:00 test sshd[21556]: pam_mount(pam_mount.c:514) error
> trying to read password
>
>
> I found a post with a problem similar to mine:
> http://www.linuxquestions.org/questions/linux-security-4/pammount-problems-in-ssh-on-gentoo-553741/
> but this solution doesn't work for me. I use pam-1.0.1.
>
> Here are my config files:
>
> /etc/pam.d/system-auth
>
>
> #%PAM-1.0
>
> auth required pam_env.so
> auth optional pam_mount.so
> auth sufficient pam_winbind.so use_first_pass
> auth required pam_unix.so use_first_pass
>
> #auth sufficient pam_unix.so try_first_pass likeauth nullok
> #auth required pam_group.so try_first_pass
> #auth sufficient pam_winbind.so try_first_pass
> #auth required pam_deny.so
>
> account sufficient pam_winbind.so
> account required pam_unix.so
>
> password required pam_cracklib.so difok=2 minlen=8 dcredit=2
> ocredit=2 try_first_pass retry=3
> password sufficient pam_unix.so try_first_pass use_authtok nullok md5 shadow
> password required pam_deny.so
>
> session required pam_limits.so
> session required pam_unix.so
> session required pam_mkhomedir.so skel=/etc/skel/ umask=0022 silent
> session optional pam_mount.so
>
>
>
> /etc/pam.d/sshd
>
>
> #%PAM-1.0
>
> #auth required pam_shells.so
>
>
> auth include system-auth
> auth optional pam_mount.so use_first_pass
> auth required pam_nologin.so
>
> account include system-auth
> password include system-auth
> session include system-auth
>
>
>
> /etc/security/pam_mount.conf.xml
>
>
> ...
>
> <volume user="madamczyk" fstype="cifs" server="172.20.10.10"
> path="madamczyk" mountpoint="/home/madamczyk/workspace" />
>
>
>
>
> My questions are:
>
> Where is the authtok placed?
> Why doesn't this work?
>
>
> Thanks for any help to resolve this problem.
>
> --
> Best regards,
>
> Michal Adamczyk
>
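As an added diagnostic (not from this thread or from the pam_mount project), here is a small resolver that expands the PAM 1.0 include directives discussed above and returns the effective sshd stack, so the order in which the auth modules run can be checked without reading /etc/pam.d by hand; the two files are embedded as constructed copies of the configs posted, and the function names are my own.

```python
# Constructed in-memory copies of the two /etc/pam.d files from the message
# (account and password groups left out); the real filesystem is not read.
PAM_FILES = {
    "system-auth": """
auth required pam_env.so
auth required pam_mount.so
auth sufficient pam_unix.so try_first_pass likeauth nullok
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
session optional pam_mount.so
session required pam_limits.so
session sufficient pam_unix.so
session sufficient pam_ldap.so
""",
    "sshd": """
auth include system-auth
session include system-auth
""",
}

def parse_pam(text):
    """Yield (type, control, module, args) for each non-comment line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError("malformed PAM line: %r" % raw)
        yield parts[0], parts[1], parts[2], parts[3:]

def effective_stack(service, files=PAM_FILES, depth=0):
    """Flatten a service's stack. 'include'/'substack' (the PAM 1.0 controls
    that replaced pam_stack.so) pull in only lines of the including line's
    type from the named file."""
    if depth > 8:
        raise RecursionError("include loop at %s" % service)
    stack = []
    for mtype, control, module, args in parse_pam(files[service]):
        if control in ("include", "substack"):
            stack += [e for e in effective_stack(module, files, depth + 1)
                      if e[0] == mtype]
        else:
            stack.append((mtype, control, module, args))
    return stack

def modules_before(service, mtype, target, files=PAM_FILES):
    """Modules of one type that run ahead of `target` in the flattened stack."""
    names = [e[2] for e in effective_stack(service, files) if e[0] == mtype]
    return names[:names.index(target)] if target in names else names
```

With the posted configuration, `modules_before("sshd", "auth", "pam_unix.so")` shows that pam_mount runs in the auth phase before pam_unix and pam_ldap, i.e. before any module that could already have collected the password for it.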