Old 11-08-2010, 03:56 PM
Allan Hougham
 
Default SSH AllowGroups and LDAP authentication

Hi,

I need help with this issue. I am setting up sshd_config with "AllowGroups" but I can't authenticate with LDAP; the groups are set up. This is my configuration:

Do you have any tutorial or guide for setting up SSH authentication groups with LDAP?

This is the mistake, but the user ahougham is in the "Search" group:

[root@ds03 log]# tail -f secure
Nov  6 04:09:22 ds03 sshd[7056]: debug1: kex: client->server aes256-ctr hmac-sha1 none
Nov  6 04:09:22 ds03 sshd[7056]: debug1: kex: server->client aes256-ctr hmac-sha1 none
Nov  6 04:09:22 ds03 sshd[7056]: debug1: SSH2_MSG_KEX_DH_GEX_REQUEST_OLD received
Nov  6 04:09:22 ds03 sshd[7056]: debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
Nov  6 04:09:22 ds03 sshd[7056]: debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
Nov  6 04:09:22 ds03 sshd[7056]: debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
Nov  6 04:09:22 ds03 sshd[7056]: debug1: SSH2_MSG_NEWKEYS sent
Nov  6 04:09:22 ds03 sshd[7056]: debug1: expecting SSH2_MSG_NEWKEYS
Nov  6 04:09:22 ds03 sshd[7056]: debug1: SSH2_MSG_NEWKEYS received
Nov  6 04:09:22 ds03 sshd[7056]: debug1: KEX done
Nov  6 04:09:33 ds03 sshd[7056]: debug1: userauth-request for user ahougham service ssh-connection method none
Nov  6 04:09:33 ds03 sshd[7056]: debug1: attempt 0 failures 0
Nov  6 04:09:33 ds03 sshd[7055]: User ahougham from 10.10.38.27 not allowed because none of user's groups are listed in AllowGroups
Nov  6 04:09:33 ds03 sshd[7056]: input_userauth_request: invalid user ahougham
Nov  6 04:09:33 ds03 sshd[7055]: debug1: PAM: initializing for "ahougham"
Nov  6 04:09:33 ds03 sshd[7055]: debug1: PAM: setting PAM_RHOST to "10.10.38.27"
Nov  6 04:09:33 ds03 sshd[7055]: debug1: PAM: setting PAM_TTY to "ssh"
Nov  6 04:09:35 ds03 sshd[7056]: debug1: userauth-request for user ahougham service ssh-connection method password
Nov  6 04:09:35 ds03 sshd[7056]: debug1: attempt 1 failures 1
Nov  6 04:09:35 ds03 sshd[7055]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.38.27  user=ahougham
Nov  6 04:09:36 ds03 sshd[7055]: debug1: PAM: password authentication failed for an illegal user: Authentication failure
Nov  6 04:09:36 ds03 sshd[7055]: Failed password for invalid user ahougham from 10.10.38.27 port 1480 ssh2

Thanks

Allan

sshd:

________________________________________________________________________

#	$OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

Port 22
#Protocol 2,1
Protocol 2
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
LogLevel DEBUG

# Authentication:

#LoginGraceTime 2m
LoginGraceTime 1m
#PermitRootLogin yes
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
MaxAuthTries 6

AllowGroups root ref
AllowGroups Bids ref
AllowGroups Search ref
AllowGroups Question ref

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile	.ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
PermitEmptyPasswords no
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# PasswordAuthentication, PermitEmptyPasswords, and
# "PermitRootLogin without-password". If you just want the PAM account and
# session checks to run without PAM authentication, then enable this but set
# ChallengeResponseAuthentication=no
#UsePAM no
UsePAM yes

# Accept locale-related environment variables

#AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
#AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
#AcceptEnv LC_IDENTIFICATION LC_ALL

#AllowTcpForwarding yes
AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no

# no default banner path
#Banner /some/path

# override default of no subsystems
Subsystem	sftp	/usr/libexec/openssh/sftp-server
__________________________________________________________________________

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so


_____________________________________________________________________________


# Search timelimit
#timelimit 30
timelimit 120

# Bind/connect timelimit
#bind_timelimit 30
bind_timelimit 120

# Reconnect policy: hard (default) will retry connecting to
# the software with exponential backoff, soft will fail
# immediately.
#bind_policy hard

# Idle timelimit; client will close connections
# (nss_ldap only) if the server has not been contacted
# for the number of seconds specified below.
#idle_timelimit 3600
idle_timelimit 3600

# Filter to AND with uid=%s
#pam_filter objectclass=account

# The user ID attribute (defaults to uid)
#pam_login_attribute uid

# Search the root DSE for the password policy (works
# with Netscape Directory Server)
#pam_lookup_policy yes

# Check the 'host' attribute for access control
# Default is no; if set to yes, and user has no
# value for the host attribute, and pam_ldap is
# configured for account management (authorization)
# then the user will not be allowed to login.
#pam_check_host_attr yes

# Check the 'authorizedService' attribute for access
# control
# Default is no; if set to yes, and the user has no
# value for the authorizedService attribute, and
# pam_ldap is configured for account management
# (authorization) then the user will not be allowed
# to login.
#pam_check_service_attr yes

# Group to enforce membership of
#pam_groupdn cn=PAM,ou=Groups,dc=example,dc=com

# Group member attribute
#pam_member_attribute uniquemember

# Specify a minimum or maximum UID number allowed
#pam_min_uid 0
#pam_max_uid 0

# Template login attribute, default template user
# (can be overridden by value of former attribute
# in user's entry)
#pam_login_attribute userPrincipalName
#pam_template_login_attribute uid
#pam_template_login nobody

# HEADS UP: the pam_crypt, pam_nds_passwd,
# and pam_ad_passwd options are no
# longer supported.
#
# Do not hash the password at all; presume
# the directory server will do it, if
# necessary. This is the default.
#pam_password clear

# Hash password locally; required for University of
# Michigan LDAP server, and works with Netscape
# Directory Server if you're using the UNIX-Crypt
# hash mechanism and not using the NT Synchronization
# service.
#pam_password crypt

# Remove old password first, then update in
# cleartext. Necessary for use with Novell
# Directory Services (NDS)
#pam_password clear_remove_old
#pam_password nds

# RACF is an alias for the above. For use with
# IBM RACF
#pam_password racf

# Update Active Directory password, by
# creating Unicode password and updating
# unicodePwd attribute.
#pam_password ad

# Use the OpenLDAP password change
# extended operation to update the password.
#pam_password exop

# Redirect users to a URL or somesuch on password
# changes.
#pam_password_prohibit_message Please visit http://internal to change your password.

# RFC2307bis naming contexts
# Syntax:
# nss_base_XXX		base?scope?filter
# where scope is {base,one,sub}
# and filter is a filter to be &'d with the
# default filter.
# You can omit the suffix eg:
# nss_base_passwd	ou=People,
# to append the default base DN but this
# may incur a small performance impact.
#nss_base_passwd	ou=People,dc=example,dc=com?one
#nss_base_shadow	ou=People,dc=example,dc=com?one
#nss_base_group		ou=Group,dc=example,dc=com?one
#nss_base_hosts		ou=Hosts,dc=example,dc=com?one
#nss_base_services	ou=Services,dc=example,dc=com?one
#nss_base_networks	ou=Networks,dc=example,dc=com?one
#nss_base_protocols	ou=Protocols,dc=example,dc=com?one
#nss_base_rpc		ou=Rpc,dc=example,dc=com?one
#nss_base_ethers	ou=Ethers,dc=example,dc=com?one
#nss_base_netmasks	ou=Networks,dc=example,dc=com?one
#nss_base_bootparams	ou=Ethers,dc=example,dc=com?one
#nss_base_aliases	ou=Aliases,dc=example,dc=com?one
#nss_base_netgroup	ou=Netgroup,dc=example,dc=com?one

# Just assume that there are no supplemental groups for these named users
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon

# attribute/objectclass mapping
# Syntax:
#nss_map_attribute	rfc2307attribute	mapped_attribute
#nss_map_objectclass	rfc2307objectclass	mapped_objectclass

# configure --enable-nds is no longer supported.
# NDS mappings
#nss_map_attribute uniqueMember member

# Services for UNIX 3.5 mappings
#nss_map_objectclass posixAccount User
#nss_map_objectclass shadowAccount User
#nss_map_attribute uid msSFU30Name
#nss_map_attribute uniqueMember msSFU30PosixMember
#nss_map_attribute userPassword msSFU30Password
#nss_map_attribute homeDirectory msSFU30HomeDirectory
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_objectclass posixGroup Group
#pam_login_attribute msSFU30Name
#pam_filter objectclass=User
#pam_password ad

# configure --enable-mssfu-schema is no longer supported.
# Services for UNIX 2.0 mappings
#nss_map_objectclass posixAccount User
#nss_map_objectclass shadowAccount user
#nss_map_attribute uid msSFUName
#nss_map_attribute uniqueMember posixMember
#nss_map_attribute userPassword msSFUPassword
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_attribute shadowLastChange pwdLastSet
#nss_map_objectclass posixGroup Group
#nss_map_attribute cn msSFUName
#pam_login_attribute msSFUName
#pam_filter objectclass=User
#pam_password ad

# RFC 2307 (AD) mappings
#nss_map_objectclass posixAccount user
#nss_map_objectclass shadowAccount user
#nss_map_attribute uid sAMAccountName
#nss_map_attribute homeDirectory unixHomeDirectory
#nss_map_attribute shadowLastChange pwdLastSet
#nss_map_objectclass posixGroup group
#nss_map_attribute uniqueMember member
#pam_login_attribute sAMAccountName
#pam_filter objectclass=User
#pam_password ad

# configure --enable-authpassword is no longer supported
# AuthPassword mappings
#nss_map_attribute userPassword authPassword

# AIX SecureWay mappings
#nss_map_objectclass posixAccount aixAccount
#nss_base_passwd ou=aixaccount,?one
#nss_map_attribute uid userName
#nss_map_attribute gidNumber gid
#nss_map_attribute uidNumber uid
#nss_map_attribute userPassword passwordChar
#nss_map_objectclass posixGroup aixAccessGroup
#nss_base_group ou=aixgroup,?one
#nss_map_attribute cn groupName
#nss_map_attribute uniqueMember member
#pam_login_attribute userName
#pam_filter objectclass=aixAccount
#pam_password clear

# Netscape SDK LDAPS
#ssl on

# Netscape SDK SSL options
#sslpath /etc/ssl/certs

# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
#ssl start_tls
#ssl on

# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is to use libldap's default behavior, which can be configured in
# /etc/openldap/ldap.conf using the TLS_REQCERT setting.  The default for
# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
#tls_checkpeer yes

# CA certificates for server certificate verification
# At least one of these are required if tls_checkpeer is "yes"
#tls_cacertfile /etc/ssl/ca.cert
#tls_cacertdir /etc/ssl/certs

# Seed the PRNG if /dev/urandom is not provided
#tls_randfile /var/run/egd-pool

# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1

# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key

# Disable SASL security layers. This is needed for AD.
#sasl_secprops maxssf=0

# Override the default Kerberos ticket cache location.
#krb5_ccname FILE:/etc/.ldapcache

# SASL mechanism for PAM authentication - use is experimental
# at present and does not support password policy control
#pam_sasl_mech DIGEST-MD5
uri ldap://ds02.ml.com/
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5


--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
 
Old 11-08-2010, 05:43 PM
"Morris, Patrick"
 
Default SSH AllowGroups and LDAP authentication

On 11/8/2010 8:56 AM, Allan Hougham wrote:

> I need help with this issue. I am setting up sshd_config with "AllowGroups" but I can't authenticate with LDAP; the groups are set up. This is my configuration:
>
> Do you have any tutorial or guide for setting up SSH authentication groups with LDAP?
>
> This is the mistake, but the user ahougham is in the "Search" group:
>
> [root@ds03 log]# tail -f secure
> Nov  6 04:09:33 ds03 sshd[7055]: User ahougham from 10.10.38.27 not allowed because none of user's groups are listed in AllowGroups

Assuming your system is set up to use LDAP groups (usually via PAM, so make sure SSH is configured to use PAM), you don't need to do anything special to use AllowGroups.

What does "groups ahougham" show on that box? Is that user in an allowed group?



 
Old 11-09-2010, 12:36 PM
Allan Hougham
 
Default SSH AllowGroups and LDAP authentication

Hi Patrick,

> What does "groups ahougham" show on that box? Is that user in an allowed group?

ahougham is a user in the "Search" group.

Do I need another parameter or any additional setting? Do you have any tutorial with this configuration, and what parameters do I need in the PAM file?

Thanks!

Allan
 
Old 11-09-2010, 04:50 PM
"Morris, Patrick"
 
Default SSH AllowGroups and LDAP authentication

On 11/9/2010 5:36 AM, Allan Hougham wrote:

> Hi Patrick,
>
> > What does "groups ahougham" show on that box? Is that user in an allowed group?
>
> ahougham is a user in the "Search" group.
>
> Do I need another parameter or any additional setting? Do you have any tutorial with this configuration, and what parameters do I need in the PAM file?

I'm not sure multiple "AllowGroups" directives are allowed.

From "man sshd_config":

    AllowGroups
            This keyword can be followed by a list of group name patterns,
            separated by spaces.

The way you have things set up, my guess is that it will only allow access to the "Question" group, since that line appears last and will probably overwrite all of the earlier ones.




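As an added example (not code from the thread or from OpenSSH), a small Python checker for the two things the replies above ask about: which groups NSS actually reports for the account (the `groups ahougham` check) and whether any of them satisfies the AllowGroups patterns. It assumes, from how OpenSSH's servconf.c collects the directive, that every AllowGroups line appends to one pattern list, and applies the sshd_config(5) PATTERNS rules ('*', '?', '!' negation); Match blocks are not modelled, and the config fragment and group lists are constructed from what Allan posted.

```python
"""Added example, not code from the thread or from OpenSSH: list which of a
user's NSS-visible groups satisfy an sshd_config AllowGroups policy."""
import fnmatch
import grp
import os
import pwd
from typing import List

# Constructed fragment copied from the layout Allan posted (not a real server file).
POSTED_CONFIG = """\
Port 22
AllowGroups root ref
AllowGroups Bids ref
AllowGroups Search ref
AllowGroups Question ref
UsePAM yes
"""


def allow_group_patterns(config_text: str) -> List[str]:
    """Collect every AllowGroups argument in file order.
    Assumption: each AllowGroups line appends its arguments to one list, the
    way OpenSSH's servconf.c stores them, so several lines behave like one
    long line. Match blocks are not modelled."""
    patterns: List[str] = []
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if parts and parts[0].lower() == "allowgroups":
            patterns.extend(parts[1:])
    return patterns


def match_pattern_list(name: str, pattern_list: str) -> int:
    """sshd_config(5) PATTERNS: a comma-separated list of '*'/'?' globs, each
    optionally negated with '!'. Returns -1 if a negated pattern matches,
    1 if a positive pattern matches, 0 if nothing matches."""
    positive = 0
    for pat in pattern_list.split(","):
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(name, pat[1:]):
                return -1
        elif fnmatch.fnmatchcase(name, pat):
            positive = 1
    return positive


def groups_match(user_groups: List[str], pattern_list: str) -> bool:
    """One AllowGroups argument against all of a user's groups: a negated
    match on any group rejects the argument outright."""
    found = False
    for group in user_groups:
        result = match_pattern_list(group, pattern_list)
        if result == -1:
            return False
        if result == 1:
            found = True
    return found


def matching_groups(user_groups: List[str], patterns: List[str]) -> List[str]:
    """The user's groups that earn access under at least one argument."""
    matched: List[str] = []
    for pattern_list in patterns:
        if not groups_match(user_groups, pattern_list):
            continue
        for group in user_groups:
            if match_pattern_list(group, pattern_list) == 1 and group not in matched:
                matched.append(group)
    return matched


def user_allowed(user_groups: List[str], config_text: str) -> bool:
    """No AllowGroups at all means no group restriction; otherwise at least
    one of the user's groups has to match."""
    patterns = allow_group_patterns(config_text)
    return True if not patterns else bool(matching_groups(user_groups, patterns))


def nss_groups(username: str) -> List[str]:
    """What sshd actually sees: the primary group plus the supplementary groups
    NSS returns (an LDAP group only counts if nss_ldap reports it). This is the
    same information as the `groups <user>` check suggested in the thread."""
    pw = pwd.getpwnam(username)
    names = []
    for gid in os.getgrouplist(username, pw.pw_gid):
        try:
            names.append(grp.getgrgid(gid).gr_name)
        except KeyError:
            names.append(str(gid))  # gid with no resolvable name
    return names


if __name__ == "__main__":
    import sys
    user = sys.argv[1] if len(sys.argv) > 1 else "ahougham"
    try:
        groups = nss_groups(user)
    except KeyError:
        sys.exit(f"{user}: not resolvable through NSS (check nsswitch.conf and nss_ldap)")
    print(f"{user} groups via NSS: {groups}")
    print("groups satisfying AllowGroups:",
          matching_groups(groups, allow_group_patterns(POSTED_CONFIG)))
```

Run it on the server as `python3 check_allowgroups.py ahougham`; if NSS returns only the primary group, sshd never sees the LDAP group no matter how AllowGroups is written.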
 
Old 11-15-2010, 05:00 PM
Allan Hougham
 
Default SSH AllowGroups and LDAP authentication

Hi,

I need to authenticate LDAP groups, but I can't.

Can anybody get this feature working? Or map users to groups and then configure the LDAP client?

What are the steps for setting up LDAP clients with LDAP groups?

Thanks a lot!

Allan


 
Old 11-16-2010, 07:45 AM
Daniel Maher
 
Default SSH AllowGroups and LDAP authentication

On 11/15/2010 07:00 PM, Allan Hougham wrote:
> Hi,
>
> I need to authenticate LDAP groups, but I can't.
> Can anybody get this feature working? Or map users to groups and
> then configure the LDAP client?
> What are the steps for setting up LDAP clients with LDAP groups?

Hello,

It must be stated that this is a PAM question, not an LDAP question.
The PAM mailing list is here:
https://listman.redhat.com/mailman/listinfo/pam-list

That said, we handle LDAP group authentication in PAM via the listfile
module; it may be interesting for your needs as well:
http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-pam_listfile.html


--
Daniel Maher <dma + 389users AT witbe DOT net>
 
Old 11-16-2010, 07:53 AM
Andrey Ivanov
 
Default SSH AllowGroups and LDAP authentication

Hi,

you can use pam_groupdn in /etc/ldap.conf to restrict the users having
access to a given workstation. Only the users who belong to a given
group will be able to log in, e.g.:

pam_groupdn cn=Allowed Workstation Login in bld 14,ou=Somewhere,dc=example,dc=com


@+


 
Old 11-16-2010, 05:15 PM
"Morris, Patrick"
 
Default SSH AllowGroups and LDAP authentication

On 11/15/2010 10:00 AM, Allan Hougham wrote:

> Hi,
>
> I need to authenticate LDAP groups, but I can't.
>
> Can anybody get this feature working? Or map users to groups and then configure the LDAP client?
>
> What are the steps for setting up LDAP clients with LDAP groups?

Did you see my last reply on this? I'm pretty sure you'd specified AllowGroups incorrectly in your SSH configuration.

Assuming you have your groups set up correctly and SSH is using PAM, there is no difference between configuring SSH to use LDAP groups and configuring it to use local ones.



 
Old 11-17-2010, 07:08 PM
Allan Hougham
 
Default SSH AllowGroups and LDAP authentication

Hi Patrick,

This is my sshd_config, and my groups:

AllowGroups root ref
AllowGroups Bids ref
AllowGroups Search ref

Thanks in advance

#	$OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

Port 22
#Protocol 2,1
Protocol 2
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
LogLevel DEBUG

# Authentication:

#LoginGraceTime 2m
LoginGraceTime 1m
PermitRootLogin yes
#PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
MaxAuthTries 6

AllowGroups root ref
AllowGroups Bids ref
AllowGroups Search ref

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile	.ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
PermitEmptyPasswords no
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# PasswordAuthentication, PermitEmptyPasswords, and
# "PermitRootLogin without-password". If you just want the PAM account and
# session checks to run without PAM authentication, then enable this but set
# ChallengeResponseAuthentication=no
#UsePAM no
UsePAM yes

# Accept locale-related environment variables

#AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
#AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
#AcceptEnv LC_IDENTIFICATION LC_ALL

#AllowTcpForwarding yes
AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no

# no default banner path
#Banner /some/path

# override default of no subsystems
Subsystem	sftp	/usr/libexec/openssh/sftp-server

 
Old 11-17-2010, 07:22 PM
"Morris, Patrick"
 
Default SSH AllowGroups and LDAP authentication

Again, try listing them all on one line.  SSH is probably only
looking at one of them.

From man sshd_config:

    AllowGroups
            This keyword can be followed by a list of group name patterns,
            separated by spaces.





On 11/17/2010 12:08 PM, Allan Hougham wrote:


Hi Patrick,

*

This is my sshd_conf, and my groups:

*

AllowGroups root ref

AllowGroups Bids ref

AllowGroups Search ref

*

*

Thanks in advance

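An added check for the situation the two posts above go back and forth over. This is example code written for this archive page, not from the thread and not OpenSSH code: a small shell model of the AllowGroups decision, run against a constructed sshd_config fragment and constructed group lists. The one thing it relies on is how sshd actually decides: it compares the AllowGroups patterns (shell-style globs, case-sensitive) against the user's primary and supplementary groups as returned by NSS on the SSH server, which is exactly what `id -Gn USER` prints there. So if the LDAP group is not visible to NSS on ds03, the login is refused with "none of user's groups are listed in AllowGroups" no matter how the directive is written. The user and group names are taken from the thread; the `CONFIG` text and the three `GROUPS_*` lists are made up for the demonstration; sshd's `!pattern` negation and the `Keyword=value` spelling are not modelled.

```sh
#!/bin/sh
# Added example, not OpenSSH code: a small model of the AllowGroups check so
# it can be exercised against a constructed config and constructed group
# lists. sshd compares the patterns against the primary and supplementary
# groups that NSS returns for the user, i.e. what `id -Gn USER` prints on
# the SSH server itself, so an LDAP group that NSS does not resolve there is
# invisible to AllowGroups however the directive is written.

# Constructed sshd_config fragment (the one-line form suggested in the
# thread, plus a comment and a commented-out directive the parser must skip).
CONFIG='# restrict interactive logins to these groups
#AllowGroups wheel
AllowGroups root Bids Search ref'

# Read an sshd_config on stdin and print each AllowGroups pattern on its
# own line. Comments and leading whitespace are dropped; the keyword is
# matched case-insensitively, as sshd does. The "Keyword=value" spelling
# sshd also accepts is not handled here.
allowgroups_patterns() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' |
    awk 'tolower($1) == "allowgroups" { for (i = 2; i <= NF; i++) print $i }'
}

# Same list, space-joined on one line (what you would expect `sshd -T` to show).
effective_allowgroups() {
    printf '%s\n' "$1" | allowgroups_patterns | tr '\n' ' ' | sed 's/ $//'
}

# user_allowed "<user's groups, space-separated>" PATTERN...
# Returns 0 when any group matches any pattern. Matching is shell-glob
# style ("Se*" matches "Search") and case-sensitive: "search" does not
# match "Search". sshd's "!pattern" negation is not modelled.
user_allowed() {
    ugroups=$1; shift
    for g in $ugroups; do
        for pat in "$@"; do
            case $g in $pat) return 0 ;; esac
        done
    done
    return 1
}

# check_login "<config>" "<user's groups>" -> prints allowed | denied
check_login() {
    set -- "$2" $(printf '%s\n' "$1" | allowgroups_patterns)
    # No AllowGroups directive at all means sshd applies no group restriction.
    [ $# -eq 1 ] && { echo allowed; return; }
    if user_allowed "$@"; then echo allowed; else echo denied; fi
}

# Constructed group lists standing in for `id -Gn ahougham` on the server.
GROUPS_LDAP_VISIBLE='ahougham Search'   # NSS resolves the LDAP group
GROUPS_LDAP_MISSING='ahougham'          # only the primary group comes back
GROUPS_WRONG_CASE='ahougham search'     # group exists but the case differs

main() {
    echo "effective AllowGroups: $(effective_allowgroups "$CONFIG")"
    for gl in "$GROUPS_LDAP_VISIBLE" "$GROUPS_LDAP_MISSING" "$GROUPS_WRONG_CASE"; do
        printf 'groups [%s] -> %s\n' "$gl" "$(check_login "$CONFIG" "$gl")"
    done
}
main
```

On the real server the equivalent checks are `id -Gn ahougham` and `getent group Search`: if "Search" does not show up there, the LDAP client side needs fixing first (a `group: files ldap` line in /etc/nsswitch.conf, and a group entry the NSS LDAP module maps, by default a posixGroup with a gidNumber), because sshd can only match what NSS hands it. On OpenSSH 5.1 and later, `sshd -T | grep -i allowgroups` prints the list sshd actually ended up with, which settles any question about how repeated AllowGroups lines were read.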
 
