
How can I do ssh (with pubkey on the same machine) in Solaris 10 connected to LDAP

Stickos
Stickos Member Posts: 7

Hi community! :)

First, I wish you a happy new year!

I have a question about Solaris 10 (I know it is an ooooold system)

So, I have connected a LDAP (OpenLDAP, LDAPv3) to my Solaris 10.

Authentication with LDAP is good (cf sshd_config) and I think my pam.conf is good too (cf pam.conf) because I managed to connect with LDAP users. However, we have allowed access to some users to other users through an ssh key on the same machine (cf example).

Unfortunately, in this situation I cannot connect to this user.

Example on server A:

ssh-keygen -t rsa

Copy/paste my pubkey on /home/user2/.ssh/authorized_keys

With my user1 :

ssh -X [email protected]

Connection closed by 127.0.0.1  :(

Does someone have an idea?

Regards

Adrien

Answers

  • Stickos
    Stickos Member Posts: 7

    I added verbose output with ssh -vvv -X [email protected]

    Regards

    Adrien

  • Nik
    Nik Member Posts: 2,746 Bronze Crown

    Hi.

    According to the log, the ssh server accepts this key.

    debug2: we sent a publickey packet, wait for reply
    debug1: Server accepts key: pkalg ssh-rsa blen 149 lastkey 6cc00 hint 1
    debug2: input_userauth_pk_ok: fp ce:cb:ef:3b:80:1b:03:c1:3d:fd:73:e0:f1:b3:7e:81
    debug1: read PEM private key done: type RSA
    Connection closed by 127.0.0.1
    

    Try temporarily moving /home/user1/.ssh/id_rsa to another location. Can user1 log in as user2 via password?

    Regards,

    Nik

  • Stickos
    Stickos Member Posts: 7

    Hi Nik,

    Thanks for reply.

    I already tried moving /home/user1/.ssh/id_rsa to another location, but I have the same issue.

    "Can user1 log in as user2 via password?" I have no password set for user2 in my LDAP, so I just want to connect to it only with an ssh key.

    Regards

    Adrien

  • Nik
    Nik Member Posts: 2,746 Bronze Crown

    Hi.

    As you did not set a user password in LDAP, it means that the user has an empty password, but sshd_config does not allow such users:

    PermitEmptyPasswords no

    Try setting a password for this user.


    Regards,

    Nik

  • Stickos
    Stickos Member Posts: 7

    Hi,

    It's more tricky for my need. I don't have a password field in my LDAP and I don't want one for this user because putting a password to a user (which is special) is considered a security breach if the password is cracked. I would only like to log in with a public key.

    I have already tried changing PermitEmptyPasswords to yes or no, but it didn't work. :(

    Regards

    Adrien

  • Nik
    Nik Member Posts: 2,746 Bronze Crown

    Hi.

    Try checking the system logs to find the reason for the session disconnect.

    You can also use truss on sshd to check what it does.

    What shell is configured for user2?

    Also, it is not clear what the reason for this configuration is (login on the same machine as a user that cannot set a password).

    pam_unix_account.so.1 will check that the user password is not expired, does not require a change, etc. I am not sure that this can work without a password.


    Regards,

    Nik

  • Stickos
    Stickos Member Posts: 7

    Nik,

    Thanks again for your help.

    Shell for user2: /bin/bash

    Shell for user1: /bin/bash

    "Also, it is not clear what the reason for this configuration is (login on the same machine as a user that cannot set a password)."

    => Because I want to connect with my user1 on my machine (user1 is an LDAP user with a password) and do ssh -X [email protected] in order to keep user2's environment (.Xauthority / .login for example), but I want to connect to user2 only on this machine and only by ssh key (I know it is a really strange configuration, but it is what we need... :/ )

    "pam_unix_account.so.1 will check that the user password is not expired, does not require a change, etc. I am not sure that this can work without a password." But it is necessary for my user1, right?

    Regards

    Adrien

  • Nik
    Nik Member Posts: 2,746 Bronze Crown
    edited January 20

    Adrien,

    You are trying to apply different auth rules for different users on the same system.

    It's impossible with standard modules (IMHO), because you would need the capability to specify which rules apply for which users.

    Look at the command sudo. This command is not bundled with Solaris 10.

    Regards,

    Nik

  • Stickos
    Stickos Member Posts: 7

    Nik,

    I don't understand why this is not possible :(

    For example, on other distributions I was able to do these manipulations and it works with public keys. I'm no longer thinking of a very specific sshd or pam configuration but I can't find the information.

    Do you have any other ideas?

    Context:

    In LDAP:

    user1 with password field (so with password set)

    user2 without password field (so without password but not blank/empty)

    In Solaris:

    user1's pubkey in user2's authorized_keys (with correct chmod for these users)

    ssh [email protected]

    password: <user1's password>

    bash3.2: pwd

    bash3.2: /home/user1

    bash3.2: ssh -X [email protected]

    Connection closed 127.0.0.1

    Regards

    Adrien

  • Nik
    Nik Member Posts: 2,746 Bronze Crown

    You should check the sshd logs (maybe configure them) or truss sshd to check which pam module or other reason causes the ssh disconnect.

  • Stickos
    Stickos Member Posts: 7

    Hi!

    After a few hours, a few days, a few weeks... we did it!!

    It is possible to link LDAP with users with/without a password! It is possible to put an ssh key in user1 and ssh user[email protected]!

    We have to modify pam.conf like: "login  auth sufficient    pam_unix_auth.so.1"

    "sufficient" was the keyword for all services (login, rlogin, ppp, other...) for the "pam_unix_auth.so.1" parameters!

    That was so huge!


    #
    # Authentication management
    #
    # login service (explicit because of pam_dial_auth)
    #
    login   auth requisite    pam_authtok_get.so.1
    login   auth required     pam_dhkeys.so.1
    login   auth required     pam_dial_auth.so.1
    login   auth required     pam_unix_cred.so.1
    login   auth sufficient   pam_unix_auth.so.1
    login   auth required     pam_ldap.so.1
    #
    # rlogin service (explicit because of pam_rhost_auth)
    #
    rlogin  auth sufficient   pam_rhosts_auth.so.1
    rlogin  auth requisite    pam_authtok_get.so.1
    rlogin  auth required     pam_dhkeys.so.1
    rlogin  auth required     pam_unix_cred.so.1
    rlogin  auth sufficient   pam_unix_auth.so.1
    rlogin  auth required     pam_ldap.so.1
    #
    # rsh service (explicit because of pam_rhost_auth,
    # and pam_unix_auth for meaningful pam_setcred)
    #
    rsh     auth sufficient   pam_rhosts_auth.so.1
    rsh     auth required     pam_unix_cred.so.1
    #
    # PPP service (explicit because of pam_dial_auth)
    #
    ppp     auth requisite    pam_authtok_get.so.1
    ppp     auth required     pam_dhkeys.so.1
    ppp     auth required     pam_dial_auth.so.1
    ppp     auth sufficient   pam_unix_auth.so.1
    ppp     auth required     pam_ldap.so.1
    #
    # Default definitions for Authentication management
    # Used when service name is not explicitly mentioned for authentication
    #
    other   auth requisite    pam_authtok_get.so.1
    other   auth required     pam_dhkeys.so.1
    other   auth required     pam_unix_cred.so.1
    other   auth sufficient   pam_unix_auth.so.1
    other   auth required     pam_ldap.so.1
    #
    # passwd command (explicit because of a different authentication module)
    #
    passwd  auth sufficient   pam_passwd_auth.so.1
    passwd  auth required     pam_ldap.so.1
    #
    # cron service (explicit because of non-usage of pam_roles.so.1)
    #
    cron    account required  pam_unix_account.so.1
    #
    # Default definition for Account management
    # Used when service name is not explicitly mentioned for account management
    #
    other   account requisite pam_roles.so.1
    other   account required  pam_unix_account.so.1
    #
    # Default definition for Session management
    # Used when service name is not explicitly mentioned for session management
    #
    other   session required  pam_unix_session.so.1
    #
    # Default definition for Password management
    # Used when service name is not explicitly mentioned for password management
    #
    other   password required  pam_dhkeys.so.1
    other   password requisite pam_authtok_get.so.1
    other   password requisite pam_authtok_check.so.1
    other   password required  pam_authtok_store.so.1
    #
    # Support for Kerberos V5 authentication and example configurations can
    # be found in the pam_krb5(5) man page under the "EXAMPLES" section.
    #

    Hope that helps other people!

    Regards

    Adrien
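As an added illustration (not code from the thread), a small Python model of the pam.conf(4) control-flag semantics applied to the "other auth" stack posted above; the module results are constructed assumptions rather than real PAM calls.

```python
# Model of pam.conf(4) control flags (requisite/required/sufficient) applied to
# the posted "other auth" stack. Module outcomes are constructed, not real PAM.
from typing import Dict, List, Tuple

Stack = List[Tuple[str, str]]  # (control flag, module name)

# The "other auth" stack exactly as posted (pam_unix_auth marked sufficient).
POSTED_STACK: Stack = [
    ("requisite",  "pam_authtok_get.so.1"),
    ("required",   "pam_dhkeys.so.1"),
    ("required",   "pam_unix_cred.so.1"),
    ("sufficient", "pam_unix_auth.so.1"),
    ("required",   "pam_ldap.so.1"),
]

# The same stack with pam_unix_auth as required, for comparison.
ALL_REQUIRED_STACK: Stack = [
    ("required" if flag == "sufficient" else flag, mod) for flag, mod in POSTED_STACK
]


def run_stack(stack: Stack, outcome: Dict[str, bool]) -> Tuple[bool, List[str]]:
    """Walk a PAM auth stack top to bottom.

    outcome maps module name -> True if that module would return success.
    requisite:  failure ends the stack immediately with failure.
    required:   failure is remembered, but the remaining modules still run.
    sufficient: success with no earlier required failure ends the stack with
                success; a failure is simply ignored.
    Returns (authenticated, modules that were actually consulted).
    """
    consulted: List[str] = []
    required_failed = False
    for flag, module in stack:
        consulted.append(module)
        ok = outcome.get(module, False)
        if flag == "requisite" and not ok:
            return False, consulted
        if flag == "required" and not ok:
            required_failed = True
        if flag == "sufficient" and ok and not required_failed:
            return True, consulted
    return not required_failed, consulted

# Constructed outcome for user2: no userPassword attribute in LDAP, so pam_ldap
# fails; every other module is assumed to succeed.
USER2_OUTCOME = {"pam_authtok_get.so.1": True, "pam_dhkeys.so.1": True,
                 "pam_unix_cred.so.1": True, "pam_unix_auth.so.1": True,
                 "pam_ldap.so.1": False}
```

Running both stacks against USER2_OUTCOME shows the difference: with pam_unix_auth required the stack fails at pam_ldap, while with it sufficient the stack succeeds and pam_ldap is never consulted. That short-circuit applies to every account pam_unix_auth accepts, so the LDAP module's checks are skipped for all of them, not only user2.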
