Força OpenSSH / pam / pam_ldapd a fazer pam_ldapd (sshd: auth) com autenticação de chave pública

2

Eu tenho autenticação de trabalho pam_ldap usando libpam_ldapd. Estou usando o slapo-nssov e quero usar o atributo loginStatus que é adicionado à entrada ldap dos usuários após a abertura da sessão pam e excluído quando está fechado. Ele funciona apenas com autenticação de senha ssh. Eu acho que há algo ignorado no pam quando eu uso a chave pública em vez da senha - não há pam_ldap(sshd:auth) nslcd authentication; user=user registro no auth.log e nssov não tem informações sobre o usuário e seu DN para atualizar a sessão. Essa é provavelmente a razão pela qual o atributo loginStatus não é adicionado para a entrada do usuário ldap. Existe alguma chance de forçar o pam a fazer o sshd: auth quando a autenticação de chave pública é usada?

Conexão ssh bem-sucedida pela senha do usuário:

Apr  8 10:41:57 host sshd[14511]: pam_ldap(sshd:auth): nslcd authentication; user=jindraj
Apr  8 10:41:57 host sshd[14511]: pam_ldap(sshd:auth): authentication succeeded
Apr  8 10:41:57 host sshd[14511]: pam_ldap(sshd:account): nslcd authorisation; user=jindraj
Apr  8 10:41:57 host sshd[14511]: pam_ldap(sshd:account): authorization succeeded
Apr  8 10:41:57 host sshd[14511]: Accepted password for jindraj from 10.255.0.5 port 60889 ssh2: RSA 5c:f6:86:ec:06:b6:4d:ed:e5:34:23:66:78:a0:16:2b
Apr  8 10:41:57 host sshd[14511]: pam_selinux(sshd:session): Open Session
Apr  8 10:41:57 host sshd[14511]: pam_unix(sshd:session): session opened for user jindraj by (uid=0)
Apr  8 10:41:57 host sshd[14511]: pam_ldap(sshd:session): nslcd session open; user=jindraj
Apr  8 10:41:57 host sshd[14511]: pam_ldap(sshd:session): session open succeeded; session_id=1428482517
Apr  8 10:41:57 host login[14524]: pam_ldap(login:account): nslcd authorisation; user=jindraj
Apr  8 10:41:57 host login[14524]: pam_ldap(login:account): authorization succeeded
Apr  8 10:41:57 host login[14524]: pam_unix(login:session): session opened for user jindraj by (uid=0)
Apr  8 10:41:57 host login[14524]: pam_ldap(login:session): nslcd session open; user=jindraj
Apr  8 10:41:57 host login[14524]: pam_ldap(login:session): error reading from nslcd: Connection reset by peer
Apr  8 10:41:57 host login[14524]: pam_ldap(login:session): nslcd session open; user=jindraj
Apr  8 10:41:57 host login[14524]: pam_ldap(login:session): error reading from nslcd: Connection reset by peer

slapd.log grepped para nssov_pam quando logado em ssh usando senha:

Apr  8 14:33:00 sudo slapd[4004]: nssov_pam_authc(jindraj)
Apr  8 14:33:00 sudo slapd[4004]: nssov_pam_authz(cn=jakub jindra,ou=people,dc=socialbakers,dc=com)
Apr  8 14:33:00 sudo slapd[4004]: nssov_pam_sess_o(cn=jakub jindra,ou=people,dc=socialbakers,dc=com)
Apr  8 14:33:00 sudo slapd[4004]: nssov_pam_authz()
Apr  8 14:33:00 sudo slapd[4004]: nssov_pam_sess_o()
Apr  8 14:33:00 sudo slapd[4004]: nssov_pam_sess_o()

Conexão ssh bem-sucedida por usuários de chave pública

Apr  8 10:41:32 host sshd[14389]: pam_ldap(sshd:account): nslcd authorisation; user=jindraj
Apr  8 10:41:32 host sshd[14389]: pam_ldap(sshd:account): authorization succeeded
Apr  8 10:41:32 host sshd[14389]: Accepted publickey for jindraj from 10.255.0.5 port 60888 ssh2: RSA 5c:f6:86:ec:06:b6:4d:ed:e5:34:23:66:78:a0:16:2b
Apr  8 10:41:32 host sshd[14389]: pam_selinux(sshd:session): Open Session
Apr  8 10:41:32 host sshd[14389]: pam_unix(sshd:session): session opened for user jindraj by (uid=0)
Apr  8 10:41:32 host sshd[14389]: pam_ldap(sshd:session): nslcd session open; user=jindraj
Apr  8 10:41:32 host sshd[14389]: pam_ldap(sshd:session): error reading from nslcd: Connection reset by peer
Apr  8 10:41:32 host sshd[14389]: pam_ldap(sshd:session): nslcd session open; user=jindraj
Apr  8 10:41:32 host sshd[14389]: pam_ldap(sshd:session): error reading from nslcd: Connection reset by peer
Apr  8 10:41:32 host sshd[14389]: pam_selinux(sshd:session): Open Session
Apr  8 10:41:32 host sshd[14389]: pam_selinux(sshd:session): SELinux is not enabled
Apr  8 10:41:32 host login[14420]: pam_ldap(login:account): nslcd authorisation; user=jindraj
Apr  8 10:41:32 host login[14420]: pam_ldap(login:account): authorization succeeded
Apr  8 10:41:32 host login[14420]: pam_unix(login:session): session opened for user jindraj by (uid=0)
Apr  8 10:41:32 host login[14420]: pam_ldap(login:session): nslcd session open; user=jindraj
Apr  8 10:41:32 host login[14420]: pam_ldap(login:session): error reading from nslcd: Connection reset by peer
Apr  8 10:41:32 host login[14420]: pam_ldap(login:session): nslcd session open; user=jindraj
Apr  8 10:41:32 host login[14420]: pam_ldap(login:session): error reading from nslcd: Connection reset by peer

slapd.log grepped para nssov_pam quando logado em ssh usando publickey:

Apr  8 14:32:54 sudo slapd[4004]: nssov_pam_authz()
Apr  8 14:32:54 sudo slapd[4004]: nssov_pam_sess_o()
Apr  8 14:32:54 sudo slapd[4004]: nssov_pam_sess_o()
Apr  8 14:32:54 sudo slapd[4004]: nssov_pam_authz()
Apr  8 14:32:54 sudo slapd[4004]: nssov_pam_sess_o()
Apr  8 14:32:54 sudo slapd[4004]: nssov_pam_sess_o()

Aqui está o meu perfil auth-client-config. Ele deve fornecer informações sobre como é a configuração do meu nsswitch e pam:

[ldap]
nss_passwd=passwd: files ldap
nss_group=group: files ldap
nss_shadow=shadow: files
nss_netgroup=netgroup: nis
nss_hosts=hosts: files cache dns
nss_services=services: files ldap
nss_sudoers=sudoers: files ldap
pam_auth=auth   required    pam_env.so
         auth   sufficient  pam_unix.so likeauth nullok
         auth   sufficient  pam_ldap.so minimum_uid=10000 use_first_pass debug
         auth   required    pam_deny.so
pam_account=account sufficient  pam_unix.so
            account sufficient  pam_ldap.so minimum_uid=10000 debug
            account required    pam_deny.so
pam_password=password   sufficient  pam_unix.so nullok md5 shadow use_authtok
             password   sufficient  pam_ldap.so minimum_uid=10000 try_first_pass debug
             password   required    pam_deny.so
pam_session=session required    pam_limits.so
            session required    pam_unix.so
            session sufficient  pam_ldap.so use_authtok debug
            session required    pam_mkhomedir.so skel=/etc/skel umask=0022

Meu ambiente:

  • Ubuntu 14.04 LTS
  • OpenSSH_6.6.1p1 Ubuntu-2ubuntu2, OpenSSL 1.0.1f 6 de janeiro de 2014
  • libpam_ldapd 0.8.13-3
  • libnss_ldapd 0.8.13-3
  • openldap 2.4.31 com nssov
por Jakub Jindra 08.04.2015 / 14:42

0 respostas