I use libpam_ldapd for pam_ldap authentication. I am using slapo-nssov and want to use the loginStatus attribute, which is added to the user's LDAP entry when a PAM session is opened and removed when it is closed. It only works with ssh password authentication. I think something in PAM is skipped when I use a public key instead of a password: the line
pam_ldap(sshd:auth) nslcd authentication; user=user
is not logged in auth.log, and nssov has no information about the user and their DN with which to update the session. That is probably why the loginStatus attribute is not added to the user's LDAP entry. Is there any way to force PAM to run sshd:auth when using public key authentication?
Successful ssh connection with the user's password:
Apr 8 10:41:57 host sshd[14511]: pam_ldap(sshd:auth): nslcd authentication; user=jindraj
Apr 8 10:41:57 host sshd[14511]: pam_ldap(sshd:auth): authentication succeeded
Apr 8 10:41:57 host sshd[14511]: pam_ldap(sshd:account): nslcd authorisation; user=jindraj
Apr 8 10:41:57 host sshd[14511]: pam_ldap(sshd:account): authorization succeeded
Apr 8 10:41:57 host sshd[14511]: Accepted password for jindraj from 10.255.0.5 port 60889 ssh2: RSA 5c:f6:86:ec:06:b6:4d:ed:e5:34:23:66:78:a0:16:2b
Apr 8 10:41:57 host sshd[14511]: pam_selinux(sshd:session): Open Session
Apr 8 10:41:57 host sshd[14511]: pam_unix(sshd:session): session opened for user jindraj by (uid=0)
Apr 8 10:41:57 host sshd[14511]: pam_ldap(sshd:session): nslcd session open; user=jindraj
Apr 8 10:41:57 host sshd[14511]: pam_ldap(sshd:session): session open succeeded; session_id=1428482517
Apr 8 10:41:57 host login[14524]: pam_ldap(login:account): nslcd authorisation; user=jindraj
Apr 8 10:41:57 host login[14524]: pam_ldap(login:account): authorization succeeded
Apr 8 10:41:57 host login[14524]: pam_unix(login:session): session opened for user jindraj by (uid=0)
Apr 8 10:41:57 host login[14524]: pam_ldap(login:session): nslcd session open; user=jindraj
Apr 8 10:41:57 host login[14524]: pam_ldap(login:session): error reading from nslcd: Connection reset by peer
Apr 8 10:41:57 host login[14524]: pam_ldap(login:session): nslcd session open; user=jindraj
Apr 8 10:41:57 host login[14524]: pam_ldap(login:session): error reading from nslcd: Connection reset by peer
slapd.log, filtered for nssov_pam, when logging in over ssh with a password:
Apr 8 14:33:00 sudo slapd[4004]: nssov_pam_authc(jindraj)
Apr 8 14:33:00 sudo slapd[4004]: nssov_pam_authz(cn=jakub jindra,ou=people,dc=socialbakers,dc=com)
Apr 8 14:33:00 sudo slapd[4004]: nssov_pam_sess_o(cn=jakub jindra,ou=people,dc=socialbakers,dc=com)
Apr 8 14:33:00 sudo slapd[4004]: nssov_pam_authz()
Apr 8 14:33:00 sudo slapd[4004]: nssov_pam_sess_o()
Apr 8 14:33:00 sudo slapd[4004]: nssov_pam_sess_o()
Successful ssh connection with the user's public key:
Apr 8 10:41:32 host sshd[14389]: pam_ldap(sshd:account): nslcd authorisation; user=jindraj
Apr 8 10:41:32 host sshd[14389]: pam_ldap(sshd:account): authorization succeeded
Apr 8 10:41:32 host sshd[14389]: Accepted publickey for jindraj from 10.255.0.5 port 60888 ssh2: RSA 5c:f6:86:ec:06:b6:4d:ed:e5:34:23:66:78:a0:16:2b
Apr 8 10:41:32 host sshd[14389]: pam_selinux(sshd:session): Open Session
Apr 8 10:41:32 host sshd[14389]: pam_unix(sshd:session): session opened for user jindraj by (uid=0)
Apr 8 10:41:32 host sshd[14389]: pam_ldap(sshd:session): nslcd session open; user=jindraj
Apr 8 10:41:32 host sshd[14389]: pam_ldap(sshd:session): error reading from nslcd: Connection reset by peer
Apr 8 10:41:32 host sshd[14389]: pam_ldap(sshd:session): nslcd session open; user=jindraj
Apr 8 10:41:32 host sshd[14389]: pam_ldap(sshd:session): error reading from nslcd: Connection reset by peer
Apr 8 10:41:32 host sshd[14389]: pam_selinux(sshd:session): Open Session
Apr 8 10:41:32 host sshd[14389]: pam_selinux(sshd:session): SELinux is not enabled
Apr 8 10:41:32 host login[14420]: pam_ldap(login:account): nslcd authorisation; user=jindraj
Apr 8 10:41:32 host login[14420]: pam_ldap(login:account): authorization succeeded
Apr 8 10:41:32 host login[14420]: pam_unix(login:session): session opened for user jindraj by (uid=0)
Apr 8 10:41:32 host login[14420]: pam_ldap(login:session): nslcd session open; user=jindraj
Apr 8 10:41:32 host login[14420]: pam_ldap(login:session): error reading from nslcd: Connection reset by peer
Apr 8 10:41:32 host login[14420]: pam_ldap(login:session): nslcd session open; user=jindraj
Apr 8 10:41:32 host login[14420]: pam_ldap(login:session): error reading from nslcd: Connection reset by peer
slapd.log, filtered for nssov_pam, when logging in over ssh with a public key:
Apr 8 14:32:54 sudo slapd[4004]: nssov_pam_authz()
Apr 8 14:32:54 sudo slapd[4004]: nssov_pam_sess_o()
Apr 8 14:32:54 sudo slapd[4004]: nssov_pam_sess_o()
Apr 8 14:32:54 sudo slapd[4004]: nssov_pam_authz()
Apr 8 14:32:54 sudo slapd[4004]: nssov_pam_sess_o()
Apr 8 14:32:54 sudo slapd[4004]: nssov_pam_sess_o()
This is my auth-client-config profile. It should give you an idea of what my nsswitch and PAM configuration looks like:
[ldap]
nss_passwd=passwd: files ldap
nss_group=group: files ldap
nss_shadow=shadow: files
nss_netgroup=netgroup: nis
nss_hosts=hosts: files cache dns
nss_services=services: files ldap
nss_sudoers=sudoers: files ldap
pam_auth=auth required pam_env.so
        auth sufficient pam_unix.so likeauth nullok
        auth sufficient pam_ldap.so minimum_uid=10000 use_first_pass debug
        auth required pam_deny.so
pam_account=account sufficient pam_unix.so
        account sufficient pam_ldap.so minimum_uid=10000 debug
        account required pam_deny.so
pam_password=password sufficient pam_unix.so nullok md5 shadow use_authtok
        password sufficient pam_ldap.so minimum_uid=10000 try_first_pass debug
        password required pam_deny.so
pam_session=session required pam_limits.so
        session required pam_unix.so
        session sufficient pam_ldap.so use_authtok debug
        session required pam_mkhomedir.so skel=/etc/skel umask=0022
My environment:
- Ubuntu 14.04 LTS
- OpenSSH_6.6.1p1 Ubuntu-2ubuntu2, OpenSSL 1.0.1f 6 Jan 2014
- libpam_ldapd 0.8.13-3
- libnss_ldapd 0.8.13-3
- openldap 2.4.31 with nssov
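To make the comparison between the two auth.log excerpts above mechanical rather than by eye, here is an added example (it is not code from the original post, nor from libpam_ldapd, nslcd or OpenSSH). It groups auth.log lines by sshd PID, records the accepted authentication method and which pam_ldap stacks (auth, account, session) ran for that PID, and flags logins that were accepted without the auth stack ever running. SAMPLE_LOG is the post's own auth.log excerpt, trimmed and embedded inline so the script runs offline; the function and field names are the example's own.

```python
"""Check which PAM stacks pam_ldap ran for each accepted sshd login.

Added example for this question, not code from the original post nor from
libpam_ldapd or OpenSSH.  Lines are grouped by sshd PID; for each PID we keep
the accepted authentication method and the pam_ldap phases seen, so a login
that was accepted without sshd:auth stands out.  SAMPLE_LOG is the post's own
auth.log excerpt, embedded here so the script runs offline.
"""
import re
from collections import defaultdict

# "Apr 8 10:41:57 host sshd[14511]: <message>" (one or two spaces after the month)
_SYSLOG = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+"
    r"(?P<prog>[\w.-]+)\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$"
)
# "pam_ldap(sshd:auth): nslcd authentication; user=jindraj" -> module, service, phase
_PAM = re.compile(r"^(?P<module>pam_\w+)\((?P<service>\w+):(?P<phase>\w+)\):\s*(?P<rest>.*)$")
# "Accepted publickey for jindraj from 10.255.0.5 port 60888 ssh2: ..."
_ACCEPTED = re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")

# Sample input: the post's auth.log lines (publickey login first, password login second).
SAMPLE_LOG = """\
Apr 8 10:41:32 host sshd[14389]: pam_ldap(sshd:account): nslcd authorisation; user=jindraj
Apr 8 10:41:32 host sshd[14389]: pam_ldap(sshd:account): authorization succeeded
Apr 8 10:41:32 host sshd[14389]: Accepted publickey for jindraj from 10.255.0.5 port 60888 ssh2: RSA 5c:f6:86:ec:06:b6:4d:ed:e5:34:23:66:78:a0:16:2b
Apr 8 10:41:32 host sshd[14389]: pam_selinux(sshd:session): Open Session
Apr 8 10:41:32 host sshd[14389]: pam_unix(sshd:session): session opened for user jindraj by (uid=0)
Apr 8 10:41:32 host sshd[14389]: pam_ldap(sshd:session): nslcd session open; user=jindraj
Apr 8 10:41:32 host sshd[14389]: pam_ldap(sshd:session): error reading from nslcd: Connection reset by peer
Apr 8 10:41:32 host sshd[14389]: pam_ldap(sshd:session): nslcd session open; user=jindraj
Apr 8 10:41:32 host sshd[14389]: pam_ldap(sshd:session): error reading from nslcd: Connection reset by peer
Apr 8 10:41:32 host login[14420]: pam_ldap(login:session): nslcd session open; user=jindraj
Apr 8 10:41:57 host sshd[14511]: pam_ldap(sshd:auth): nslcd authentication; user=jindraj
Apr 8 10:41:57 host sshd[14511]: pam_ldap(sshd:auth): authentication succeeded
Apr 8 10:41:57 host sshd[14511]: pam_ldap(sshd:account): nslcd authorisation; user=jindraj
Apr 8 10:41:57 host sshd[14511]: pam_ldap(sshd:account): authorization succeeded
Apr 8 10:41:57 host sshd[14511]: Accepted password for jindraj from 10.255.0.5 port 60889 ssh2: RSA 5c:f6:86:ec:06:b6:4d:ed:e5:34:23:66:78:a0:16:2b
Apr 8 10:41:57 host sshd[14511]: pam_unix(sshd:session): session opened for user jindraj by (uid=0)
Apr 8 10:41:57 host sshd[14511]: pam_ldap(sshd:session): nslcd session open; user=jindraj
Apr 8 10:41:57 host sshd[14511]: pam_ldap(sshd:session): session open succeeded; session_id=1428482517
""".splitlines()


def _new_conn():
    return {"user": None, "method": None, "phases": set(), "nslcd_errors": 0}


def correlate(lines, service="sshd"):
    """Map sshd PID -> accepted method/user, pam_ldap phases seen, nslcd read errors."""
    conns = defaultdict(_new_conn)
    for raw in lines:
        m = _SYSLOG.match(raw)
        if not m or m.group("prog") != service:
            continue                      # other programs (login, cron, ...) are not ours
        conn = conns[int(m.group("pid"))]
        msg = m.group("msg")
        acc = _ACCEPTED.match(msg)
        if acc:
            conn["method"], conn["user"] = acc.group("method"), acc.group("user")
            continue
        pam = _PAM.match(msg)
        if pam and pam.group("module") == "pam_ldap" and pam.group("service") == service:
            conn["phases"].add(pam.group("phase"))
            if "error reading from nslcd" in pam.group("rest"):
                conn["nslcd_errors"] += 1
    return dict(conns)


def logins_without_pam_auth(conns):
    """PIDs of accepted logins for which pam_ldap never ran the auth stack."""
    return sorted(pid for pid, c in conns.items() if c["method"] and "auth" not in c["phases"])


def report(lines):
    """One summary line per sshd PID, for a quick look in a terminal."""
    conns = correlate(lines)
    return [
        f"sshd[{pid}] user={c['user']} method={c['method']} "
        f"pam_ldap phases={sorted(c['phases'])} nslcd_errors={c['nslcd_errors']}"
        for pid, c in sorted(conns.items())
    ]


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
    print("accepted without sshd:auth:", logins_without_pam_auth(correlate(SAMPLE_LOG)))
```

Run against a real file with `correlate(open("/var/log/auth.log"))`. On the post's excerpt it reports `publickey` for sshd[14389] with only the account and session phases, and `password` for sshd[14511] with auth, account and session. That matches how OpenSSH uses PAM: with `UsePAM yes`, sshd calls the PAM auth stack (`pam_authenticate`) only for the password and keyboard-interactive methods, while a publickey login runs just the account and session stacks, so anything pam_ldap or nssov does in the auth phase never happens for key-based logins.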