Problem overview

Solaris 11 is configured to authenticate users with pam_ldap against an LDAP v3 compatible directory server. The Solaris host is configured to use LDAP for authentication only; it is not configured to use LDAP as a naming service.

When a valid user attempts to connect to the Solaris host over ssh, the pam_ldap module submits a BIND request to the LDAP server and receives a successful response. Solaris nevertheless denies the user access.

The problem to solve: how do I complete my PAM configuration so that users can authenticate to the Solaris host over ssh using their LDAP identity?

The user is a valid user that exists both on the host (in the /etc/passwd and /etc/shadow files) and in LDAP. The account is not locked in LDAP, and the user can authenticate (bind) to LDAP correctly:

$ ldapsearch -h <REMOVED> -p 389 -b ou=people,o=som,dc=com -D "uid=testuser,ou=people,o=som,dc=com" -W uid=testuser
LDAP Password:

dn: uid=testuser,ou=People,o=som,dc=com
uid: testuser
cn: Test User
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowInactive: 7
loginShell: /bin/bash
uidNumber: 1176
homeDirectory: /home/testuser
gecos: Test User
gidnumber: 501
shadowmax: 91
shadowmin: 7
shadowwarning: 28
userpassword:: <REMOVED>
shadowflag: 22352
shadowlastchange: 16115

Debug information

On the LDAP server you can see that the user authenticated successfully:

Search--bindDN: cn=proxyAgent,ou=Profile,o=som,dc=com--client: <REMOVED>:59874--connectionID: 88496--received: 2014-02-17-10:53:02.324-5:00--Success
    base: ou=people,o=som,dc=com
    scope: singleLevel
    derefAliases: derefAlways
    typesOnly: false
    filter: (&(objectclass=SOLARISUSERATTR)(uid=testuser))
    attributes: uid, SolarisUserQualifier, SolarisAttrReserved1, SolarisAttrReserved2, SolarisAttrKeyValue
    numberOfEntriesReturned: 0
AuditV3--2014-02-17-10:53:02.332-5:00--V3 Bind--bindDN: cn=proxyAgent,ou=Profile,o=som,dc=com--client: <REMOVED>:22262--connectionID: 103359--received: 2014-02-17-10:53:02.332-5:00--Success
    name: cn=proxyAgent,ou=Profile,o=som,dc=com
    authenticationChoice: simple

Search--bindDN: cn=proxyAgent,ou=Profile,o=som,dc=com--client: <REMOVED>:22262--connectionID: 103359--received: 2014-02-17-10:53:02.333-5:00--Success
    base: ou=people,o=som,dc=com
    scope: singleLevel
    derefAliases: derefAlways
    typesOnly: false
    filter: (&(objectclass=POSIXACCOUNT)(uid=testuser))
    numberOfEntriesReturned: 1

**Bind--bindDN: uid=testuser,ou=People,o=som,dc=com--client: <REMOVED>:12241--connectionID: 103360--received: 2014-02-17-10:53:02.335-5:00--Success
    name: uid=testuser,ou=People,o=som,dc=com
    authenticationChoice: simple**

Search--bindDN: cn=proxyAgent,ou=Profile,o=som,dc=com--client: <REMOVED>:59874--connectionID: 88496--received: 2014-02-17-10:53:02.985-5:00--Success
    base: ou=people,o=som,dc=com
    scope: singleLevel
    derefAliases: derefAlways
    typesOnly: false
    filter: (&(objectclass=POSIXACCOUNT)(uidnumber=10011))
    attributes: cn, uid, uidNumber, gidNumber, gecos, description, homeDirectory, loginShell
    numberOfEntriesReturned: 1

Logging in to the Solaris host from a client shows that the PAM LDAP module submitted the user's credentials. However, although the LDAP server returned success for the BIND operation, Solaris reports that authentication failed. Note the use of sshd-kbdint.

 [auth.info] reprocess config line 160: ignoring RhostsRSAAuthentication option value. SSHv1 protocol is no longer supported in the server, please remove the option.
 [auth.info] reprocess config line 167: ignoring RSAAuthentication option value. SSHv1 protocol is no longer supported in the server, please remove the option.
 [auth.notice] Failed none for test user from <REMOVED> port 54650 ssh2
 [auth.debug] ldap pam_sm_authenticate(sshd-kbdint testuser), flags = 1 
 [auth.info] Keyboard-interactive (PAM) userauth failed[9] while authenticating: Authentication failed
 [auth.notice] Failed keyboard-interactive for test user from <REMOVED> port 54650 ssh2
 [auth.info] Connection closed by <REMOVED>

Configuration details

Solaris host (client)

/etc/ssh/sshd_config

Protocol 2
Port 22
ListenAddress ::
AllowTcpForwarding no
GatewayPorts no
X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes
MaxStartups 30:60:120
Banner /etc/issue
PrintMotd no
KeepAlive yes
ClientAliveInterval 120
ClientAliveCountMax 60
SyslogFacility auth
LogLevel info
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
ServerKeyBits 768
KeyRegenerationInterval 3600
StrictModes yes
LoginGraceTime 600
MaxAuthTries    3
MaxAuthTriesLog 0
PermitEmptyPasswords no
PasswordAuthentication yes
PAMAuthenticationViaKBDInt yes
PermitRootLogin yes
Subsystem       sftp    /usr/lib/ssh/sftp-server
IgnoreRhosts yes
RhostsAuthentication no
RhostsRSAAuthentication no
RSAAuthentication yes
KbdInteractiveAuthentication yes

The ldap client uses an ldapclient profile from the server.

$ ldapclient list

NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=proxyAgent,ou=Profile,o=som,dc=com
NS_LDAP_BINDPASSWD= <REMOVED>
NS_LDAP_SERVERS= HOST1-IP:389, HOST2-IP:389
NS_LDAP_SEARCH_BASEDN= o=som,dc=com
NS_LDAP_AUTH= simple
NS_LDAP_SERVER_PREF= HOST1:389, HOST2:389
NS_LDAP_PROFILE= default
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=people,o=som,dc=com
NS_LDAP_SERVICE_SEARCH_DESC= shadow:ou=people,o=som,dc=com
NS_LDAP_SERVICE_SEARCH_DESC= group:ou=group,o=som,dc=com?sub
NS_LDAP_ATTRIBUTEMAP= group:gidnumber=gidNumber
NS_LDAP_ATTRIBUTEMAP= passwd:gidnumber=gidNumber
NS_LDAP_ATTRIBUTEMAP= passwd:uidnumber=uidNumber
NS_LDAP_ATTRIBUTEMAP= passwd:homedirectory=homeDirectory
NS_LDAP_ATTRIBUTEMAP= passwd:loginshell=loginShell
NS_LDAP_ATTRIBUTEMAP= shadow:userpassword=userPassword
NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixAccount
NS_LDAP_OBJECTCLASSMAP= passwd:posixAccount=posixaccount
NS_LDAP_OBJECTCLASSMAP= group:posixGroup=posixgroup
NS_LDAP_SERVICE_AUTH_METHOD= pam_ldap:simple
NS_LDAP_ENABLE_SHADOW_UPDATE= TRUE

PAM configuration (pam.conf and pam.d services)

/etc/pam.conf (relevant portion only)

login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth required           pam_unix_cred.so.1
login   auth binding            pam_unix_auth.so.1 server_policy
login   auth required           pam_ldap.so.1 debug
login   auth required           pam_dial_auth.so.1

other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth required           pam_unix_cred.so.1
other   auth binding            pam_unix_auth.so.1 server_policy
other   auth required           pam_ldap.so.1 debug

/etc/pam.d/login (relevant portion only)

auth requisite          pam_authtok_get.so.1
auth required           pam_dhkeys.so.1
auth required           pam_unix_cred.so.1
auth binding            pam_unix_auth.so.1 server_policy
auth required           pam_ldap.so.1 debug
auth required           pam_dial_auth.so.1

/etc/pam.d/other (relevant portion only)

auth requisite          pam_authtok_get.so.1
auth required           pam_dhkeys.so.1
auth required           pam_unix_cred.so.1
auth binding            pam_unix_auth.so.1 server_policy
auth required           pam_ldap.so.1 debug

nsswitch.conf (modified with svccfg, which produced the following nsswitch.conf file)

passwd: files ldap
group:  files ldap
hosts:  files [SUCCESS=return] dns
ipnodes:        files [SUCCESS=return] dns
networks:       files
protocols:      files
rpc:    files
ethers: files
netmasks:       files
bootparams:     files
publickey:      files
netgroup:       files
automount:      files
aliases:        files
services:       files
printers:       user files
project:        files
auth_attr:      files
prof_attr:      files
tnrhtp: files
tnrhdb: files
sudoers:        files

LDAP server

This host acts as a client of Tivoli Directory Server v6.3 (ITDS). Assume all appropriate schema modifications have been made. (I have added all the necessary RFC2307bis, NIS and Solaris schema elements to ITDS.)

Answer 1

It turns out the problem was in /etc/pam.conf and the /etc/pam.d/* files.

By replacing every instance of "binding" on the pam_unix_auth.so.1 lines in those files with "sufficient", authentication now works. For example:

login   auth binding            pam_unix_auth.so.1 server_policy
login   auth required           pam_ldap.so.1 debug

should become

login   auth sufficient         pam_unix_auth.so.1 server_policy
login   auth required           pam_ldap.so.1 debug

Be sure to do this wherever you want to use LDAP authentication.
