nltommynl Absent Member.

AAF - Linux PAM module for SSH

Hello,

I was wondering if someone is willing to share his pam configuration file which works with the naaf pam client and ssh. Because mine isn't.

What I did so far:

1. Clean CentOS 7.3 install (CentOS Linux release 7.3.1611)
2. Joined AD
3. Installed and configured naaf linux pam client (naaf-linuxpamclient-centos-release-5.4.8.rpm)

Normal login works fine, but logins thru ssh will fail.

ssh administrator@10.0.1.115
administrator@10.0.1.115's password:
Authentication failed.

/var/log/messages:

May 21 21:58:46 vm4 kernel: sshd[2564]: segfault at 0 ip 00007f9464520586 sp 00007ffce6d34c48 error 4 in libc-2.17.so[7f94643ed000+1b6000]

/etc/pam.d/password-auth

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_fprintd.so
auth [success=done ignore=ignore default=die] /opt/pam_aucore/lib/pam_aucore.so

auth [default=1 success=ok] pam_localuser.so
auth [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so

account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so

password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
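How Linux-PAM walks the auth stack in the password-auth file posted above, as an added example that is not part of the original post or of the NAAF client. It models control flags only, not the sshd segfault, and the module return values passed to `evaluate()` are constructed inputs.

```python
import re
# Auth lines copied from the /etc/pam.d/password-auth posted above.
AUTH_STACK = """\
auth required pam_env.so
auth sufficient pam_fprintd.so
auth [success=done ignore=ignore default=die] /opt/pam_aucore/lib/pam_aucore.so
auth [default=1 success=ok] pam_localuser.so
auth [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
"""

# Keyword controls expanded to their bracket equivalents (pam.conf(5)).
KEYWORDS = {
    "required": {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite": {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional": {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

def parse(stack):
    entries = []  # [(module file name, {return value: action})]
    for line in stack.splitlines():
        m = re.match(r"-?auth\s+(\[[^\]]*\]|\S+)\s+(\S+)", line)
        if m:
            ctl, module = m.groups()
            acts = dict(p.split("=") for p in ctl[1:-1].split()) if ctl[0] == "[" else KEYWORDS[ctl]
            entries.append((module.rsplit("/", 1)[-1], acts))
    return entries

def evaluate(entries, results, unlisted="auth_err"):
    """Walk the stack; results maps module -> return value name (constructed input)."""
    state, called, i = None, [], 0  # state: None = undecided, True = ok, False = failed
    while i < len(entries):
        module, acts = entries[i]
        action = acts.get(results.get(module, unlisted), acts.get("default", "bad"))
        called.append(module)
        i += 1
        if action.isdigit():
            i += int(action)            # N: skip the next N modules
        elif action in ("bad", "die"):
            state = False
            if action == "die":
                break                   # stop at once; later modules never run
        elif action in ("ok", "done"):
            state = True if state is None else state  # never overrides a failure
            if action == "done" and state:
                break                   # success ends the stack immediately
    return bool(state), called
```

With `default=die` on pam_aucore.so, any return value other than success or ignore ends the auth stack before pam_unix.so or pam_sss.so are consulted.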
AutomaticReply Absent Member.

Re: AAF - Linux PAM module for SSH

nltommynl,

It appears that in the past few days you have not received a response to your
posting. That concerns us, and has triggered this automated reply.

These forums are peer-to-peer, best effort, and volunteer run. If your issue
is urgent or not getting a response, you might try one of the following options:

- Visit https://www.microfocus.com/support-and-services and search the knowledgebase and/or check
all the other self support options and support programs available.
- Open a service request: https://www.microfocus.com/support
- You could also try posting your message again. Make sure it is posted in the
correct newsgroup. (http://forums.microfocus.com)
- You might consider hiring a local partner to assist you.
https://www.partnernetprogram.com/partnerfinder/find.html

Be sure to read the forum FAQ about what to expect in the way of responses:
http://forums.microfocus.com/faq.php

Sometimes this automatic posting will alert someone that can respond.

If this is a reply to a duplicate posting or otherwise posted in error, please
ignore and accept our apologies and rest assured we will issue a stern reprimand
to our posting bot.

Good luck!

Your Micro Focus Forums Team
http://forums.microfocus.com

Micro Focus Contributor

Re: AAF - Linux PAM module for SSH

Can you please post your ssh config: /etc/ssh/sshd_config
and check openssl version installed?