Installing and configuring OpenSSH with pam_ldap for RedHat Enterprise Linux3
2009-02-14 03:55
(See also related documents at http://web.singnet.com.sg/~garyttt/)

Purpose: This document is one of the deliverables of the "OpenLDAP Centralized Authentication Project". The reader may also refer to its sister document titled "Installing and configuring OpenLDAP for RedHat Enterprise Linux 3".

This document describes the steps involved in installing and configuring an OpenSSH Server, which is also an OpenLDAP Client, with pam_ldap support on RedHat Enterprise Linux 3. This server is to be accessed by Windows/UNIX/Linux OpenSSH clients.

Another related document, "Deploying OpenLDAP Client by using automated scripts", describes the steps involved in building up an infrastructure environment for rapid deployment of the OpenLDAP Client.

NOTE: All the steps here are also applicable to RedHat Fedora Core 1/2 and RedHat Linux 9, as well as RHEL4/RHFC3.
Useful URLs:
· SUN's "System Administration Guide: Security Services - May 2002" (could be found at http://docs.sun.com)
· OpenSSH: http://www.openssh.org/
· OpenSSH LPK (LDAP Public Key) patch: http://www.opendarwin.org/en/projects/openssh-lpk
· OpenSSL: http://www.openssl.org/
· PAM: http://www.kernel.org/pub/linux/libs/pam/
· PAM_LDAP and NSS_LDAP: http://www.padl.com

Example used:
· NSS_LDAP and PAM_LDAP library path: /lib and /lib/security respectively
· OpenSSL install directory = /usr
· OpenLDAP install directory = /usr

Observed Issues:
· PuTTY SSH Protocol 1 Client DOES NOT WORK
· "su - uid" reports "incorrect password" despite correct password entry. I have found a fix, see "Tips" under Step 7; this "tip" is not required on an RHEL4/RHFC3 Client.
Step 1: Install nss_ldap 2.X.X and pam_ldap 1.X.X

This step is OPTIONAL and could be skipped if you intend to use the existing nss_ldap and pam_ldap libraries that already come with RHEL3.

IMPORTANT: It is highly recommended that these configuration steps be carried out at the LOCAL SYSTEM CONSOLE while logged in as root. ON TOP OF THIS, MULTIPLE REMOTE root sessions should be opened, so that in case of any incorrect configuration that messes up your system, it can be repaired.

For RedHat Linux systems, whenever a "su - user" or "su - root" issue occurs and you don't intend to continue troubleshooting, issue the command "authconfig" at one of these LOCAL or REMOTE root sessions and restore the original RedHat Linux authentication scheme (it will regenerate the original /etc/pam.d/system-auth file; press Ctrl-C if the screen appears frozen).

Login as 'root' at the console of the LDAP Client.

IMPORTANT NOTE: You must configure/install OpenLDAP prior to nss_ldap; if not, the "configure" command shown below will complain about "LDAP Library not found", as the type of LDAP library is defined as "openldap".

Build nss_ldap from source:
# cd /var/tmp
# tar xvf nss_ldap.tar
# cd nss_ldap-2XX
# ./configure --libdir=/lib --with-ldap-lib=openldap --with-ldap-dir=/usr --with-ldap-conf-file=/etc/ldap.conf --with-ldap-secret-file=/etc/ldap.secret
# make clean
# make
# make install

IMPORTANT NOTE: You must configure/install nss_ldap prior to pam_ldap, as it will populate /usr/local/include with header files that pam_ldap requires, depending on which version of LDAP you are using (example: ldap.h, which is LDAP version dependent). This avoids the pam_ldap "configure" error "could not locate <ldap.h>".

Build pam_ldap from source, using EXACTLY the same configuration options:
# cd /var/tmp
# tar xvf pam_ldap.tar
# cd pam_ldap-1XX
# ./configure --libdir=/lib --with-ldap-lib=openldap --with-ldap-dir=/usr --with-ldap-conf-file=/etc/ldap.conf --with-ldap-secret-file=/etc/ldap.secret
# make clean
# make
# make install
Step 2: Install OpenSSL 0.9.7e

Skip this step if OpenSSL 0.9.7e is already installed as shared library objects.
# cd /var/tmp
# tar xvf openssl-0.9.7e.tar
# cd openssl-0.9.7e
# ./config shared --prefix=/usr
# make clean
# make
# make install

The additional steps shown below are required to rename and hide the original openssl-0.9.7a files (due to the fact that RedHat stores the libssl and libcrypto shared object files at an odd location, i.e. /lib).
# cd /lib
# mv -f libssl.so.4 libssl.so.4.orig
# ln -s /usr/lib/libssl.so.0.9.7 libssl.so.4
# mv -f libcrypto.so.4 libcrypto.so.4.orig
# ln -s /usr/lib/libcrypto.so.0.9.7 libcrypto.so.4

Verify the OpenSSL version:
# /usr/bin/openssl
OpenSSL> version
OpenSSL 0.9.7e DD MMM YYYY
OpenSSL> exit
Step 3: Configure and install OpenSSH Server

Prior to doing anything, back up the original SSH Server configuration files and host keys.
# mkdir -p /etc/ssh.orig
# cp /etc/ssh/* /etc/ssh.orig

Now configure OpenSSH with support for PAM and OpenSSL.
NOTE: RedHat OpenSSH usually stores host keys in /etc/ssh.
# cd /var/tmp
# tar xvf openssh-3.X.XpX.tar
# cd openssh-3.X.XpX
# ./configure --prefix=/usr --with-pam --sysconfdir=/etc/ssh --with-ssl-dir=/usr

Compile and install it:
# make clean
# make
# make install

(IMPORTANT Note: having --sysconfdir=/etc/ssh will preserve OpenSSH's original /etc/ssh/ssh_config and /etc/ssh/sshd_config as well as the host keys, but as the original sshd_config file MAY NOT include NEW settings, you MAY overwrite sshd_config with the sample from the OpenSSH distribution, with reference to the original settings.)
Step 4: Create start/stop scripts

Create /etc/init.d/openssh.server. This step is OPTIONAL, as you may use RedHat's /etc/init.d/sshd script instead.
# touch /etc/init.d/openssh.server; chmod 744 /etc/init.d/openssh.server

Content of /etc/init.d/openssh.server:
#!/bin/sh
# Minimal start/stop script for the self-built sshd; sshd writes its own pid file.
case $1 in
'start')
    /usr/sbin/sshd
    ;;
'stop')
    PID=`cat /var/run/sshd.pid 2>/dev/null`
    if [ -n "$PID" ]
    then
        # SIGKILL cannot be caught; the listening daemon is stopped immediately.
        /usr/bin/kill -9 $PID
    fi
    ;;
*)
    echo "usage: $0 {start|stop}"
    ;;
esac

Copy (overwrite) the sample sshd_config and ssh_config from the OpenSSH distribution:
# cp /var/tmp/openssh-3.X.XpX/sshd_config /etc/ssh
# cp /var/tmp/openssh-3.X.XpX/ssh_config /etc/ssh

Edit /etc/ssh/sshd_config: enable PasswordAuthentication, enable ChallengeResponseAuthentication, enable PAM, and verify that the path for sftp-server does exist.
# vi /etc/ssh/sshd_config
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
Subsystem sftp /usr/libexec/sftp-server

Note: in older versions (pre-3.6.1) of OpenSSH Server, instead of "UsePAM yes", the parameter is:
# Set this to 'yes' to enable PAM keyboard-interactive authentication
# Warning: enabling this may bypass the setting of 'PasswordAuthentication'
PAMAuthenticationViaKbdInt yes

Create the privilege separation user id as per the OpenSSH requirement:
# mkdir -p /var/empty; chmod 755 /var/empty
# groupadd -g 999 sshd
# useradd -u 999 -g 999 -c "sshd privilege separation" -d /var/empty -s /bin/false sshd
Optionally, if for any reason there is a need to re-create the host keys for sshd, you may perform:
/usr/bin/ssh-keygen -t rsa1 -f /etc/ssh/ssh_host_key -N ""
/usr/bin/ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N ""
/usr/bin/ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N ""

Optionally, you may want to fine tune the OpenSSH server for it to be more secure, i.e. use only Protocol 2, disable the default PermitRootLogin, enable X11Forwarding, and so on. Below is an example:
# sed -e 's/#Protocol 2,1/Protocol 2/' \
      -e 's/#PermitRootLogin yes/PermitRootLogin no/' \
      -e 's/#X11Forwarding no/X11Forwarding yes/' \
      -e 's/#PrintMotd yes/PrintMotd no/' \
      /etc/ssh/sshd_config > /etc/ssh/sshd_config_new
# mv /etc/ssh/sshd_config_new /etc/ssh/sshd_config

That's all. Kill the existing SSH Server and re-start the OpenSSH Server:
# /etc/init.d/sshd stop; /etc/init.d/openssh.server start
OR use RedHat's way:
# service sshd restart
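The sed edit above rewrites the commented defaults in place, which matters because sshd uses the first uncommented occurrence of a keyword and ignores later ones. As an added example (not part of the original document), the POSIX shell audit below reads sshd_config the way sshd does and reports which of the recommended settings are actually in effect; the three sample configurations it checks are constructed here.

```shell
#!/bin/sh
# Added example, not from the original document: audit an sshd_config
# against the settings recommended above. sshd honours the FIRST
# uncommented occurrence of each keyword, so a hardening line appended
# after a permissive one is silently ignored; this check therefore
# reads the first match, exactly as sshd does.

# Effective value of a keyword (first uncommented match wins, case-insensitive).
sshd_effective() {   # $1 = config file, $2 = keyword
    awk -v key="$2" '
        /^[[:space:]]*(#|$)/ { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Print one MISMATCH line per recommended setting that is not in effect
# (on stderr) and echo the mismatch count. An absent directive counts as a
# mismatch: it leaves the compiled-in default in force, which for Protocol
# and PermitRootLogin on OpenSSH 3.x is the permissive value.
sshd_audit() {       # $1 = config file
    bad=0
    for pair in Protocol=2 PermitRootLogin=no UsePAM=yes \
                PasswordAuthentication=yes ChallengeResponseAuthentication=yes
    do
        key=${pair%%=*}; want=${pair#*=}
        got=$(sshd_effective "$1" "$key")
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $key: effective='${got:-<absent>}' expected='$want'" >&2
            bad=$((bad + 1))
        fi
    done
    echo "$bad"
}

# Constructed sample 1: the distribution sample file before the sed edit
# (defaults still commented out, only the PAM-related lines enabled).
SSHD_BEFORE=$(mktemp)
cat > "$SSHD_BEFORE" <<'EOF'
#Protocol 2,1
#PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
Subsystem sftp /usr/libexec/sftp-server
EOF

# Constructed sample 2: hardened, but a stray "PermitRootLogin yes" was
# left earlier in the file, and that earlier line is the one sshd uses.
SSHD_TRAP=$(mktemp)
cat > "$SSHD_TRAP" <<'EOF'
PermitRootLogin yes
Protocol 2
PermitRootLogin no
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
EOF

# Constructed sample 3: sample 1 after the same sed edit as on this page.
SSHD_AFTER=$(mktemp)
sed -e 's/#Protocol 2,1/Protocol 2/' \
    -e 's/#PermitRootLogin yes/PermitRootLogin no/' "$SSHD_BEFORE" > "$SSHD_AFTER"

# Usage: sshd_audit /etc/ssh/sshd_config
sshd_audit "$SSHD_BEFORE"   # 2 mismatches: Protocol and PermitRootLogin still default
sshd_audit "$SSHD_TRAP"     # 1 mismatch: PermitRootLogin is effectively "yes"
sshd_audit "$SSHD_AFTER"    # 0
```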
Step 5: Create ldap.conf for BOTH pam_ldap and OpenLDAP

There are two ldap.conf files: one for pam_ldap, which is usually named /etc/ldap.conf, and another for the OpenLDAP client, which is usually named /etc/openldap/ldap.conf. Create these two files.

Content of /etc/ldap.conf (in the original, the required entries are shown in green; here they are the uncommented lines):
# List two or more LDAP servers if failover is required
host ldap1.example.com ldap2.example.com
# "host" directive may be deprecated in future releases,
# you may wish to use 'uri' directive to replace "host" directive
#uri ldap://ldap1.example.com ldap://ldap2.example.com
base dc=example,dc=com
ldap_version 3
binddn cn=proxyagent,ou=profile,dc=example,dc=com
bindpw password
# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
rootbinddn cn=Manager,dc=example,dc=com
port 389
# The search scope.
#scope sub
#scope one
#scope base
# Search timelimit
#timelimit 30
# Bind timelimit
#bind_timelimit 30
# Idle timelimit; client will close connections
# (nss_ldap only) if the server has not been contacted
# for the number of seconds specified below.
#idle_timelimit 3600
# Filter to AND with uid=%s
#pam_filter objectclass=account
pam_filter objectclass=posixAccount
# The user ID attribute (defaults to uid)
pam_login_attribute uid
# Search the root DSE for the password policy (works
# with Netscape Directory Server)
#pam_lookup_policy yes
# Check the 'host' attribute for access control
# Default is no; if set to yes, and user has no
# value for the host attribute, and pam_ldap is
# configured for account management (authorization)
# then the user will not be allowed to login.
#pam_check_host_attr yes
# Group to enforce membership of
#pam_groupdn cn=PAM,ou=Groups,dc=example,dc=com
# Group member attribute
#pam_member_attribute uniquemember
pam_member_attribute memberUid
# Specify a minimum or maximum UID number allowed
#pam_min_uid 0
#pam_max_uid 0
# Template login attribute, default template user
# (can be overridden by value of former attribute
# in user's entry)
#pam_login_attribute userPrincipalName
#pam_template_login_attribute uid
#pam_template_login nobody
# HEADS UP: the pam_crypt, pam_nds_passwd,
# and pam_ad_passwd options are no
# longer supported.
# Do not hash the password at all; presume
# the directory server will do it, if
# necessary. This is the default.
#pam_password clear
# Hash password locally; required for University of
# Michigan LDAP server, and works with Netscape
# Directory Server if you're using the UNIX-Crypt
# hash mechanism and not using the NT Synchronization
# service.
pam_password crypt
# Remove old password first, then update in
# cleartext. Necessary for use with Novell
# Directory Services (NDS)
#pam_password nds
# Update Active Directory password, by
# creating Unicode password and updating
# unicodePwd attribute.
#pam_password ad
# Use the OpenLDAP password change
# extended operation to update the password.
#pam_password exop
# Redirect users to a URL or somesuch on password
# changes.
#pam_password_prohibit_message Please visit http://internal to change your password.
# RFC2307bis naming contexts
# Syntax:
# nss_base_XXX base?scope?filter
# where scope is {base,one,sub}
# and filter is a filter to be &'d with the
# default filter.
# You can omit the suffix eg:
# nss_base_passwd ou=People,
# to append the default base DN but this
# may incur a small performance impact.
nss_base_passwd ou=People,dc=example,dc=com?one
nss_base_shadow ou=People,dc=example,dc=com?one
nss_base_group ou=group,dc=example,dc=com?one
#nss_base_hosts ou=Hosts,dc=example,dc=com?one
#nss_base_services ou=Services,dc=example,dc=com?one
#nss_base_networks ou=Networks,dc=example,dc=com?one
#nss_base_protocols ou=Protocols,dc=example,dc=com?one
#nss_base_rpc ou=Rpc,dc=example,dc=com?one
#nss_base_ethers ou=Ethers,dc=example,dc=com?one
#nss_base_netmasks ou=Networks,dc=example,dc=com?one
#nss_base_bootparams ou=Ethers,dc=example,dc=com?one
#nss_base_aliases ou=Aliases,dc=example,dc=com?one
nss_base_netgroup ou=netgroup,dc=example,dc=com?one
# attribute/objectclass mapping
# Syntax:
#nss_map_attribute rfc2307attribute mapped_attribute
#nss_map_objectclass rfc2307objectclass mapped_objectclass
# configure --enable-nds is no longer supported.
# For NDS now do:
#nss_map_attribute uniqueMember member
# configure --enable-mssfu-schema is no longer supported.
# For MSSFU now do:
#nss_map_objectclass posixAccount User
#nss_map_attribute uid msSFUName
#nss_map_attribute uniqueMember posixMember
#nss_map_attribute userPassword msSFUPassword
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_objectclass posixGroup Group
#pam_login_attribute msSFUName
#pam_filter objectclass=User
#pam_password ad
# configure --enable-authpassword is no longer supported
# For authPassword support, now do:
#nss_map_attribute userPassword authPassword
#pam_password nds
# For IBM SecureWay support, do:
#nss_map_objectclass posixAccount aixAccount
#nss_map_attribute uid userName
#nss_map_attribute gidNumber gid
#nss_map_attribute uidNumber uid
#nss_map_attribute userPassword passwordChar
#nss_map_objectclass posixGroup aixAccessGroup
#nss_map_attribute cn groupName
#nss_map_attribute uniqueMember member
#pam_login_attribute userName
#pam_filter objectclass=aixAccount
#pam_password clear
# Netscape SDK LDAPS
#ssl on
# Netscape SDK SSL options
#sslpath /etc/ssl/certs/cert7.db
# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
ssl start_tls
#ssl on
# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is "no"
tls_checkpeer yes
# CA certificates for server certificate verification
# At least one of these are required if tls_checkpeer is "yes"
#tls_cacertfile /etc/ssl/ca.cert
#tls_cacertdir /etc/ssl/certs
# Un-comment for RedHat
tls_cacertfile /etc/openldap/cacert.pem
# Un-comment for Others
#tls_cacertfile /usr/local/etc/openldap/cacert.pem
# Seed the PRNG if /dev/urandom is not provided
#tls_randfile /var/run/egd-pool
# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1
# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key
Content of /etc/openldap/ldap.conf:
HOST ldap1.example.com ldap2.example.com
#URI ldap://ldap1.example.com ldap://ldap2.example.com
BASE dc=example,dc=com
# Un-comment for RedHat
TLS_CACERT /etc/openldap/cacert.pem
# Un-comment for others
#TLS_CACERT /usr/local/etc/openldap/cacert.pem

Note: For an RHEL4/RHFC3 Client, running "authconfig" with the TLS option selected will always add a line to the end of /etc/ldap.conf that uses the CACERTDIR method, so please comment out the CACERTFILE method in /etc/ldap.conf and also in /etc/openldap/ldap.conf, as shown:
/etc/ldap.conf:
#tls_cacertfile /etc/openldap/cacert.pem
tls_cacertdir /etc/openldap/cacerts
/etc/openldap/ldap.conf:
#TLS_CACERT /etc/openldap/cacert.pem
TLS_CACERTDIR /etc/openldap/cacerts

After that you GOT to generate the X.509 HASH, which is a symbolic link to cacert.pem (the CACERTDIR method looks a CA certificate up by the hash of its subject name, so without the link the certificate is never found and verification fails). You may use the following script to help you:
# cat get_x509_hash.sh
#!/bin/sh
# Print the commands that create the <hash>.0 symlink OpenLDAP expects in the
# tls_cacertdir directory. "openssl x509 -hash" on the 0.9.7 series used here
# yields the old-style hash; OpenSSL 1.0.0 and later look up a different
# subject hash (there, "-subject_hash" gives the new value and
# "-subject_hash_old" reproduces this one).
HASH=`openssl x509 -noout -hash -in /etc/openldap/cacert.pem`
echo Please run these commands
echo "cd /etc/openldap/cacerts"
echo "ln -s ../cacert.pem $HASH.0"

Step 6: Prepare /etc/openldap/cacert.pem

cacert.pem contains the ONE PER ORGANIZATION self-signed Certification Authority certificate that was generated at the MASTER LDAP Server(s), for all OpenLDAP Clients to talk to the OpenLDAP Server in "start_tls" mode (also called SSL_TLS) at the usual LDAP port 389. You must generate this file at the OpenLDAP Server (details can be found in "Installing and configuring OpenLDAP for RedHat Enterprise Linux 3") and copy it over to all LDAP clients, into your preferred location referenced by BOTH /etc/ldap.conf and /etc/openldap/ldap.conf.

The following is an example of /etc/openldap/cacert.pem (the base64 certificate body is omitted here):
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
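Whether the two ldap.conf files above actually protect the directory credentials comes down to a handful of directives: "ssl start_tls" (or "ssl on"), "tls_checkpeer yes", a CA file or directory that really exists, and a mode-600 ldap.secret for the rootbinddn password. As an added example (not part of the original document), the POSIX shell check below reads those directives from a pam_ldap-style /etc/ldap.conf and reports what is missing; it assumes the last uncommented occurrence of a directive is the one in effect, and the configurations, CA file and secret it checks are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the original document: audit the TLS and
# credential-handling directives of a pam_ldap/nss_ldap ldap.conf.
# "ssl" other than start_tls/on means every bind (proxyagent, root and
# user passwords) crosses the network in cleartext; "tls_checkpeer"
# other than yes means any server certificate, hence any impostor
# directory, is accepted and the CA file is never consulted.
# Assumption: the last uncommented occurrence of a directive wins
# (authconfig appends its lines at the end of the file).

# Value of a pam_ldap directive (directive names are lower-case in this file).
ldap_directive() {   # $1 = ldap.conf, $2 = directive
    awk -v key="$2" '
        /^[[:space:]]*(#|$)/ { next }
        $1 == key { val = $2 }
        END { print val }
    ' "$1"
}

# Print one PROBLEM line per finding on stderr and echo the finding count.
ldap_conf_audit() {  # $1 = ldap.conf, $2 = ldap.secret (checked only if rootbinddn is set)
    bad=0
    ssl=$(ldap_directive "$1" ssl)
    case "$ssl" in
        start_tls|on) ;;
        *) echo "PROBLEM ssl='${ssl:-<absent>}': bind credentials are sent in cleartext" >&2
           bad=$((bad + 1)) ;;
    esac
    if [ "$(ldap_directive "$1" tls_checkpeer)" != yes ]; then
        echo "PROBLEM tls_checkpeer is not 'yes': the server certificate is not verified" >&2
        bad=$((bad + 1))
    fi
    cafile=$(ldap_directive "$1" tls_cacertfile)
    cadir=$(ldap_directive "$1" tls_cacertdir)
    if [ -z "$cafile" ] && [ -z "$cadir" ]; then
        echo "PROBLEM no tls_cacertfile/tls_cacertdir: nothing to verify the server against" >&2
        bad=$((bad + 1))
    elif [ -n "$cafile" ] && [ ! -r "$cafile" ]; then
        echo "PROBLEM tls_cacertfile '$cafile' is missing or unreadable" >&2
        bad=$((bad + 1))
    elif [ -n "$cadir" ] && [ ! -d "$cadir" ]; then
        echo "PROBLEM tls_cacertdir '$cadir' is not a directory" >&2
        bad=$((bad + 1))
    fi
    # The rootbinddn password is read from ldap.secret, which must be mode 600.
    if [ -n "$(ldap_directive "$1" rootbinddn)" ] && [ -e "$2" ]; then
        perms=$(ls -ld "$2" | cut -c1-10)
        if [ "$perms" != "-rw-------" ]; then
            echo "PROBLEM $2 is $perms, expected -rw------- (mode 600)" >&2
            bad=$((bad + 1))
        fi
    fi
    echo "$bad"
}

# Constructed samples: a placeholder CA file and a mode-600 secret for the
# good configuration, a world-readable copy of the secret for the bad one.
LDAP_TMP=$(mktemp -d)
echo "constructed placeholder, not a real certificate" > "$LDAP_TMP/cacert.pem"
echo "placeholder-secret" > "$LDAP_TMP/ldap.secret"; chmod 600 "$LDAP_TMP/ldap.secret"
cp "$LDAP_TMP/ldap.secret" "$LDAP_TMP/ldap.secret.bad"; chmod 644 "$LDAP_TMP/ldap.secret.bad"

cat > "$LDAP_TMP/good.conf" <<EOF
host ldap1.example.com ldap2.example.com
base dc=example,dc=com
rootbinddn cn=Manager,dc=example,dc=com
ssl start_tls
tls_checkpeer yes
tls_cacertfile $LDAP_TMP/cacert.pem
EOF

# No ssl line, tls_checkpeer left at its default "no", CA file that does
# not exist, and a 644 secret: four findings.
cat > "$LDAP_TMP/bad.conf" <<EOF
host ldap1.example.com
base dc=example,dc=com
rootbinddn cn=Manager,dc=example,dc=com
tls_cacertfile $LDAP_TMP/missing.pem
EOF

# Usage: ldap_conf_audit /etc/ldap.conf /etc/ldap.secret
ldap_conf_audit "$LDAP_TMP/good.conf" "$LDAP_TMP/ldap.secret"      # 0
ldap_conf_audit "$LDAP_TMP/bad.conf"  "$LDAP_TMP/ldap.secret.bad"  # 4
```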
Step 7: Backup and create /etc/pam.d/system-auth

Login as root at the console of the LDAP Client (SSH Server). Make a backup copy of /etc/pam.d/system-auth:
# cp /etc/pam.d/system-auth /etc/pam.d/system-auth.orig

Run "authconfig" to generate /etc/pam.d/system-auth for LDAP Authentication. If there is any issue, run authconfig again to restore the original system-auth, or just restore it from the backup.

User Information Configuration:
[*] Use LDAP
[*] Use TLS
Server: ldap1.example.com, ldap2.example.com
Base DN: dc=example,dc=com

Authentication Configuration:
[*] Use LDAP Authentication
[*] Use TLS
Server: ldap1.example.com, ldap2.example.com
Base DN: dc=example,dc=com

Tips: if the generated system-auth has a bug such that "su - userid" displays "incorrect password" even when the correct password is provided, to fix it, replace one of the "account" lines, as shown below:
# diff /etc/pam.d/system-auth /etc/pam.d/system-auth.ldapauth
9c9
< account     required      /lib/security/$ISA/pam_unix.so
---
> account     sufficient    /lib/security/$ISA/pam_unix.so
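Review bot: changing pam_unix.so from "required" to "sufficient" in the account phase does more than cure the su failure: a "sufficient" module that succeeds ends the stack with success, so for any user whose pam_unix account check passes, the pam_ldap.so account line that follows is never evaluated, and the LDAP-side authorization that /etc/ldap.conf can express (pam_check_host_attr, pam_groupdn, pam_min_uid/pam_max_uid) is skipped for those users. The RHEL4/RHFC3 sample further down keeps pam_unix.so "required" (with broken_shadow to tolerate a missing shadow entry) and limits the short-circuit to local accounts with "account sufficient pam_succeed_if.so uid < 100 quiet", so directory users still reach pam_ldap.so; that form is preferable to the blanket "sufficient".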
Content of /etc/pam.d/system-auth that will fix the "su - incorrect password" issue:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so
account     sufficient    /lib/security/$ISA/pam_unix.so
account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so
password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so
# Un-comment the next line if you want pam_mkhomedir.so to mkdir $HOME on the fly
#session    sufficient    pam_mkhomedir.so skel=/etc/skel/ umask=0022
session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_ldap.so

NOTE 1: "authconfig" will, at the end of the run, stop and restart /etc/init.d/nscd; if it hangs, press CTRL-C and then run "service nscd restart".
NOTE 2: if "authconfig" is re-run, /etc/pam.d/system-auth will be re-generated and overwritten; therefore a manual edit of this file is required again if there are customizations.
NOTE 3: if you are using a latest update of RHEL3, or RHEL4/RHFC3, the above "tip" to replace the "required" keyword for pam_unix.so is not required, as the generated system-auth works without the "su - user" incorrect password issue.
Sample content of "system-auth" generated for RHEL3 and RHEL4/RHFC3 that works right out of the box:

RHEL3:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so
account     required      /lib/security/$ISA/pam_unix.so
account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so
password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok shadow
password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so
session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_ldap.so

RHEL4/RHFC3:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so
account     required      /lib/security/$ISA/pam_unix.so broken_shadow
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
account     required      /lib/security/$ISA/pam_permit.so
password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok shadow
password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so
session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_ldap.so

That is all. Reboot your LDAP Client (SSH Server). If there is any boot issue, you may boot into RedHat Linux Rescue Mode and try to fix the issue; if the issue persists, you may restore the original /etc/pam.d/system-auth, or run "authconfig" to generate the original.
# sync; sync; sync
# init 6

--- End of Doc ---
Last Updated: 26-Aug-2006
Purpose:Thedocumentisoneofthedeliverablesofthe“OpenLDAPCentralizedAuthenticationProject”,thereadermayalsorefertoitssisterdocumentstitled“InstallingandconfiguringOpenLDAPforRedHatEnterpriseLinux3”
ThisdocumentdescribesthestepsinvolvedininstallingandconfiguringanOpenSSHServer,whichisalsoanOpenLDAPClient,withpam_ldapsupportonRedHatEnterpriseLinux3.ThisistobeaccessedbyWindows/UNIX/LinuxOpenSSHclients.
Anotherrelateddocument"DeployingOpenLDAPClientbyusingautomatedscripts",describesthestepsinvolvedinbuildingupaninfrastructureenvironmentforrapiddeploymentofOpenLDAPClient.
NOTE:AllthestepsherearealsoapplicabletoRedHatFedoraCore1/2andRedHatLinux9,aswellasRHEL4/RHFC3.
UsefulURLs:
·SUN’s“SystemAdministrationGuide:SecurityServices-May2002”(couldbefoundat
·OpenSSH:
·OpenSSHLPK(LDAPPublicKey)patch:
·OpenSSL:
·PAM:
·PAM_LDAPandNSS_LDAP:
Exampleused:
·NSS_LDAPandPAM_LDAPlibrarypath:/liband/lib/securityrespectively
·OpenSSLinstalldirectory=/usr
·OpenLDAPinstalldirectory=/usr
ObservedIssues:
·PuTTYSSHProtocol1ClientDOESNOTWORK
·"su–uid"“incorrectpassword”despitecorrectpasswordentry,Ihavefoundafix,see“Tips”underStep7,this“tips”isnotrequiredonRHEL4/RHFC3Client.
Step1:Installnss_ldap2.X.Xandpam_ldap1.X.X
ThisstepisOPTIONALandcouldbeskippedifyouintendtousetheexistingnss_ldapandpam_ldaplibrariesalreadycomewithRHEL3.IMPORTANT:ItishighlyrecommendedthattheseconfigurationstepsbecarriedupattheLOCALSYSTEMCONSOLEwhilelogginginasroot,ONTOPOFTHIS,MULTIPLEREMOTErootsessionsshouldbeopened.Incaseofanyincorrectconfigurationthatmessesupyoursystem,itcanberepaired.
ForRedHatLinuxsystems,whenever"su–user"or"su–root"issueoccurs,andyoudon'tintendtocontinuetroubleshooting,attheseLOCALorREMOTErootsessions,issuethecommand"authconfig”andrestorebacktheoriginalRedHatLinuxAuthenticationscheme(itwillgeneratetheoriginal/etc/pam.d/system-authfile,pressCtrl-Cifthescreenappearsfreezed).
Loginas‘root’attheconsoleofLDAPClient.
IMPORTANTNOTE:Youmustconfigure/installOpenLDAPpriortonss_ldap,ifnotthe"configure"commandshownbelowwillcomplainabout"LDAPLibrarynotfound"asthetypeofLDAPisdefinedas"openldap".
Buildnss_ldapfromsource:
#cd/var/tmp
#tarxvfnss_ldap.tar
#cdnss_ldap-2XX
#./configure--libdir=/lib--with-ldap-lib=openldap--with-ldap-dir=/usr--with-ldap-conf-file=/etc/ldap.conf--with-ldap-secret-file=/etc/ldap.secret
#makeclean
#make
#makeinstall
IMPORTANTNOTE:Youmustconfigure/installnss_ldappriortopam_ldapasitwillpopulate/usr/local/includewithheaderfilesthatpam_ldaprequires,dependingonwhichversionofLDAPyouareusing,example:ldap.h,thisfileisLDAPversiondependant,thiswillavoidpam_ldap"configure"error"couldnotlocate<ldap.h>".
Buildpam_ldapfromsource,useEXACTLYthesameconfigurationoptions:
#cd/var/tmp
#tarxvfpam_ldap.tar
#cdpam_ldap-1XX
#./configure--libdir=/lib--with-ldap-lib=openldap--with-ldap-dir=/usr--with-ldap-conf-file=/etc/ldap.conf--with-ldap-secret-file=/etc/ldap.secret
#makeclean
#make
#makeinstall
Step2:InstallOpenSSL0.9.7e
Skipthisstepifitisalreadyinstalledassharedlibrariesobjects.#cd/var/tmp
#tarxvfopenssl-0.9.7e.tar
#cdopenssl-0.9.7e
#./configshared--prefix=/usr
#makeclean
#make
#makeinstall
Additionalstepsshownbelowarerequiredtorenameandhideopenssl-0.9.7aoriginalfiles(duetothefactthatRedHatstoreslibsslandlibcryptosharedobjectfilesatoddlocation,i.e./lib).
#cd/lib
#mv-flibssl.so.4libssl.so.4.orig
#ln-s/usr/lib/libssl.so.0.9.7libssl.so.4
#mv-flibcrypto.so.4libcrypto.so.4.orig
#ln-s/usr/lib/libcrypto.so.0.9.7libcrypto.so.4
VerifytheOpenSSLversion
#/usr/bin/opensslOpenSSL>version
OpenSSL0.9.7eDDMMMYYYY
OpenSSL>exit
Step3:ConfigureandinstallOpenSSHServer
Priortodoinganything,backuptheSUNSSHServeroriginalconfigurationfilesandhostkeys.#mkdir–p/etc/ssh.orig
#cp/etc/ssh/*/etc/ssh.orig
NowconfigureOpenSSHwithsupportforPAMandOpenSSL
NOTE:RedHatOpenSSHusuallystoreshostkeysin/etc/ssh
#cd/var/tmp
#tarxvfopenssh-3.X.XpX.tar
#cdopenssh-3.X.XpX
#./configure--prefix=/usr--with-pam--sysconfdir=/etc/ssh--with-ssl-dir=/usr
Compileandinstallit
#makeclean#make
#makeinstall
(IMPORTANTNote:having--sysconfdir=/etc/sshwillpreserveOpenSSHoriginal/etc/ssh/ssh_configand/etc/ssh/sshd_configaswellashostkeys,butastheoriginalsshd_configfileMAYNOTincludeNEWsettings,youMAYoverwritesshd_configwithasamplefromOpenSSHdistribution,withreferencestooriginalsettings)
Step4:Createstart/stopscripts
Create/etc/init.d/openssh.server,thisstepisOPTIONALasyoumayuseRedHat's/etc/init.d/sshdscript#touch/etc/init.d/openssh.server;chmod744/etc/init.d/openssh.server
Contentof/etc/init.d/openssh.server
#!/bin/shcase$1in
'start')
/usr/sbin/sshd
;;
'stop')
PID=`cat/var/run/sshd.pid`
if[-n"$PID"]
then
/usr/bin/kill-9$PID
fi
;;
*)
echo"usage:/etc/init.d/sshd{start|stop}"
;;
esac
Copy(Overwrite)samplesshd_configandssh_configfromOpenSSH
#cp/var/tmp/openssh-3.X.XpX/sshd_config/etc/ssh
#cp/var/tmp/openssh-3.X.XpX/ssh_config/etc/ssh
Edit/etc/ssh/sshd_config,enablePasswordAuthentication,enableChallengeResponseAuthentication,enablePAMandverifypathforsftp-serverdoesexist
#vi/etc/ssh/sshd_config
PasswordAuthenticationyes
ChallengeResponseAuthenticationyes
UsePAMyes
Subsystemsftp/usr/libexec/sftp-server
Note:inolderversion(pre-3.6.1)ofOpenSSHServer,insteadof“UsePAMyes”,theparameteris:
#Setthisto'yes'toenablePAMkeyboard-interactiveauthentication#Warning:enablingthismaybypassthesettingof'PasswordAuthentication'
PAMAuthenticationViaKbdIntyes
CreateprivilegeseparationuseridasperOpenSSHrequirement
#mkdir–p/var/empty;chmod755/var/empty#groupadd-g999sshd
#useradd-u999-g999–c“sshdprivilegeseparation”-d/var/empty-s/bin/falsesshd
Optionally,foranyreasonifthereisaneedtore-createthehostkeysforsshd,youmayperform:
/usr/bin/ssh-keygen-trsa1-f/etc/ssh/ssh_host_key-N""
/usr/bin/ssh-keygen-tdsa-f/etc/ssh/ssh_host_dsa_key-N""
/usr/bin/ssh-keygen-trsa-f/etc/ssh/ssh_host_rsa_key-N""
Optionally,youmaywanttofinetuneOpenSSHserverforittobemoresecure,i.e.useonlyProtocol2,disabledefaultPermitRootLogin,enableX11Forwarding,andsoon…belowisanexample:
#sed-e's/#Protocol2,1/Protocol2/'\
-e's/#PermitRootLoginyes/PermitRootLoginno/'\
-e's/#X11Forwardingno/X11Forwardingyes/'\
-e's/#PrintMotdyes/PrintMotdno/'\
/etc/ssh/sshd_config>/etc/ssh/sshd_config_new
#mv/etc/ssh/sshd_config_new/etc/ssh/sshd_config
That’sall,killexistingSSHServerandre-startOpenSSHServer
#/etc/init.d/sshdstop;/etc/init.d/openssh.serverstart
ORusetheRedHat'sway:
#servicesshdrestart
Step5:Createldap.confforBOTHpam_ldapandOpenLDAP
Therearetwoldap.conffiles,oneforpam_ldap,whichisusuallynamed/etc/ldap.conf,anotherforOpenLDAPclient,whichisusuallynamed/etc/openldap/ldap.conf:Createthesetwofiles.
Contentof/etc/ldap.conf,thoseingreenarerequiredentries.
#ListtwoormoreLDAPserversiffailoverisrequired
hostldap1.example.comldap2.example.com
#“host”directivemaybedeprecatedinfuturereleases,
#youmaywishtouse‘uri’directivetoreplace“host”directive
#urildap://ldap1.example.comldap://ldap2.example.com
basedc=example,dc=com
ldap_version3
binddncn=proxyagent,ou=profile,dc=example,dc=com
bindpwpassword
#Thedistinguishednametobindtotheserverwith
#iftheeffectiveuserIDisroot.Passwordis
#storedin/etc/ldap.secret(mode600)
rootbinddncn=Manager,dc=example,dc=com
port389
#Thesearchscope.
#scopesub
#scopeone
#scopebase
#Searchtimelimit
#timelimit30
#Bindtimelimit
#bind_timelimit30
#Idletimelimit;clientwillcloseconnections
#(nss_ldaponly)iftheserverhasnotbeencontacted
#forthenumberofsecondsspecifiedbelow.
#idle_timelimit3600
#FiltertoANDwithuid=%s
#pam_filterobjectclass=account
pam_filterobjectclass=posixAccount
#TheuserIDattribute(defaultstouid)
pam_login_attributeuid
#SearchtherootDSEforthepasswordpolicy(works
#withNetscapeDirectoryServer)
#pam_lookup_policyyes
#Checkthe'host'attributeforaccesscontrol
#Defaultisno;ifsettoyes,anduserhasno
#valueforthehostattribute,andpam_ldapis
#configuredforaccountmanagement(authorization)
#thentheuserwillnotbeallowedtologin.
#pam_check_host_attryes
#Grouptoenforcemembershipof
#pam_groupdncn=PAM,ou=Groups,dc=example,dc=com
#Groupmemberattribute
#pam_member_attributeuniquemember
pam_member_attributememberUid
#SpecifyaminiumormaximumUIDnumberallowed
#pam_min_uid0
#pam_max_uid0
#Templateloginattribute,defaulttemplateuser
#(canbeoverridenbyvalueofformerattribute
#inuser'sentry)
#pam_login_attributeuserPrincipalName
#pam_template_login_attributeuid
#pam_template_loginnobody
#HEADSUP:thepam_crypt,pam_nds_passwd,
#andpam_ad_passwdoptionsareno
#longersupported.
#Donothashthepasswordatall;presume
#thedirectoryserverwilldoit,if
#necessary.Thisisthedefault.
#pam_passwordclear
#Hashpasswordlocally;requiredforUniversityof
#MichiganLDAPserver,andworkswithNetscape
#DirectoryServerifyou'reusingtheUNIX-Crypt
#hashmechanismandnotusingtheNTSynchronization
#service.
pam_passwordcrypt
#Removeoldpasswordfirst,thenupdatein
#cleartext.NecessaryforusewithNovell
#DirectoryServices(NDS)
#pam_passwordnds
#UpdateActiveDirectorypassword,by
#creatingUnicodepasswordandupdating
#unicodePwdattribute.
#pam_passwordad
#UsetheOpenLDAPpasswordchange
#extendedoperationtoupdatethepassword.
#pam_passwordexop
#RedirectuserstoaURLorsomesuchonpassword
#changes.
#pam_password_prohibit_messagePleasevisit
#RFC2307bisnamingcontexts
#Syntax:
#nss_base_XXXbase?scope?filter
#wherescopeis{base,one,sub}
#andfilterisafiltertobe&'dwiththe
#defaultfilter.
#Youcanomitthesuffixeg:
#nss_base_passwdou=People,
#toappendthedefaultbaseDNbutthis
#mayincurasmallperformanceimpact.
nss_base_passwdou=People,dc=example,dc=com?one
nss_base_shadowou=People,dc=example,dc=com?one
nss_base_groupou=group,dc=example,dc=com?one
#nss_base_hostsou=Hosts,dc=example,dc=com?one
#nss_base_servicesou=Services,dc=example,dc=com?one
#nss_base_networksou=Networks,dc=example,dc=com?one
#nss_base_protocolsou=Protocols,dc=example,dc=com?one
#nss_base_rpcou=Rpc,dc=example,dc=com?one
#nss_base_ethersou=Ethers,dc=example,dc=com?one
#nss_base_netmasksou=Networks,dc=example,dc=com?ne
#nss_base_bootparamsou=Ethers,dc=example,dc=com?one
#nss_base_aliasesou=Aliases,dc=example,dc=com?one
nss_base_netgroupou=netgroup,dc=example,dc=com?one
#attribute/objectclassmapping
#Syntax:
#nss_map_attributerfc2307attributemapped_attribute
#nss_map_objectclassrfc2307objectclassmapped_objectclass
#configure--enable-ndsisnolongersupported.
#ForNDSnowdo:
#nss_map_attributeuniqueMembermember
#configure--enable-mssfu-schemaisnolongersupported.
#ForMSSFUnowdo:
#nss_map_objectclassposixAccountUser
#nss_map_attributeuidmsSFUName
#nss_map_attributeuniqueMemberposixMember
#nss_map_attributeuserPasswordmsSFUPassword
#nss_map_attributehomeDirectorymsSFUHomeDirectory
#nss_map_objectclassposixGroupGroup
#pam_login_attributemsSFUName
#pam_filterobjectclass=User
#pam_passwordad
#configure--enable-authpasswordisnolongersupported
#ForauthPasswordsupport,nowdo:
#nss_map_attributeuserPasswordauthPassword
#pam_passwordnds
#ForIBMSecureWaysupport,do:
#nss_map_objectclassposixAccountaixAccount
#nss_map_attributeuiduserName
#nss_map_attributegidNumbergid
#nss_map_attributeuidNumberuid
#nss_map_attributeuserPasswordpasswordChar
#nss_map_objectclassposixGroupaixAccessGroup
#nss_map_attributecngroupName
#nss_map_attributeuniqueMembermember
#pam_login_attributeuserName
#pam_filterobjectclass=aixAccount
#pam_passwordclear
#NetscapeSDKLDAPS
#sslon
#NetscapeSDKSSLoptions
#sslpath/etc/ssl/certs/cert7.db
#OpenLDAPSSLmechanism
#start_tlsmechanismusesthenormalLDAPport,LDAPStypically636
sslstart_tls
#sslon
#OpenLDAPSSLoptions
#Requireandverifyservercertificate(yes/no)
#Defaultis"no"
tls_checkpeeryes
#CAcertificatesforservercertificateverification
#Atleastoneofthesearerequirediftls_checkpeeris"yes"
#tls_cacertfile/etc/ssl/ca.cert
#tls_cacertdir/etc/ssl/certs
#Un-commentforRedHat
tls_cacertfile/etc/openldap/cacert.pem
#Un-commentforOthers
#tls_cacertfile/usr/local/etc/openldap/cacert.pem
#SeedthePRNGif/dev/urandomisnotprovided
#tls_randfile/var/run/egd-pool
#SSLciphersuite
#Seemanciphersforsyntax
#tls_ciphersTLSv1
#Clientcertificateandkey
#Usethese,ifyourserverrequiresclientauthentication.
#tls_cert
#tls_key
Contentof/etc/openldap/ldap.conf
HOSTldap1.example.comldap2.example.com
#URIldap://ldap1.example.comldap://ldap2.example.com
BASEdc=example,dc=com
#Un-commentforRedHat
TLS_CACERT/etc/openldap/cacert.pem
#Un-commentforothers
#TLS_CACERT/usr/local/etc/openldap/cacert.pem
Note:ForRHEL4/RHFC3Client,running“authconfig”withTLSoptionselectedwillalwaysaddalinetouseCACERTDIRmethodtotheendof/etc/ldap.conf,sopleasecommentouttheCACERTFILEmethodin/etc/ldap.confandalso/etc/openldap/ldap.conf,asshown:
/etc/ldap.conf:
#tls_cacertfile/etc/openldap/cacert.pem
tls_cacertdir/etc/openldap/cacerts
/etc/openldap/ldap.conf:
#TLS_CACERT/etc/openldap/cacert.pem
TLS_CACERTDIR/etc/openldap/cacerts
AfterthatyouGOTtogeneratetheX.509HASHwhichisasymboliclinktocacert.pem,youmayusethefollowingscripttohelpyou:
#catget_x509_hash.sh
HASH=`opensslx509-noout-hash-in/etc/openldap/cacert.pem`
echoPleaserunthesecommands
echo"cd/etc/openldap/cacerts"
echo"ln-s../cacert.pem$HASH.0"
Step6:Prepare/etc/openldap/cacert.pem
cacert.pemcontainstheONEPERORGANIZATIONSelf-SignedCertificationAuthorityCertificatethatwasgeneratedattheMASTERLDAPServer(s)forallOpenLDAPClientstotalktoOpenLDAPServerin"start_tls"mode(alsocalledSSL_TLS)attheusualLDAPport389.YoumustgeneratethisfileattheOpenLDAPServer,detailscouldbefoundin"InstallingandconfiguringOpenLDAPforRedHatEnterpriseLinux3",andcopyitovertoallLDAPclientsintoyourpreferredlocationreferencedbyBOTH/etc/ldap.confand/etc/openldap/ldap.conf.
Thefollowingisanexampleof/etc/openldap/cacert.pem.
-----BEGINCERTIFICATE-----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-----ENDCERTIFICATE-----
Step7:BackupandCreate/etc/pam.d/system-auth
LoginasrootattheconsoleofLDAPClient(SSHServer)Makeabackupcopyof/etc/pam.d/system-auth
#cp/etc/pam.d/system-auth/etc/pam.d/system-auth.orig
run"authconfig"togenerate/etc/pam.d/system-authforLDAPAuthentication,ifthereisanyissue,runauthconfigagaintorestorebacktheoriginalsystem-auth,orjustrestorefromthebackup.
UserInformationConfiguration:
[*]UseLDAP
[*]UseTLS
Server:ldap1.example.com,ldap2.example.com
BaseDN:dc=example,dc=com
AuthenticationConfiguration:
[*]UseLDAPAuthentication
[*]UseTLS
Server:ldap1.example.com,ldap2.example.com
BaseDN:dc=example,dc=com
Tips:ifthegeneratedsystem-authhasabugsuchthat"su–userid"willdisplay"incorrectpassword"evenwhencorrectpasswordisprovided,tofixit,replaceoneofthe"account"lines,asshownbelow:
#diff/etc/pam.d/system-auth/etc/pam.d/system-auth.ldapauth
9c9
<accountrequired/lib/security/$ISA/pam_unix.so
---
>accountsufficient/lib/security/$ISA/pam_unix.so
Content of /etc/pam.d/system-auth that will fix the "su – incorrect password" issue:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so
account     sufficient    /lib/security/$ISA/pam_unix.so
account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so
password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so
# Un-comment the next line if you want pam_mkhomedir.so to mkdir $HOME on the fly
# session     sufficient    pam_mkhomedir.so skel=/etc/skel/ umask=0022
session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_ldap.so
NOTE 1: at the end of its run, "authconfig" stops and restarts /etc/init.d/nscd; if it hangs, press CTRL-C and then run "service nscd restart".
NOTE 2: if "authconfig" is re-run, /etc/pam.d/system-auth is re-generated and overwritten, so any customizations have to be edited back into the file by hand afterwards.
NOTE 3: if you are using a recent update of RHEL3, or RHEL4/RHFC3, the above "tips" to replace the "required" keyword for pam_unix.so is not required, as the generated system-auth works without the "su – user" incorrect password issue.
Sample content of "system-auth" generated for RHEL3 and RHEL4/RHFC3 that works right out of the box:
RHEL3:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so
account     required      /lib/security/$ISA/pam_unix.so
account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so
password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok shadow
password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so
session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_ldap.so
RHEL4/RHFC3:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so
account     required      /lib/security/$ISA/pam_unix.so broken_shadow
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
account     required      /lib/security/$ISA/pam_permit.so
password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok shadow
password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so
session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_ldap.so
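The control-flag semantics behind the "Tips" fix above (required vs. sufficient for the pam_unix.so account line) and behind the RHEL4/RHFC3 stack in NOTE 3, as an added example that is not part of the original document and is not authconfig or Linux-PAM code: a small Python evaluator that applies the keyword and bracket rules of pam.conf(5) to the page's own "account" stacks. The per-user module return codes it feeds in are constructed assumptions (an LDAP-only user with no /etc/shadow entry making the old pam_unix.so return PAM_AUTHINFO_UNAVAIL unless broken_shadow is given; pam_succeed_if failing for uid >= 100), and the evaluator simplifies Linux-PAM's bookkeeping of non-success "ok" codes.

```python
"""Simplified Linux-PAM control-flag evaluator (added example, not part of the
original document). It replays the "account" stacks shown above to show why
"su - user" fails for LDAP users with "account required pam_unix.so", passes
with "sufficient", and why RHEL4's broken_shadow stack avoids that trade-off.
Per-user module return codes below are constructed assumptions."""
from typing import Dict, List, Tuple

SUCCESS, USER_UNKNOWN = "PAM_SUCCESS", "PAM_USER_UNKNOWN"
AUTHINFO_UNAVAIL, AUTH_ERR = "PAM_AUTHINFO_UNAVAIL", "PAM_AUTH_ERR"
ACCT_EXPIRED, PERM_DENIED = "PAM_ACCT_EXPIRED", "PAM_PERM_DENIED"

# Keyword control flags as their bracket equivalents (see pam.conf(5)).
KEYWORDS = {
    "required":   "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "requisite":  "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
    "optional":   "[success=ok new_authtok_reqd=ok default=ignore]",
}

def parse_control(control: str) -> Dict[str, str]:
    """Keyword or '[rc=action ...]' -> {return_code: action}."""
    control = KEYWORDS.get(control, control)
    return dict(kv.split("=", 1) for kv in control.strip("[]").split())

def parse_system_auth(text: str, service: str) -> List[Tuple[str, str]]:
    """Extract the (control, module) lines of one service type from system-auth."""
    stack = []
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2 or parts[0] != service:
            continue                      # blank, comment, or another service type
        rest = parts[1]
        if rest.startswith("["):          # bracketed control contains spaces
            end = rest.index("]") + 1
            control, rest = rest[:end], rest[end:]
        else:
            control, rest = rest.split(None, 1)
        stack.append((control, rest.split()[0].rsplit("/", 1)[-1]))  # path -> module name
    return stack

def run_stack(stack: List[Tuple[str, str]], results: Dict[str, str]) -> str:
    """Walk one stack; return the status PAM hands back to su/sshd."""
    impression, status = None, None
    for control, module in stack:
        rc = results[module]
        actions = parse_control(control)
        # unlisted codes act as "bad" when the control gives no default
        action = actions.get(rc[len("PAM_"):].lower(), actions.get("default", "bad"))
        if action == "ignore":
            continue
        if action in ("ok", "done"):
            if impression != "bad":       # a recorded failure is never overwritten
                impression, status = "ok", rc
            if action == "done" and impression == "ok":
                return status             # sufficient ends the stack only if nothing failed yet
        else:                             # "bad" or "die"
            if impression != "bad":       # the first failure's code is kept
                impression, status = "bad", rc
            if action == "die":
                return status
    return status if status is not None else PERM_DENIED   # undecided stack fails closed

# The account stacks from the page: authconfig's RHEL3 output, the Tips fix, and RHEL4.
RHEL3_ORIGINAL = """
account     required      /lib/security/$ISA/pam_unix.so
account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so
"""
RHEL3_FIXED = RHEL3_ORIGINAL.replace("required", "sufficient")
RHEL4 = """
account     required      /lib/security/$ISA/pam_unix.so broken_shadow
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
account     required      /lib/security/$ISA/pam_permit.so
"""

# Constructed return codes per user kind (assumptions, not measurements): a local
# user has no LDAP entry; an LDAP-only user has no /etc/shadow entry, which the
# old pam_unix reports as an error unless broken_shadow is given; pam_succeed_if
# "uid < 100" fails for ordinary users.
LOCAL = {"pam_unix.so": SUCCESS, "pam_ldap.so": USER_UNKNOWN,
         "pam_succeed_if.so": AUTH_ERR, "pam_permit.so": SUCCESS}
LDAP_ONLY = {**LOCAL, "pam_unix.so": AUTHINFO_UNAVAIL, "pam_ldap.so": SUCCESS}
LDAP_EXPIRED = {**LDAP_ONLY, "pam_ldap.so": ACCT_EXPIRED}    # LDAP says the account expired
BOTH_EXPIRED = {**LOCAL, "pam_ldap.so": ACCT_EXPIRED}        # in /etc/passwd AND expired in LDAP
RHEL4_LDAP_ONLY = {**LDAP_ONLY, "pam_unix.so": SUCCESS}      # broken_shadow ignores the shadow error
RHEL4_LDAP_EXPIRED = {**RHEL4_LDAP_ONLY, "pam_ldap.so": ACCT_EXPIRED}

def account_result(config: str, user: Dict[str, str]) -> str:
    """Outcome of the 'account' phase of su/sshd for one user under one config."""
    return run_stack(parse_system_auth(config, "account"), user)

if __name__ == "__main__":
    for name, cfg in (("RHEL3 required", RHEL3_ORIGINAL), ("RHEL3 sufficient", RHEL3_FIXED)):
        for who, user in (("local", LOCAL), ("ldap-only", LDAP_ONLY), ("local+ldap-expired", BOTH_EXPIRED)):
            print(f"{name:17s} {who:19s} -> {account_result(cfg, user)}")
    print(f"RHEL4 ldap-only -> {account_result(RHEL4, RHEL4_LDAP_ONLY)}")
    print(f"RHEL4 ldap-expired -> {account_result(RHEL4, RHEL4_LDAP_EXPIRED)}")
```

Running it shows the two sides of the Tips fix: with "required", an LDAP-only user's su ends in PAM_AUTHINFO_UNAVAIL (reported by su as a bad password) even though pam_ldap.so succeeds, because a required failure is never overwritten; with "sufficient", the LDAP-only user passes, but a user who also exists in /etc/passwd ends the stack at pam_unix.so and is never checked against pam_ldap.so, so LDAP-side account restrictions such as expiry do not apply to that user. The RHEL4 stack keeps "required" and tells pam_unix.so to ignore the missing shadow entry (broken_shadow), so both the LDAP-only case and the expiry case come out as expected.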
That is all. Reboot your LDAP Client (SSH Server); if there is any boot issue, you may boot into Red Hat Linux Rescue Mode and try to fix the issue. If the issue persists, you may restore the original /etc/pam.d/system-auth, or run "authconfig" to generate the original.
# sync; sync; sync
# init 6
--- End of Doc ---