%EB%A5%BC%20%EC%8B%A4%ED%96%89%ED%95%98%EC%97%AC%20OpenSSH%2Fpam%2Fpam_ldapd%EA%B0%80%20%EA%B3%B5%EA%B0%9C%20%ED%82%A4%20%EC%9D%B8%EC%A6%9D%EC%9D%84%20%EC%82%AC%EC%9A%A9%ED%95%98%EB%8F%84%EB%A1%9D%20%EA%B0%95%EC%A0%9C%ED%95%A9%EB%8B%88%EB%8B%A4..png)
나는 pam_ldap 인증을 위해 libpam_ldapd를 사용합니다. 저는 slapo-nssov를 사용하고 있으며 pam 세션을 연 후 사용자의 ldap 항목에 추가되고 닫힐 때 제거되는 loginStatus 속성을 사용하고 싶습니다. SSH 비밀번호 인증에서만 작동합니다. 비밀번호 대신 공개 키를 사용할 때 pam에서 뭔가를 건너뛴 것 같습니다. pam_ldap(sshd:auth) nslcd authentication; user=userauth.log에 로그인이 없었고 nssov에는 세션 업데이트를 위한 사용자 및 해당 DN에 대한 정보가 없었습니다. 이는 아마도 loginStatus 속성이 사용자 LDAP 항목에 추가되지 않은 이유일 것입니다. 공개 키 인증을 사용할 때 pam이 sshd:auth를 수행하도록 강제할 수 있나요?
사용자 비밀번호를 통한 성공적인 SSH 연결:
Apr 8 10:41:57 host sshd[14511]: pam_ldap(sshd:auth): nslcd authentication; user=jindraj
Apr 8 10:41:57 host sshd[14511]: pam_ldap(sshd:auth): authentication succeeded
Apr 8 10:41:57 host sshd[14511]: pam_ldap(sshd:account): nslcd authorisation; user=jindraj
Apr 8 10:41:57 host sshd[14511]: pam_ldap(sshd:account): authorization succeeded
Apr 8 10:41:57 host sshd[14511]: Accepted password for jindraj from 10.255.0.5 port 60889 ssh2: RSA 5c:f6:86:ec:06:b6:4d:ed:e5:34:23:66:78:a0:16:2b
Apr 8 10:41:57 host sshd[14511]: pam_selinux(sshd:session): Open Session
Apr 8 10:41:57 host sshd[14511]: pam_unix(sshd:session): session opened for user jindraj by (uid=0)
Apr 8 10:41:57 host sshd[14511]: pam_ldap(sshd:session): nslcd session open; user=jindraj
Apr 8 10:41:57 host sshd[14511]: pam_ldap(sshd:session): session open succeeded; session_id=1428482517
Apr 8 10:41:57 host login[14524]: pam_ldap(login:account): nslcd authorisation; user=jindraj
Apr 8 10:41:57 host login[14524]: pam_ldap(login:account): authorization succeeded
Apr 8 10:41:57 host login[14524]: pam_unix(login:session): session opened for user jindraj by (uid=0)
Apr 8 10:41:57 host login[14524]: pam_ldap(login:session): nslcd session open; user=jindraj
Apr 8 10:41:57 host login[14524]: pam_ldap(login:session): error reading from nslcd: Connection reset by peer
Apr 8 10:41:57 host login[14524]: pam_ldap(login:session): nslcd session open; user=jindraj
Apr 8 10:41:57 host login[14524]: pam_ldap(login:session): error reading from nslcd: Connection reset by peer
비밀번호를 사용하여 ssh에 로그인할 때 slapd.log는 nssov_pam을 찾습니다.
Apr 8 14:33:00 sudo slapd[4004]: nssov_pam_authc(jindraj)
Apr 8 14:33:00 sudo slapd[4004]: nssov_pam_authz(cn=jakub jindra,ou=people,dc=socialbakers,dc=com)
Apr 8 14:33:00 sudo slapd[4004]: nssov_pam_sess_o(cn=jakub jindra,ou=people,dc=socialbakers,dc=com)
Apr 8 14:33:00 sudo slapd[4004]: nssov_pam_authz()
Apr 8 14:33:00 sudo slapd[4004]: nssov_pam_sess_o()
Apr 8 14:33:00 sudo slapd[4004]: nssov_pam_sess_o()
사용자 공개 키를 사용한 SSH 연결 성공
Apr 8 10:41:32 host sshd[14389]: pam_ldap(sshd:account): nslcd authorisation; user=jindraj
Apr 8 10:41:32 host sshd[14389]: pam_ldap(sshd:account): authorization succeeded
Apr 8 10:41:32 host sshd[14389]: Accepted publickey for jindraj from 10.255.0.5 port 60888 ssh2: RSA 5c:f6:86:ec:06:b6:4d:ed:e5:34:23:66:78:a0:16:2b
Apr 8 10:41:32 host sshd[14389]: pam_selinux(sshd:session): Open Session
Apr 8 10:41:32 host sshd[14389]: pam_unix(sshd:session): session opened for user jindraj by (uid=0)
Apr 8 10:41:32 host sshd[14389]: pam_ldap(sshd:session): nslcd session open; user=jindraj
Apr 8 10:41:32 host sshd[14389]: pam_ldap(sshd:session): error reading from nslcd: Connection reset by peer
Apr 8 10:41:32 host sshd[14389]: pam_ldap(sshd:session): nslcd session open; user=jindraj
Apr 8 10:41:32 host sshd[14389]: pam_ldap(sshd:session): error reading from nslcd: Connection reset by peer
Apr 8 10:41:32 host sshd[14389]: pam_selinux(sshd:session): Open Session
Apr 8 10:41:32 host sshd[14389]: pam_selinux(sshd:session): SELinux is not enabled
Apr 8 10:41:32 host login[14420]: pam_ldap(login:account): nslcd authorisation; user=jindraj
Apr 8 10:41:32 host login[14420]: pam_ldap(login:account): authorization succeeded
Apr 8 10:41:32 host login[14420]: pam_unix(login:session): session opened for user jindraj by (uid=0)
Apr 8 10:41:32 host login[14420]: pam_ldap(login:session): nslcd session open; user=jindraj
Apr 8 10:41:32 host login[14420]: pam_ldap(login:session): error reading from nslcd: Connection reset by peer
Apr 8 10:41:32 host login[14420]: pam_ldap(login:session): nslcd session open; user=jindraj
Apr 8 10:41:32 host login[14420]: pam_ldap(login:session): error reading from nslcd: Connection reset by peer
공개 키를 사용하여 ssh에 로그인할 때 slapd.log는 nssov_pam을 찾습니다.
Apr 8 14:32:54 sudo slapd[4004]: nssov_pam_authz()
Apr 8 14:32:54 sudo slapd[4004]: nssov_pam_sess_o()
Apr 8 14:32:54 sudo slapd[4004]: nssov_pam_sess_o()
Apr 8 14:32:54 sudo slapd[4004]: nssov_pam_authz()
Apr 8 14:32:54 sudo slapd[4004]: nssov_pam_sess_o()
Apr 8 14:32:54 sudo slapd[4004]: nssov_pam_sess_o()
이것은 내 auth-client-config 구성 파일입니다. 내 nsswitch 및 pam 구성이 어떻게 생겼는지에 대한 아이디어를 제공해야 합니다.
[ldap]
nss_passwd=passwd: files ldap
nss_group=group: files ldap
nss_shadow=shadow: files
nss_netgroup=netgroup: nis
nss_hosts=hosts: files cache dns
nss_services=services: files ldap
nss_sudoers=sudoers: files ldap
pam_auth=auth required pam_env.so
auth sufficient pam_unix.so likeauth nullok
auth sufficient pam_ldap.so minimum_uid=10000 use_first_pass debug
auth required pam_deny.so
pam_account=account sufficient pam_unix.so
account sufficient pam_ldap.so minimum_uid=10000 debug
account required pam_deny.so
pam_password=password sufficient pam_unix.so nullok md5 shadow use_authtok
password sufficient pam_ldap.so minimum_uid=10000 try_first_pass debug
password required pam_deny.so
pam_session=session required pam_limits.so
session required pam_unix.so
session sufficient pam_ldap.so use_authtok debug
session required pam_mkhomedir.so skel=/etc/skel umask=0022
내 환경:
- 우분투 14.04 LTS
- OpenSSH_6.6.1p1 Ubuntu-2ubuntu2, OpenSSL 1.0.1f 2014년 1월 6일
- libpam_ldapd 0.8.13-3
- libnss_ldapd 0.8.13-3
- nssov가 포함된 openldap 2.4.31