OpenSSH, PAM and Host Based Authentication



I'm having a few problems getting the above combination to work as

I'm trying to get to a situation where my machines will accept host
authentication from each other, but require users to log in with a
password from elsewhere. I've set up a PAM stack (using pam_ldap) that
works fine and set up hosts.equiv and ssh_known_hosts2. However, with both...
HostbasedAuthentication yes
usePam yes

I am unable to log in from the hosts listed in shosts.equiv. Doing an
ssh -v -v hostname I see:

debug2: we sent a hostbased packet, wait for reply
debug1: Remote: Accepted for myserver.mydomainl [] by \

But I still get prompted for a password, and even if I enter a correct
password I'm still not allowed access.

If I disable HostbasedAuthentication, password-based login works fine.
Likewise, if I set UsePAM no, host-based authentication works, but then my
LDAP users authenticate using a password from other machines.

I'm using OpenSSH 3.9p1 (from the sunfreeware package) on Solaris 9
SPARC with Sun's pam_ldap.

The non-default sections of my sshd_config follow:

Protocol 2
PermitRootLogin no
HostbasedAuthentication yes
PasswordAuthentication no
UsePAM yes
PrintMotd no
Banner /usr/local/etc/ssh_banner
Subsystem       sftp    /usr/local/libexec/sftp-server

Re: OpenSSH, PAM and Host Based Authentication

Check your PAM config, use the syslog, sshd -d, and logs and/or debugging
from your PAM modules to find out why PAM is disallowing the login.

  Richard Silverman

Re: OpenSSH, PAM and Host Based Authentication

I know why PAM is disallowing the login; sorry, I should have made that
clear in my post. pam_ldap authenticates the user by doing a bind
against the directory as the user, using the password supplied. If it
doesn't have the password (in the host-based login scenario) it can't
bind, and therefore doesn't authenticate.

My point is, why should host-based authentication care about the user's
password? If I turn PAM off in sshd_config then I can't log in as an
LDAP user interactively, but I can log in using host-based
authentication. Surely that is inconsistent, or am I missing a trick?

Re: OpenSSH, PAM and Host Based Authentication


It doesn't, but the PAM stacks other than auth (e.g. account, session)
that sshd still checks probably do. Try commenting them out of your
PAM config one at a time and see which it is.

Just because you're not authenticating via PAM doesn't mean PAM isn't
being used.

This problem also occurs with Kerberos-based logins.

Darren Tucker (dtucker at
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
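The diagnosis above, as an added example that is not part of the thread: a small Python script that parses a Solaris-style pam.conf and reports which modules in the stacks sshd always runs (account and session, regardless of how the user authenticated) can only succeed when PAM holds the user's password. The sample pam.conf, the module names in it and the assumption that pam_ldap.so.1 needs the user's password are all constructed for illustration; nothing here is the poster's actual configuration.

```python
"""Walk a Solaris-style pam.conf and show which PAM stacks sshd still runs
when the user was authenticated by something other than PAM (hostbased,
public key, GSSAPI).  Added example, not taken from the thread.

sshd with UsePAM yes calls pam_acct_mgmt() and pam_open_session() for
every login, and only runs the 'auth' stack when it is doing PAM password
or keyboard-interactive authentication.  A module that needs the user's
password in the account or session stack therefore breaks password-less
logins while password logins keep working.

Format follows pam.conf(4): service  type  control  module  [options],
with 'other' as the fallback service.  Constructed sample, not real data.
"""

from collections import defaultdict

# Constructed sample: pam_ldap copied into every stack for the sshd service.
PAM_CONF_BROKEN = """\
# service  type     control     module            options
sshd   auth     requisite   pam_authtok_get.so.1
sshd   auth     required    pam_dhkeys.so.1
sshd   auth     sufficient  pam_unix_auth.so.1
sshd   auth     required    pam_ldap.so.1
sshd   account  requisite   pam_roles.so.1
sshd   account  required    pam_unix_account.so.1
sshd   account  required    pam_ldap.so.1
sshd   session  required    pam_unix_session.so.1
other  auth     required    pam_unix_auth.so.1
other  account  required    pam_unix_account.so.1
other  session  required    pam_unix_session.so.1
"""

# Same configuration with pam_ldap confined to 'auth', where a password exists.
PAM_CONF_FIXED = "\n".join(
    line for line in PAM_CONF_BROKEN.splitlines()
    if not (line.startswith("sshd") and "account" in line and "pam_ldap" in line)
) + "\n"

# Assumption for this example: Sun's pam_ldap binds to the directory as the
# user, so it can only succeed when PAM has the user's password.
NEEDS_PASSWORD = {"pam_ldap.so.1"}

# Stacks sshd runs for every login, however the user authenticated.
STACKS_ALWAYS_RUN = ("account", "session")


def parse_pam_conf(text):
    """Return {service: {type: [(control, module, options)]}} from pam.conf text."""
    stacks = defaultdict(lambda: defaultdict(list))
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError("malformed pam.conf line: %r" % raw)
        service, mtype, control, module = fields[:4]
        stacks[service][mtype].append((control, module, fields[4:]))
    return stacks


def stack_for(stacks, service, mtype):
    """pam.conf semantics: a service with no entries of this type uses 'other'."""
    if mtype in stacks.get(service, {}):
        return stacks[service][mtype]
    return stacks.get("other", {}).get(mtype, [])


def password_dependent_modules(text, service="sshd"):
    """List (stack, module) pairs that will fail a password-less login.

    Only 'required' and 'requisite' entries count: a failing 'sufficient'
    or 'optional' module does not by itself fail the stack.  An empty list
    means hostbased/pubkey logins get through account and session management.
    """
    stacks = parse_pam_conf(text)
    hits = []
    for mtype in STACKS_ALWAYS_RUN:
        for control, module, _opts in stack_for(stacks, service, mtype):
            if module in NEEDS_PASSWORD and control in ("required", "requisite"):
                hits.append((mtype, module))
    return hits


if __name__ == "__main__":
    for label, conf in (("broken", PAM_CONF_BROKEN), ("fixed", PAM_CONF_FIXED)):
        print(label, password_dependent_modules(conf) or "ok")
```

Run against a real pam.conf, the script only tells you which stacks to look at first; it does not replace watching sshd -d and the PAM module's own debugging output, which show which call (pam_acct_mgmt or pam_open_session) actually returned the failure.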
