and pam



The short story is that we cannot seem to configure a Linux host using's version of ssh to use LDAP for PAM authentication.  We are
successful using OpenSSH.

If anyone has configured to use LDAP via PAM, we would
appreciate your contacting us.

The longer version of the problem is:

Problem configuring with PAM on SuSE.

We are trying to begin using OpenLDAP for our accounts and to that end
we have created an LDAP server and populated it with some account

On a standard SuSE 9.3 installation, we configured it to get its
account information from our LDAP server.  This configuration was done
via the YaST2 tool and was as standard as we could make it.

The OpenSSH server that comes with the distribution does successfully
authenticate users from the LDAP server.

For historical reasons, we have been using the last free version of
ssh from version

We have recompiled on this system, making sure that the PAM
libraries are enabled.  We then copied the /etc/pam.d/sshd file to

Here are the contents (with all the includes resolved):

  auth     required
  auth     required
  auth     required
  account  required
  password required  nullok
  password required    nullok use_first_pass
  session  required
  session  required

We configured the sshd2 to use keyboard-interactive with the
following options:

  AuthKbdInt.NumOptional          0
  AuthKbdInt.Optional             pam,password
  AuthKbdInt.Required             PAM
  AuthKbdInt.Retries              1

Forcing a connection to use keyboard-interactive, we get prompted for
PAM authentication, which always fails.

Looking at the debug info for the daemon we see the following before
the PAM authentication prompt occurs:

  Can't find "user"'s shadow - access denied.

At this point we have not seen any connection to the LDAP server.

A few lines later we see:

  auth-kbd-int: User 'user' does not exist, faking real transaction.

This corresponds well to the PAM authentication prompt.  There are
connections to the LDAP server at this time and it really appears to
be doing authentication, but the login is still refused.

We have also tried following the specific instructions at for
configuring this version to work with PAM.  Those instructions use the module with some options.  In particular:

  auth    required shadow nullok

Unfortunately, /lib/security/ is identical to
/lib/security/, and doesn't support the "shadow" option.

It appears to us as if the sshd2 can use PAM, but that it is
choosing not to during the early part of the authentication, when it
is looking for the user's shadow information.

Any suggestions on further things to try would be most welcome.  We are
neither PAM nor LDAP experts, though we have been cramming.  We
certainly tried more things than documented here, but this is already
too long.

Thanks in advance for any help.
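As an added diagnostic (not from the poster and not part of the ssh.com product), a POSIX shell check of whether NSS, which the quoted "Can't find shadow" and "does not exist" messages suggest sshd2 consults before PAM runs, is configured to see LDAP users; the nsswitch.conf parsing and the sample file are assumptions, and the shadow map can only be read as root.

```shell
#!/bin/sh
# Assumption: the sshd2 messages quoted above come from getpwnam()/getspnam()
# lookups done before PAM is invoked, so an LDAP user must be visible through
# NSS (nsswitch.conf "passwd:" and "shadow:" lines), not only through pam_ldap.

# Print the sources configured for one NSS database ($1, e.g. passwd or
# shadow) in the nsswitch.conf given as $2 (default /etc/nsswitch.conf).
nss_sources() {
  db=$1
  file=${2:-/etc/nsswitch.conf}
  sed -n "s/^[[:space:]]*$db:[[:space:]]*//p" "$file" | sed 's/#.*//'
}

# Succeed (exit 0) when the database lists ldap among its sources.
nss_has_ldap() {
  case " $(nss_sources "$1" "$2") " in
    *" ldap "*) return 0 ;;
    *)          return 1 ;;
  esac
}

# Resolve a user through the same maps sshd2 appears to consult.
# Returns 1 if the passwd map cannot see the user, 2 if (as root) the
# shadow map cannot, 0 if both resolve.
nss_user_visible() {
  getent passwd "$1" >/dev/null 2>&1 || return 1
  if [ "$(id -u)" -eq 0 ]; then
    getent shadow "$1" >/dev/null 2>&1 || return 2
  fi
  return 0
}

# Report both maps for a user; a shadow map without ldap matches the
# "Can't find shadow" symptom even when passwd resolves.
check_ldap_user() {
  for db in passwd shadow; do
    if nss_has_ldap "$db"; then
      echo "$db: ldap configured ($(nss_sources "$db"))"
    else
      echo "$db: ldap NOT configured ($(nss_sources "$db"))"
    fi
  done
  nss_user_visible "$1" && echo "$1: resolves via NSS" || echo "$1: NOT visible via NSS (rc=$?)"
}

[ -n "$1" ] && check_ldap_user "$1"
```

Run it as root with the failing account name; if the shadow line lacks ldap, PAM is never reached for that user.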

Re: and pam wrote:

My suggestion is to switch to OpenSSH, or pay money to for their
commercial version. What possible reason do you have for wasting your
valuable time with a discarded release when better, supported ones are
available as freeware or as commercial versions?

Re: and pam

Nico Kadel-Garcia wrote:

Hmm. That came out sounding snippy, and I'll apologize for that. But
seriously, why are you pursuing's no longer supported open source
