Ssh – error in auth.log but can login; LDAP/PAM

Tags: ldap, pam, ssh

I have a server running OpenLDAP. When I start an SSH session I can log in without problems, but an error appears in the logs. This only happens when I log in with an LDAP account (so not with a system account such as root). Any help to eliminate these errors would be much appreciated.

The relevant piece from /var/log/auth.log:

sshd[6235]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=example.com  user=peter
sshd[6235]: Accepted password for peter from 192.168.1.2 port 2441 ssh2
sshd[6235]: pam_unix(sshd:session): session opened for user peter by (uid=0)

pam common-session

session [default=1]                     pam_permit.so
session required                        pam_unix.so
session optional                        pam_ldap.so
session required                        pam_mkhomedir.so skel=/etc/skel umask=0022
session required                        pam_limits.so
session required                        pam_unix.so
session optional                        pam_ldap.so

pam common-auth

auth    [success=1 default=ignore]      pam_ldap.so
auth    required                        pam_unix.so nullok_secure use_first_pass
auth    required                        pam_permit.so
session required                        pam_mkhomedir.so skel=/etc/skel umask=0022 silent
auth    sufficient                      pam_unix.so nullok_secure use_first_pass
auth    requisite                       pam_succeed_if.so uid >= 1000 quiet
auth    sufficient                      pam_ldap.so use_first_pass
auth    required                        pam_deny.so

pam common-account

account [success=2 new_authtok_reqd=done default=ignore]        pam_ldap.so
account [success=1 default=ignore]      pam_unix.so
account required                        pam_unix.so
account sufficient                      pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore]            pam_ldap.so
account required                        pam_permit.so
account sufficient                      pam_ldap.so
account sufficient                      pam_unix.so

Best Answer

This error occurs because the pam_unix module is asked to check the password of an LDAP user, and of course fails. This failure is then ignored by your PAM config, but the module logs it anyway (and this can't be disabled).

However, your config looks quite strange to me. You are using each of pam_unix and pam_ldap twice, and I suggest you clean this up. If you use only their first occurrences, the error message should go away (because pam_unix will be skipped for successfully authenticated LDAP users). However, I'm not sure what you wanted to achieve with the double checks and the pam_succeed_if line, so please be sure you know what you are doing when you change this config.
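To make the answer's point concrete, here is an added example (not code from the question or the answer) that models the Linux-PAM control-flag rules in a few lines of Python and traces the posted common-auth stack: for an LDAP user the first pam_ldap line jumps over the first pam_unix, but the second pam_unix line (the "sufficient" one) still runs and logs its failure before the second pam_ldap line succeeds; with only the first occurrences kept, pam_unix is never invoked for that user. The per-module results (pam_ldap succeeds only for the LDAP user, pam_unix only for the local user, pam_succeed_if only for uid >= 1000) are constructed assumptions.

```python
# Added example (not from the question or answer): a simplified model of
# Linux-PAM control flags, tracing which modules the posted common-auth
# stack invokes. Module results below are constructed assumptions.

def run_auth_stack(stack, result_of):
    """stack: (type, control, module) lines; result_of: module -> True/False.
    Returns (stack_result, invoked), invoked being every module that ran,
    i.e. every module that gets a chance to log to auth.log."""
    lines = [(c, m) for t, c, m in stack if t == "auth"]  # other types: separate stacks
    invoked, i, required_failed = [], 0, False
    while i < len(lines):
        control, module = lines[i]
        ok = result_of[module]
        invoked.append(module)
        i += 1
        if control.startswith("["):
            # explicit syntax; only success=N and default=ignore|bad are modelled
            actions = dict(kv.split("=") for kv in control.strip("[]").split())
            if ok and actions.get("success", "ok").isdigit():
                i += int(actions["success"])      # jump over the next N lines
            elif not ok and actions.get("default") == "bad":
                required_failed = True
        elif control == "required" and not ok:
            required_failed = True                # keep going, final result is failure
        elif control == "requisite" and not ok:
            return False, invoked                 # stop immediately
        elif control == "sufficient" and ok and not required_failed:
            return True, invoked                  # short-circuit: later lines never run
        # optional lines and ignored failures fall through
    return not required_failed, invoked

# common-auth exactly as posted; the stray session line is kept but filtered out
POSTED = [
    ("auth", "[success=1 default=ignore]", "pam_ldap"),
    ("auth", "required", "pam_unix"),
    ("auth", "required", "pam_permit"),
    ("session", "required", "pam_mkhomedir"),
    ("auth", "sufficient", "pam_unix"),
    ("auth", "requisite", "pam_succeed_if"),
    ("auth", "sufficient", "pam_ldap"),
    ("auth", "required", "pam_deny"),
]
CLEANED = POSTED[:3]  # only the first occurrences, as the answer suggests

# assumed results: pam_ldap and pam_succeed_if (uid >= 1000) succeed only for
# the LDAP user, pam_unix only for the local (passwd/shadow) user
LDAP_USER = {"pam_ldap": True, "pam_unix": False, "pam_permit": True,
             "pam_succeed_if": True, "pam_deny": False}
LOCAL_USER = {"pam_ldap": False, "pam_unix": True, "pam_permit": True,
              "pam_succeed_if": False, "pam_deny": False}
```

Calling run_auth_stack(POSTED, LDAP_USER) returns (True, ['pam_ldap', 'pam_permit', 'pam_unix', 'pam_succeed_if', 'pam_ldap']), which is where the logged pam_unix failure comes from; run_auth_stack(CLEANED, LDAP_USER) returns (True, ['pam_ldap', 'pam_permit']).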