[Techtalk] Re: SSH authentication via PAM-MySQL

Wim De Smet kromagg at gmail.com
Wed Apr 4 12:28:15 UTC 2007


On 4/3/07, Aneesha Govil <popcorn09 at gmail.com> wrote:
> On 4/3/07, Wim De Smet <kromagg at gmail.com> wrote:
> > On 4/3/07, Aneesha Govil <popcorn09 at gmail.com> wrote:
> > > Missed the error message -
> > >
> > > On 4/3/07, Aneesha Govil <popcorn09 at gmail.com> wrote:
> > > >
> > > > Hi,
> > > >
> > > > At work I have a requirement wherein I want to authenticate SSH users
> > > > based on the usernames and passwords in a table in a MySQL database. I
> > > > am able to get it to use the passwords from the table but it is not
> > > > picking up the usernames. For example - if I add information as -
> > > > testuser / testpassword in the table and SSH as:
> > > >
> > > > ssh testuser@localhost
> > >
> > >
> > > In the logs I get the error - Invalid user testuser from 127.0.0.1
> >
> > Could you also enable MySQL query logging and look at the queries
> > you're getting? I believe this would help track the problem down.
>
> The queries are turned on and working fine. The invalid user error happens
> before the query fires at all. All the auth, account etc stuff happens after
> that error.

In that case I think the most likely culprit is sshd not using PAM.
There should be a line in the sshd_config (/etc/ssh/sshd_config on
Debian) that says:
UsePAM yes

My sshd_config also has the following slightly confusing section:
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# ...but breaks Pam auth via kbdint, so we have to turn it off
# Use PAM authentication via keyboard-interactive so PAM modules can
# properly interface with the user (off due to PrivSep)
#PAMAuthenticationViaKbdInt no

If your config has the same settings, probably best to disable
privilege separation and set PAMAuthenticationViaKbdInt to yes. This
might have some security implications, I'm not sure.

greets,
Wim
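
Added example, not part of the original message: a Python check that reads an sshd_config and reports the effective global values of the three directives discussed above, then flags the states that matter for PAM-MySQL logins and for privilege separation. It assumes sshd's first-occurrence-wins rule for repeated keywords and stops at the first Match block; the sample config and the function names are constructed for illustration.

```python
import re

# Directives discussed in the message above (lower-cased for comparison).
WATCHED = ("usepam", "useprivilegeseparation", "pamauthenticationviakbdint")

# Constructed sample mirroring the quoted config (not a real host's file).
SAMPLE = """\
# Privilege Separation is turned on for security
UsePrivilegeSeparation yes
#PAMAuthenticationViaKbdInt no
usepam = yes
UsePAM no
Match User testuser
    UsePAM no
"""

def effective(text):
    """Return {keyword: value or None} for global directives, first occurrence wins."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments set nothing
        # keyword and argument are separated by whitespace or a single '='
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()  # keywords are case-insensitive
        if key == "match":
            break  # assumption: only the global section is evaluated
        value = parts[1].strip() if len(parts) > 1 else ""
        seen.setdefault(key, value)  # later duplicates are ignored
    return {k: seen.get(k) for k in WATCHED}

def findings(text):
    """List the conditions worth a second look before changing the config."""
    cfg = effective(text)
    out = []
    if cfg["usepam"] != "yes":
        out.append("UsePAM is not 'yes': PAM modules (here PAM-MySQL) are not consulted")
    if cfg["useprivilegeseparation"] == "no":
        out.append("UsePrivilegeSeparation is 'no': pre-auth code runs with full privileges")
    if cfg["pamauthenticationviakbdint"] is None:
        out.append("PAMAuthenticationViaKbdInt is unset or commented out: built-in default applies")
    return out

if __name__ == "__main__":
    for name, value in effective(SAMPLE).items():
        print(f"{name}: {value if value is not None else '(unset)'}")
    for item in findings(SAMPLE):
        print("finding:", item)
```

To check a live host, pass the contents of /etc/ssh/sshd_config to `findings()` instead of `SAMPLE`.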

