Hi
I have created an EC2 instance and have installed OpenLDAP and set up OpenLDAP to use OpenSSH. However, I cannot SSH from a remote PC to the OpenLDAP server; I just get "invalid user", although the username is the same as the one I have specified in OpenLDAP.
What am I doing wrong?
Thanks
On 05/14/13 11:19 +0100, Stuart Watson wrote:
Hi
I have created an EC2 instance and have installed OpenLDAP and set up OpenLDAP to use OpenSSH. However, I cannot SSH from a remote PC to the OpenLDAP server; I just get "invalid user", although the username is the same as the one I have specified in OpenLDAP.
Assuming this is a Linux system, use the following to troubleshoot:
getent passwd <user> (verifies your nss ldap plugin)
pamtester (verifies your pam module)
ldapsearch (basic data verification)
See Chapter 21.3 of the OpenLDAP Admin Guide for documentation on how to capture logging information on the server.
Find documentation and a mailing list for the nss and pam modules you are using, as that is the most common misconfiguration in my experience.
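As an added example (not from the thread), the script below runs the three checks in the order Dan gives and reports the first layer that fails, so that "invalid user" can be pinned to NSS, to the directory data, or to PAM. LDAP_URI, LDAP_BASE and the anonymous simple bind used by ldapsearch are assumptions.

```shell
#!/bin/sh
# Layered check for an LDAP-backed SSH login: NSS (getent) -> directory data
# (ldapsearch) -> PAM (pamtester). Added example, not from the thread.
# LDAP_URI/LDAP_BASE are placeholders; the ldapsearch assumes anonymous read.
LDAP_URI="${LDAP_URI:-ldap://localhost}"
LDAP_BASE="${LDAP_BASE:-dc=example,dc=com}"

# valid_name NAME: accept only characters that cannot alter an LDAP filter.
valid_name() {
    case "$1" in ""|*[!A-Za-z0-9._-]*) return 1 ;; esac
    return 0
}

# passwd_entry_ok LINE: succeed only if LINE is a usable passwd(5) record:
# 7 colon-separated fields, numeric uid/gid, non-empty home and shell.
# sshd answers "Invalid user" precisely when no such record resolves.
passwd_entry_ok() {
    printf '%s\n' "$1" | awk -F: '
        NF != 7 { exit 1 }
        $3 !~ /^[0-9]+$/ || $4 !~ /^[0-9]+$/ { exit 1 }
        $6 == "" || $7 == "" { exit 1 }
        { exit 0 }'
}
# diagnose_user NAME: print the first layer that fails; 0 only if all pass.
diagnose_user() {
    user="$1"
    valid_name "$user" || { echo "refusing unsafe username"; return 3; }
    entry=$(getent passwd "$user")
    if ! passwd_entry_ok "$entry"; then
        echo "NSS: 'getent passwd $user' gave nothing usable -> sshd says Invalid user"
        # Tell a missing entry apart from an NSS module that is not reading it.
        if ldapsearch -x -H "$LDAP_URI" -b "$LDAP_BASE" -LLL \
               "(&(objectClass=posixAccount)(uid=$user))" uid | grep -q '^uid:'; then
            echo "LDAP: posixAccount for $user exists; check nsswitch.conf/nslcd"
        else
            echo "LDAP: no posixAccount with uid=$user under $LDAP_BASE"
        fi
        return 1
    fi
    echo "NSS: ok -> $entry"
    # PAM only matters when sshd does password/PAM auth (UsePAM yes).
    if command -v pamtester >/dev/null 2>&1; then
        pamtester sshd "$user" authenticate || { echo "PAM: sshd auth failed"; return 2; }
        echo "PAM: ok"
    fi
    return 0
}
if [ $# -eq 1 ]; then diagnose_user "$1"; fi
```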
Yes, it's an Ubuntu 12.04 system... This is the walkthrough I have been following.
http://tuxotaku.com/bitbucket/2011/12/20/setting-up-passwordless-ssh-login-and-key-management-using-l.html
I get as far as the end of this, and try to SSH to the box, and I get invalid user in the SSH logs...
On 05/14/13 15:00 +0100, Stuart Watson wrote:
Yes, it's an Ubuntu 12.04 system... This is the walkthrough I have been following.
http://tuxotaku.com/bitbucket/2011/12/20/setting-up-passwordless-ssh-login-and-key-management-using-l.html
I get as far as the end of this, and try to SSH to the box, and I get invalid user in the SSH logs...
That tutorial seems to assume that you have added your users with standard adduser/useradd utilities.
Try adding your user, and verifying with 'getent passwd <user>', before troubleshooting ldap or ssh.
Sorry, I'm confused...
I've been asked to set up an LDAP server so that our developers can SSH from their computers to remote systems, through the LDAP server, giving us the ability to control who can SSH...
I've spent the last few days trawling through the documentation, and get as far as having the LDAP server set up, but can't seem to get any further.
Do I need to add local accounts to the LDAP server?
What we were trying to achieve was
User > LDAP Server > Remote Server
with the Remote server pointing at the ldap server for authentication, thus stopping us from creating local accounts and from adding ssh keys to the Remote Servers.
On 05/14/13 15:28 +0100, Stuart Watson wrote:
Sorry, I'm confused...
I've been asked to set up an LDAP server so that our developers can SSH from their computers to remote systems, through the LDAP server, giving us the ability to control who can SSH...
"Through the LDAP server" is a misnomer, and may be leading to some confusion.
You are simply using OpenLDAP as a database here, like MySQL, and nothing more. You're storing your keys within that database. You're not storing your system users in that database apparently, due to the error message you're seeing.
When ssh'ing to the server, key authentication may be succeeding (increase ssh client verbosity to verify). I don't know the details of the patch you've applied, but I assume that it does not take the place of a getpwent system call, and hence you will need to configure a system user (so that ssh knows where the user's home directory is, for instance).
I've spent the last few days trawling through the documentation, and get as far as having the LDAP server set up, but can't seem to get any further.
Do I need to add local accounts to the LDAP server?
Yes. That's the simplest way forward. You can disable the user's password if you don't want password authentication to succeed (or disable pam auth in sshd_config).
An alternative is that you can configure an nss ldap plugin to interpret your LDAP data as system users, but that's an independent concept from how you store your ssh keys.
What we were trying to achieve was
User > LDAP Server > Remote Server
with the Remote server pointing at the ldap server for authentication, thus stopping us from creating local accounts and from adding ssh keys to the Remote Servers.
You can't get away from creating local accounts with ssh (barring some trick your patch is performing). You can "trick" ssh into using accounts stored within your ldap tree by using an nss module.
As I've stated before, you need 'getent passwd <user>' to work, or you're going to continue to bang your head against the wall.
Is there a preferred way of managing SSH keys across multiple servers, for multiple users? Am I barking up the wrong tree with OpenLDAP?
On 05/14/13 16:42 +0100, Stuart Watson wrote:
Is there a preferred way of managing SSH keys across multiple servers, for multiple users? Am I barking up the wrong tree with OpenLDAP?
That's an OpenSSH question, not an OpenLDAP question. How well the solution you're using works depends on the quality of the patch you're using.
I believe OpenSSH has integrated a way to retrieve keys from an LDAP directory without having to apply a patch, but you'll need to consult their documentation.
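The mechanism Dan refers to is sshd's AuthorizedKeysCommand (OpenSSH 6.2 and later, so newer than the sshd shipped with Ubuntu 12.04). As an added example, not from the thread or the tutorial, here is a helper that fetches keys from the openssh-lpk style sshPublicKey attribute (an assumed schema; LDAP_URI and LDAP_BASE are placeholders) and handles the LDIF line folding and base64 values that a plain grep/cut helper corrupts. sshd only runs it after the account has resolved through NSS, so 'getent passwd <user>' still has to work.

```shell
#!/bin/sh
# AuthorizedKeysCommand helper: print the sshPublicKey values on the user's
# LDAP entry, one key per line on stdout, which is what sshd consumes.
# Added example, not from the thread or the tutorial. Assumes the openssh-lpk
# style schema (objectClass ldapPublicKey, attribute sshPublicKey), an
# anonymous-readable directory, and placeholder LDAP_URI/LDAP_BASE.
# sshd_config (OpenSSH 6.2+; newer than the sshd in Ubuntu 12.04):
#   AuthorizedKeysCommand /usr/local/sbin/ldap-keys.sh
#   AuthorizedKeysCommandUser nobody
# sshd runs this only after getpwnam() has resolved the user, so NSS
# ('getent passwd <user>') must still work: keys do not replace the account.
LDAP_URI="${LDAP_URI:-ldap://localhost}"
LDAP_BASE="${LDAP_BASE:-dc=example,dc=com}"

# ldif_ssh_keys: read LDIF on stdin, emit each sshPublicKey value.
# Handles folded continuation lines (leading space) and base64 values ("::"),
# both of which ldapsearch emits for long or non-printable values and which
# a plain grep/cut helper silently corrupts.
ldif_ssh_keys() {
    # Unfold: append lines starting with a space to the previous line.
    awk '/^ / { printf "%s", substr($0, 2); next }
         NR > 1 { printf "\n" }
         { printf "%s", $0 }
         END { printf "\n" }' |
    while IFS= read -r line; do
        case "$line" in
            "sshPublicKey:: "*) printf '%s' "${line#sshPublicKey:: }" | base64 -d; echo ;;
            "sshPublicKey: "*)  printf '%s\n' "${line#sshPublicKey: }" ;;
        esac
    done
}

# fetch_keys NAME: sshd passes the username as the single argument.
fetch_keys() {
    user="$1"
    # Refuse anything that could alter the LDAP filter (filter injection).
    case "$user" in ""|*[!A-Za-z0-9._-]*) return 1 ;; esac
    ldapsearch -x -H "$LDAP_URI" -b "$LDAP_BASE" -LLL \
        "(&(objectClass=ldapPublicKey)(uid=$user))" sshPublicKey | ldif_ssh_keys
}

if [ $# -eq 1 ]; then fetch_keys "$1"; fi
```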
openldap-technical@openldap.org