Reputation: 465
I'm trying to configure my system to allow me to login (ssh) to a local account on a host (Ubuntu 16.04) with public key authentication, even if/when the LDAP server is down.
This is a cloud image, so the user I need locally is ubuntu. This user doesn't have a password (and I don't want to set one for security). Only public key auth should be allowed on this user.
This user has UID 1001 and all my LDAP users have UID numbers >= 2000.
I've been trying stuff all day (such as pam_succeed_if.so and pam_localuser).
Now getent passwd ubuntu works fine and returns the local passwd line. But ssh refuses like so:

```
Sep 6 17:27:43 ip-10-99-0-241 sshd[24895]: nss_ldap: could not connect to any LDAP server as (null) - Can't contact LDAP server
Sep 6 17:27:43 ip-10-99-0-241 sshd[24895]: nss_ldap: failed to bind to LDAP server ldaps://ldap.domain.tld: Can't contact LDAP server
Sep 6 17:27:43 ip-10-99-0-241 sshd[24895]: nss_ldap: reconnecting to LDAP server...
```
And then eventually it fails with Authentication failed.
/etc/nsswitch.conf

```
passwd: compat [success=return] ldap
group: compat [success=return] ldap
shadow: compat [success=return] ldap
```
/etc/pam.d/common-account

```
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
# NOTE: These two won't work - fatal: Access denied for user <ldap user> by PAM account configuration [preauth]
#account sufficient pam_localuser.so
#account sufficient pam_succeed_if.so uid <= 500 quiet
account [success=1 default=bad success=ok user_unknown=ignore] pam_ldap.so
account requisite pam_deny.so
account required pam_permit.so
account required pam_krb5.so minimum_uid=2000
```
/etc/pam.d/common-auth

```
auth [success=3 default=ignore] pam_krb5.so minimum_uid=2000 ignore_root
auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass
auth [success=1 default=ignore] pam_ldap.so use_first_pass ignore_unknown_user ignore_authinfo_unavail
# NOTE: Can't login with this (changed the success above)!
#auth requisite pam_succeed_if.so uid >= 500 quiet
auth requisite pam_deny.so
auth required pam_permit.so
```
/etc/ldap.conf

```
bind_timelimit 10
pam_min_uid 2000
nss_initgroups_ignoreusers ubuntu,local
nss_reconnect_tries 2
nss_reconnect_sleeptime 1
nss_reconnect_maxsleeptime 8
nss_reconnect_maxconntries 2
```
(I tried using the pre and code blocks, but SOF refused to let me post then, so sorry if this looks horrible - if anyone with admin rights can go in and fix, please do.)
Upvotes: 0
Views: 1238
Reputation: 465
Rereading the man page for nsswitch.conf gave me this:

`return`

The key words here are this part: the configuration file does not contain the initgroups line, the next lookup function is always called.

As in, if I added the line

```
initgroups: files
```

I can now login to the ubuntu user, even when the LDAP server is down!
Upvotes: 0
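The answer's fix can be checked without a live LDAP server by reading nsswitch.conf the way glibc does: a database with no line of its own (initgroups) inherits the group line, so a local user's supplementary-group lookup still goes to ldap unless initgroups is listed explicitly. The script below is an added example, not code from the question or answer; the two configs it audits are constructed from the ones posted above, and the set of "network-backed" sources is an assumption for illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input: the nsswitch.conf from the question, before and
# after the answer's fix. Not read from any real host.
NSSWITCH_BEFORE = """\
# /etc/nsswitch.conf (constructed for this example)
passwd: compat [success=return] ldap
group:  compat [success=return] ldap
shadow: compat [success=return] ldap
"""
NSSWITCH_AFTER = NSSWITCH_BEFORE + "initgroups: files\n"

# Sources that need a network service to answer (assumption: illustrative list)
REMOTE_SOURCES = {"ldap", "sss", "nis", "winbind"}

ACTION_RE = re.compile(r"\[[^\]]*\]")  # action specifiers such as [success=return]


def parse_nsswitch(text: str) -> Dict[str, List[str]]:
    """Map each database name to its ordered list of sources.
    Action specifiers are stripped and comments/blank lines ignored."""
    databases: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        name, _, rest = line.partition(":")
        databases[name.strip()] = ACTION_RE.sub(" ", rest).split()
    return databases


def effective_initgroups(cfg: Dict[str, List[str]]) -> Tuple[List[str], bool]:
    """Return (sources used for initgroups, whether an explicit line exists).
    Without an initgroups line glibc falls back to the group line."""
    if "initgroups" in cfg:
        return cfg["initgroups"], True
    return cfg.get("group", []), False


def audit_nsswitch(text: str) -> List[str]:
    """List the lookups a local user's login would still send to a network
    directory. An empty list means local logins do not depend on it."""
    cfg = parse_nsswitch(text)
    findings: List[str] = []

    srcs, explicit = effective_initgroups(cfg)
    remote = [s for s in srcs if s in REMOTE_SOURCES]
    if not explicit and remote:
        findings.append(
            "initgroups: no explicit line, so supplementary-group lookups "
            f"inherit the group line and still consult {', '.join(remote)} "
            "for local users; add 'initgroups: files' to keep them local"
        )

    # Also flag a directory source placed ahead of the local files/compat source.
    for db in ("passwd", "group", "shadow"):
        order = cfg.get(db, [])
        if order and order[0] in REMOTE_SOURCES:
            findings.append(f"{db}: network source '{order[0]}' is queried before local files")
    return findings


if __name__ == "__main__":
    for label, text in (("before", NSSWITCH_BEFORE), ("after", NSSWITCH_AFTER)):
        print(f"== {label} ==")
        for finding in audit_nsswitch(text) or ["ok: local users resolve without the directory"]:
            print("  " + finding)
```

Point it at a real file with `audit_nsswitch(open("/etc/nsswitch.conf").read())`; the "before" config reports the missing initgroups line, the "after" config reports nothing, which matches what the answer observed once `initgroups: files` was added.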