Error in ssh command in Linux Fedora!

Douglas E. Engert deengert at anl.gov
Sat Dec 1 17:07:50 EST 2007



Jyotishmaan Ray wrote:
> Hi All Kerberos Experts,
> 
> This is Jyotishmaan.  I have migrated users to LDAP server in Linux
> platform. When I tested for ssh logon, for a test user- "ldapusr",
> I got the following error as shown below:-
> 
> [root at authdns compcen]# ssh authdns.nits.ac.in -l ldapusr
> ldapusr at authdns.nits.ac.in's password: 
> Permission denied, please try again.
> ldapusr at authdns.nits.ac.in's password: 
> Permission denied, please try again.
> ldapusr at authdns.nits.ac.in's password: 
> Permission denied (publickey,gssapi-with-mic,password).
> [root at authdns compcen]# 
> 
> Please let me know if I need to install KERBEROS or Heimdal libraries
> for allowing me to log on to the system, to be authenticated by the
> LDAP server.

There is a difference between authentication and authorization.

You said you wanted to use LDAP for authentication (and authorization).
You can use Kerberos for authentication and LDAP for authorization.
LDAP authentication uses the userPassword attribute. Kerberos does not
use it as a password.

But even with Kerberos for authentication and LDAP for authorization
the userPassword will be tested to see if it is locked: *LK*, and root
on the server must be able to access the userPassword attribute in LDAP.


If you want to get responses from the list, you need to give more information.

On the server:
    sshd -p 2222 -ddd

Then on the client:
    ssh -p 2222 -l ldapusr authdns.nits.ac.in

Send the output of these two traces,
the /etc/pam/pam.conf, or the /etc/pam.d/ssh*
the /etc/nsswitch.conf
the sshd_config
the ssh_config on the client.

And are you sure root can read the userPassword attribute in ldap?


> 
> Kindly throw light on this issue, as I am not able to do!!
> 
> Regards,
> Jyotishmaan

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
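
Added example, not part of the original message: a small Python reader for two of the files requested above (nsswitch.conf and the sshd PAM file) that shows which modules verify the password and which sources supply account data. The sample file contents are constructed, and treating PAM's `auth` group as authentication and the `account` group plus NSS `passwd` lookups as authorization is this example's reading of the distinction drawn in the reply.

```python
import re

# Constructed sample files (not taken from the original post).
NSSWITCH = """\
# /etc/nsswitch.conf (constructed sample)
passwd:     files ldap
shadow:     files
group:      files ldap [NOTFOUND=return]
"""

PAM_SSHD = """\
# /etc/pam.d/sshd (constructed sample)
auth       sufficient   pam_krb5.so
auth       required     pam_unix.so try_first_pass
account    [default=bad success=ok user_unknown=ignore] pam_ldap.so
account    required     pam_unix.so
"""

# type, control (plain word or [bracketed list]), module path
PAM_LINE = re.compile(r"^-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def nss_sources(text, database):
    """Return the lookup sources nsswitch.conf lists for one database."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith(database + ":"):
            rest = line.split(":", 1)[1]
            # Drop action items such as [NOTFOUND=return]
            return re.sub(r"\[[^\]]*\]", " ", rest).split()
    return []

def pam_modules(text, mod_type):
    """Return module names, in stack order, for one PAM management group."""
    mods = []
    for line in text.splitlines():
        m = PAM_LINE.match(line.split("#", 1)[0].strip())
        if m and m.group(1) == mod_type:
            mods.append(m.group(3).rsplit("/", 1)[-1])
    return mods

def summarize(nss_text, pam_text):
    """Separate who verifies the password from who supplies account data."""
    return {
        "authentication": pam_modules(pam_text, "auth"),
        "authorization": pam_modules(pam_text, "account"),
        "account_lookup": nss_sources(nss_text, "passwd"),
        "shadow_lookup": nss_sources(nss_text, "shadow"),
    }
```

With the constructed samples, Kerberos and local files handle the password check while LDAP appears only in the account stack and in `passwd` lookups, which is the Kerberos-for-authentication, LDAP-for-authorization split described in the reply.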
