Solaris 9 LDAP client sun_ssh public key authentication

Similar Messages

• Configuration of Public Key Authentication Policy for SFTP on OAG 11.1.2.2

  Hi
  I'm working on the configuration of an SFTP server over OAG, using both password and public key authentication.
  This particular listener need 3 policies:
  - Password Authentication
  - Public Key Authentication
  - File upload
  Both File upload and password auth are working OK, but I've been having a hard time with the PK policy. This policy uses the attribute ${authentication.subject.public.key} to store the PK info, which I confirmed is being sent to the gateway (as modulus + public exponent), however I can not find a way to verify the key received with the ones on the Key Pairs store.
  OAG Version is 11.1.2.2
  Any comments?

  Hi a82383ca-36ac-49d5-aa6e-c3307f7e56e1,
  It would probably help if you place this question under the community for product you have questions about. I will see if I can help you move it to the proper one by asking around.
  Best regards,
  VictorI

• Solaris 7 ldap client

  Hello,
  Does anyone have advise for a solaris 7 ldap client? Is openldap/nss_ldap pretty much the standard? After comile & installation, editing /etc/nsswitch.conf & ldap.conf, what else needs to be done?
  thanks

  It is advisable to upgrade to Solaris8 + lastest Kernel and LDAPv2 patches, uninstall OpenLDAP Client Libraries and just use the SUN supported Solaris Native LDAP Client Libraries.
  Assuming "idsconfig" has been run at the DS5.2 server end, to create the profiles and agent data, after that "ldapclient" should be run also at all ldap clients, it will setup /etc/nsswitch.conf, however you may need to adjust the "hosts: files ldap" to "hosts: files dns".
  If you intend to use pam_ldap, lookup docs.sun.com for a recommended /etc/pam.conf
  You may follow http://web.singnet.com.sg/~garyttt/
  Gary

• Has anyone set up a Solaris 7 LDAP client to use with iPlanet DS 5.0?  I have only found docs for compiling OpenLDAP and have had NO LUCK with it. I can't get an LDAP client to run.

  I am trying Not to have 3 separate versions of LDAP in my environment (iDS5,Native Solaris LDAP,OpenLDAP). Can anyone point me to some DETAILED instructions to get an LDAP client (not server) running on Solaris 7?

  Hi,
  While U try to upgrade solaris it first tries to check the installed softtware & application and patch's specific to the exsisting version b'coz these patch are specific to version in most cases.Since in Ur case the authentication is done in ldap it would become bit of a mess if U upgrade.

• Solaris 10 - ldap client - tls/ssl - password change

  we have configured solaris 10 as a ldap client to sun directory server 6.3.1, on enabling tls:simple, password change operation is just failing with following error message.
  passwd -r user1
  passwd: Changing password for user1
  passwd: Sorry, wrong passwd
  Permission denied
  where user1 is just in ldap and not in unix local. this function works if the authentication mechanism is just simple, but on enabling tls:simple, we get the error message.
  any ideas will be highly appreciated.

  Not that it helps any but I am getting his same error. I am also using 6.3.1

• Solaris 10 LDAP Client: libsldap: Status: 4

  Hi everybody.
  I changed the configuration in Solaris 10 to restrict the LDAP users who can login to the system.
  What I have done is changed the value:
  NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=people,dc=sis,dc=personal,dc=net,dc=py?sub?host=<hostname>
  Where <hostname> is the respective hostname.
  After that, everything works as I expect, but I get a lot of these messages:
  sshd[28495] libsldap: Status: 4 Mesg: Service search descriptor for service 'passwd' contains filter, which can not be used for service 'user_attr'.
  Should I ignore the messages? This is the nsswitch.conf file:
  /etc/nsswitch.conf
  # Copyright 2006 Sun Microsystems, Inc. All rights reserved.
  # Use is subject to license terms.
  # ident "@(#)nsswitch.files 1.14 06/05/03 SMI"
  # /etc/nsswitch.files:
  # An example file that could be copied over to /etc/nsswitch.conf; it
  # does not use any naming service.
  # "hosts:" and "services:" in this file are used only if the
  # /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.
  passwd: files ldap
  group: files ldap
  hosts: cluster files dns
  ipnodes: files dns
  networks: files
  protocols: files
  rpc: files
  ethers: files
  netmasks: cluster files
  bootparams: files
  publickey: files
  netgroup: files
  automount: files
  aliases: files
  services: files
  printers: user files
  auth_attr: files
  prof_attr: files
  project: files
  tnrhtp: files
  tnrhdb: files
  user_attr: files
  I added user_attr to nsswitch.conf pointing to files only, refreshed ssh, but the message still appears.
  Any suggestions?

  What would I do without google?
  http://prefetch.net/blog/index.php/2005/01/
  I setup several Solaris systems to authenticate via LDAP last year, and periodically get the following error message in /var/adm/messages:
  Dec 21 08:44:17 sparky nscd[1174]: [ID 293258 user.error] libsldap: Status: 4 Mesg: Service search
  descriptor for service �passwd� contains filter, which can not be used for service �user_attr�.
  We use SSDs (service search descriptors) to tailor the search string that is sent to the directory server. This allows us to tailor who can and cannot login to our Solaris systems. After doing some digging, it looks like the following search descriptors are required to make libsldap.so happy:
  NS_LDAP_SERVICE_SEARCH_DESC= user_attr:ou=people,dc=daemons,dc=net?one?&(acctActive=yes)
  NS_LDAP_SERVICE_SEARCH_DESC= audit_user:ou=people,dc=daemons,dc=net?one?&(acctACtive=yes)
  Since we use sudo instead of RBAC, I am still researching why the secure LDAP client queries the directory server for the user_attr information. Hopefully I can find an answer in RFC 2307 ( An approach to using LDAP as a network information service), or the documentation on docs.sun.com.

• Solaris 7 ldap client setup

  Hi,
  Please any one can help me in setting ldap client for solaris 7 guidelines or any website or docs help.
  Thanking you,
  Naren

  hi mukherjee,
  you can configure both solaris 8 and 9 as ldapclient to sunone 5.2 installed on solaris 9 box. make sure i think you cannot configure client on same maching on which directory server is installed.
  No my question is how to setup ldapclient on solaris 6 andsolaris 7. as both does not support ldap. like solaris 7 has no nsswitch.ldap. can you provide me details to configure solaris7 as ldap client
  PATEL

• Has anyone set up a Solaris 8 LDAP client to use with iPlanet DS 5.0?  I have only found docs for compiling OpenLDAP and have had NO LUCK with it. I can't get an LDAP client to run.

  help with client
  error on ldap_client_file
  ldap_client_cred

  Hi,
  Yes it can be done provided U've given proper information during configuring.The sun machine which is to be used as a client should be installed as a ldap client "at the time of installation ldap client option should be chosen.

• Solaris 10 Ldap Client user authentication against edirectory

  Hello,
  We have moved some of our oracle databases from linux to solaris 10 u7, I need to setup secure ldap authentication for the users against a linux based eDirectory server. Can some one point me in the right direction of good documentation or a good explaination on what i need and how to go about this.
  I have spent the last couple of days reading about pam, nsswitch.ldap nsswitch.conf and certificates now I need to pull all this information into a usable format.
  Thanks
  ukgreenman

  I have a similar question.
  Did you have a solution ?
  thanks

• Solaris 10 LDAP Client to 389 DS(Linux)

  Hey guys,
  I had this working in Solaris 11 but I have to port back to Solaris 10 to run SunOS 4 binaries. Here goes, I can su over to the accounts in the LDAP, it resolves names and groups to files. DNS and NTP are functioning. I cannot log -in via ssh or su <username>. I can log in or su with both methods with local accounts(non-LDAP).
  When I - su Username the system responds prompting for password then returns su: Uknown id: Username
  When I ssh [email protected] it prompts me three times for a password which it never accepts as valid.
  Here is my pam.conf file -
  #ident "@(#)pam.conf 1.31 07/12/07 SMI"
  # Copyright 2007 Sun Microsystems, Inc. All rights reserved.
  # Use is subject to license terms.
  # PAM configuration
  # Unless explicitly defined, all services use the modules
  # defined in the "other" section.
  # Modules are defined with relative pathnames, i.e., they are
  # relative to /usr/lib/security/$ISA. Absolute path names, as
  # present in this file in previous releases are still acceptable.
  # Authentication management
  # login service (explicit because of pam_dial_auth)
  login auth requisite pam_authtok_get.so.1
  login auth required pam_dhkeys.so.1
  login auth required pam_unix_cred.so.1
  login auth sufficient pam_unix_auth.so.1
  login auth required pam_dial_auth.so.1
  login   auth required           pam_ldap.so.1
  # rlogin service (explicit because of pam_rhost_auth)
  rlogin auth sufficient pam_rhosts_auth.so.1
  rlogin auth requisite pam_authtok_get.so.1
  rlogin auth required pam_dhkeys.so.1
  rlogin auth required pam_unix_cred.so.1
  rlogin auth required pam_unix_auth.so.1
  # Kerberized rlogin service
  krlogin auth required pam_unix_cred.so.1
  krlogin auth required pam_krb5.so.1
  # rsh service (explicit because of pam_rhost_auth,
  # and pam_unix_auth for meaningful pam_setcred)
  rsh auth sufficient pam_rhosts_auth.so.1
  rsh auth required pam_unix_cred.so.1
  # Kerberized rsh service
  krsh auth required pam_unix_cred.so.1
  krsh auth required pam_krb5.so.1
  # Kerberized telnet service
  ktelnet auth required pam_unix_cred.so.1
  ktelnet auth required pam_krb5.so.1
  # PPP service (explicit because of pam_dial_auth)
  ppp auth requisite pam_authtok_get.so.1
  ppp auth required pam_dhkeys.so.1
  ppp auth required pam_unix_cred.so.1
  ppp auth required pam_unix_auth.so.1
  ppp auth required pam_dial_auth.so.1
  # Default definitions for Authentication management
  # Used when service name is not explicitly mentioned for authentication
  other auth requisite pam_authtok_get.so.1
  other auth required pam_dhkeys.so.1
  other auth required pam_unix_cred.so.1
  other auth sufficient pam_unix_auth.so.1
  other   auth required           pam_ldap.so.1
  # passwd command (explicit because of a different authentication module)
  passwd auth sufficient pam_passwd_auth.so.1
  passwd  auth required           pam_ldap.so.1
  # cron service (explicit because of non-usage of pam_roles.so.1)
  cron account required pam_unix_account.so.1
  # Default definition for Account management
  # Used when service name is not explicitly mentioned for account management
  other   account sufficient      pam_ldap.so.1
  other account requisite pam_roles.so.1
  other account required pam_unix_account.so.1
  # Default definition for Session management
  # Used when service name is not explicitly mentioned for session management
  other session required pam_unix_session.so.1
  # Default definition for Password management
  # Used when service name is not explicitly mentioned for password management
  other password required pam_dhkeys.so.1
  other password requisite pam_authtok_get.so.1
  other password requisite pam_authtok_check.so.1
  other password required pam_authtok_store.so.1
  # Support for Kerberos V5 authentication and example configurations can
  # be found in the pam_krb5(5) man page under the "EXAMPLES" section.
  Any ideas? So close but missing something as when I go to log in via ssh it prompts me for password 3 times then tosses me. Yes password and account are OK. If I ssh from a Linux server authenticating to the LDAP it works just fine. Any help is appreciated.
  Thanks,
  Ted

  CN,
  I have not modified the schema yet. I have updated pam.conf and while evaluating /var/adm/messages on the Solaris Client I only get output when I enter a known bad password, if I enter the correct password there is nothing in that log. Log in and su results remain the same. the slapd log does show the attempts and does not appear to show any errors that I can tell. I'll keep working it, here is the pam.conf I switched too after further evaluation -
  # more /etc/pam.conf
  #ident "@(#)pam.conf 1.31 07/12/07 SMI"
  # Copyright 2007 Sun Microsystems, Inc. All rights reserved.
  # Use is subject to license terms.
  # PAM configuration
  # Unless explicitly defined, all services use the modules
  # defined in the "other" section.
  # Modules are defined with relative pathnames, i.e., they are
  # relative to /usr/lib/security/$ISA. Absolute path names, as
  # present in this file in previous releases are still acceptable.
  # Authentication management
  # login service (explicit because of pam_dial_auth)
  login auth requisite pam_authtok_get.so.1
  login auth required pam_dhkeys.so.1
  login auth required pam_unix_cred.so.1
  login auth required pam_dial_auth.so.1
  login auth binding pam_unix_auth.so.1 server_policy
  login auth required pam_ldap.so.1
  # rlogin service (explicit because of pam_rhost_auth)
  rlogin auth sufficient pam_rhosts_auth.so.1
  rlogin auth requisite pam_authtok_get.so.1
  rlogin auth required pam_dhkeys.so.1
  rlogin auth required pam_unix_cred.so.1
  rlogin auth binding pam_unix_auth.so.1 server_policy
  rlogin auth required pam_ldap.so.1
  # Kerberized rlogin service
  krlogin auth required pam_unix_cred.so.1
  krlogin auth required pam_krb5.so.1
  # rsh service (explicit because of pam_rhost_auth,
  # and pam_unix_auth for meaningful pam_setcred)
  rsh auth sufficient pam_rhosts_auth.so.1
  rsh auth required pam_unix_cred.so.1
  rsh auth binding pam_unix_auth.so.1 server_policy
  rsh auth required pam_ldap.so.1
  # Kerberized rsh service
  krsh auth required pam_unix_cred.so.1
  krsh auth required pam_krb5.so.1
  # Kerberized telnet service
  ktelnet auth required pam_unix_cred.so.1
  ktelnet auth required pam_krb5.so.1
  # PPP service (explicit because of pam_dial_auth)
  ppp auth requisite pam_authtok_get.so.1
  ppp auth required pam_dhkeys.so.1
  ppp auth required pam_dial_auth.so.1
  ppp auth binding pam_unix_auth.so.1 server_policy
  ppp auth required pam_ldap.so.1
  # Default definitions for Authentication management
  # Used when service name is not explicitly mentioned for authentication
  other auth requisite pam_authtok_get.so.1
  other auth required pam_dhkeys.so.1
  other auth required pam_unix_cred.so.1
  other auth binding pam_unix_auth.so.1 server_policy
  other auth required pam_ldap.so.1
  # passwd command (explicit because of a different authentication module)
  passwd auth binding pam_passwd_auth.so.1 server_policy
  passwd auth required pam_ldap.so.1
  # cron service (explicit because of non-usage of pam_roles.so.1)
  cron account required pam_unix_account.so.1
  # Default definition for Account management
  # Used when service name is not explicitly mentioned for account management
  other account requisite pam_roles.so.1
  other account binding pam_unix_account.so.1 server_policy
  other account required pam_ldap.so.1
  # Default definition for Session management
  # Used when service name is not explicitly mentioned for session management
  other session required pam_unix_session.so.1
  # Default definition for Password management
  # Used when service name is not explicitly mentioned for password management
  other password required pam_dhkeys.so.1
  other password requisite pam_authtok_get.so.1
  other password requisite pam_authtok_check.so.1 force_check
  other password required pam_authtok_store.so.1 server_policy
  # Support for Kerberos V5 authentication and example configurations can
  # be found in the pam_krb5(5) man page under the "EXAMPLES" section.
  ppp auth required pam_unix_cred.so.1
  ppp auth required pam_unix_auth.so.1
  I did create a .ldif file for a profile. Output seems similar to what I entered in the manual ldapclient command. Reading up more on that now and the schema updates you recommended. I wanted to make sure I sent you the updated pam.conf though as this seems to match those found online in style for pre-Solaris 11. The first copy was what I transferred from a working Solaris 11 server I had running here.
  Thanks,
  Ted

• Solaris 10 LDAP Clients Intermittently Fail

  I'm working on a rather puzzling issue with some of our Solaris 10 systems authenticating against DSEE 6.3. These clients previously worked without issue but starting last week SSH connections would hang for a few minutes and then start working again. This never happened on more than one system at a time.
  I found the following messages in /var/adm/messages during the time we have these problems:
  Apr 27 08:04:57 hostname nscd[20634]: [ID 293258 user.warning] libsldap: Status: 7 Mesg: LDAP ERROR (85): Timed out.
  Apr 27 08:05:47 hostname nscd[20634]: [ID 293258 user.warning] libsldap: Status: 7 Mesg: LDAP ERROR (85): Timed out.
  ... many of these
  Apr 27 08:10:07 hostname nscd[20634]: [ID 293258 user.warning] libsldap: Status: 7 Mesg: LDAP ERROR (85): Timed out.
  Apr 27 08:10:17 hostname nscd[20634]: [ID 293258 user.warning] libsldap: Status: 7 Mesg: LDAP ERROR (85): Timed out.
  Apr 27 08:10:31 hostname nscd[20634]: [ID 293258 user.warning] libsldap: Status: 7 Mesg: LDAP ERROR (81): Can't contact LDAP server.
  To test connectivity to the LDAP server I have a ldapsearch running every 15 seconds an logging the time it took and checking for correct results. during the time that I see the libsldap messages and ssh connections are hanging, the ldapsearch command continues to run fine without slowing down.
  A final note is that all three of the problem systems are on the same subnet and systems outside of this subnet aren't having any problems with the same configuration. My first thought was the firewall but ldapsearch continues to work.
  Does anyone know if nscd tries to keep the LDAP connection open. Looking at the logged messages it appears as though it gives up after 5 minutes or so, throws the LDAP ERROR (81) and then starts to work again.
  Any ideas would be appreciated. This one is making me crazy (crazier).
  Thanks.

  rukbat wrote:
  Has anything changed in that time frame?
  Any physical changes such as office-moves? new hires? lay-offs?
  Could there have been any modifications to the networking hardware such as lengthening the cabling? Is it possible to re-route the subnet to different switches or to different posts on the switches? You might consider snooping the traffic to watch how it traverses the paths to the LDAP server.
  If there are other systems on the subnet, do they experience any sort of timeouts ( even if it is to unrelated tasks such as database access or surfing to the Intranet/Internet ) ?
  ... just random thoughts from a hardware perspective.Given that this started after a maintenance night I'm sure you are correct and something changed. However there are no changes in the maintenance plan that could cause this and nobody will own up to any additional changes. This leaves it to me to try to find what is causing the failure so I can get it corrected.
  These are the only three Unix systems on that subnet and they are all experiencing the problem so I don't have anything that is working to compare them to except for the other systems that aren't on that subnet. The other systems are working fine with the same configuration. That's why I'm thinking that it is something external to the problem systems.
  Given that all other services on these systems are working, I'm not currently exploring a hardware type failure.
  I've been running pfiles on nscd and it appears that it is indeed holding a connection to the LDAP server open (if I'm reading it correctly). The inode assocated with #8 hasn't changed. So my current theory is that maybe the firewall is killing off long connections after a while. This appears to be consistent with the log entries where I get many ERROR (85) and then a final (81). I'm thinking that after the ERROR 81, it re-opens the connection. Just guesses though.
  8: S_IFSOCK mode:0666 dev:329,0 ino:3753 uid:0 gid:0 size:0
  O_RDWR|O_NONBLOCK
  SOCK_STREAM
  SO_SNDBUF(49152),SO_RCVBUF(49680),IP_NEXTHOP(0.0.194.16)
  sockname: AF_INET6 ::ffff:10.1.50.50 port: 42758
  peername: AF_INET6 ::ffff:10.1.52.25 port: *636*

• Ssh public keys in LDAP

  Perhaps my question is answered elsewhere in these forums, but I have not been able to find it.
  My question is... Is it possible for LDAP accounts to login to a solaris 10 box using public key authentication with the sun native ssh server/client when the ssh keys are also in LDAP? I am currently using the following software...
  Sun Directory server 6.3.1
  Sun_SSH_1.1
  Solaris 10
  I have read on a possible openssh solution with openldap but to convert to an open solution is not a possibility.
  I am not looking to implement kerberos either.
  Thank you for any response.
  Joe

  SSH keys are driving me a little crazy too. I would agree that it would be quite nice to get some type of central repository for them. Unfortunately I have nothing to offer in this regard...

• Solaris ldap client problem (tls:simple + anonymous)

  Hi All,
  I've installed Directory Server 6.3.1 and it works just fine,
  but I have a problem regarding connecting Solaris 10 ldap client to it through SSL using anonymous credential level.
  Both SSL with proxy credential level or anonymous without SSL work fine but as you know these configurations are not pretty secure.
  More detail.
  Profile:
  dn: cn=sslnoproxyuser,ou=profile,dc=domain,dc=com
  authenticationmethod: tls:simple
  bindtimelimit: 10
  cn: sslnoproxyuser
  credentiallevel: anonymous
  defaultsearchbase: dc=domain,dc=com
  defaultsearchscope: one
  defaultserverlist: servername.domain.com
  followreferrals: TRUE
  objectclass: top
  objectclass: DUAConfigProfile
  preferredserverlist: servername.domain.com
  profilettl: 43200
  searchtimelimit: 30
  Ldapclient output:
  bash-3.00# ldapclient init -v -a profileName=sslnoproxyuser servername.domain.com
  Parsing profileName=sslnoproxyuser
  Arguments parsed:
  profileName: sslnoproxyuser
  defaultServerList: servername.domain.com
  Handling init option
  About to configure machine by downloading a profile
  findBaseDN: begins
  findBaseDN: ldap not running
  findBaseDN: calling __ns_ldap_default_config()
  found 2 namingcontexts
  findBaseDN: __ns_ldap_list(NULL, "(&(objectclass=nisDomainObject)(nisdomain=domain.com))"
  rootDN[0] dc=domain,dc=com
  found baseDN dc=domain,dc=com for domain domain.com
  Proxy DN: NULL
  Proxy password: NULL
  Credential level: 0
  Authentication method: 3
  No proxyDN/proxyPassword required
  About to modify this machines configuration by writing the files
  Stopping network services
  Stopping sendmail
  stop: sleep 100000 microseconds
  stop: network/smtp:sendmail... success
  Stopping nscd
  stop: sleep 100000 microseconds
  stop: sleep 200000 microseconds
  stop: system/name-service-cache:default... success
  Stopping autofs
  stop: sleep 100000 microseconds
  stop: sleep 200000 microseconds
  stop: sleep 400000 microseconds
  stop: sleep 800000 microseconds
  stop: sleep 1600000 microseconds
  stop: sleep 3200000 microseconds
  stop: system/filesystem/autofs:default... success
  ldap not running
  nisd not running
  nis(yp) not running
  file_backup: stat(/etc/nsswitch.conf)=0
  file_backup: (/etc/nsswitch.conf -> /var/ldap/restore/nsswitch.conf)
  file_backup: stat(/etc/defaultdomain)=0
  file_backup: (/etc/defaultdomain -> /var/ldap/restore/defaultdomain)
  file_backup: stat(/var/nis/NIS_COLD_START)=-1
  file_backup: No /var/nis/NIS_COLD_START file.
  file_backup: nis domain is "domain.com"
  file_backup: stat(/var/yp/binding/domain.com)=-1
  file_backup: No /var/yp/binding/domain.com directory.
  file_backup: stat(/var/ldap/ldap_client_file)=-1
  file_backup: No /var/ldap/ldap_client_file file.
  Starting network services
  start: /usr/bin/domainname domain.com... success
  start: sleep 100000 microseconds
  start: network/ldap/client:default... maintenance
  start: sleep 100000 microseconds
  start: system/filesystem/autofs:default... success
  start: sleep 100000 microseconds
  start: system/name-service-cache:default... success
  start: sleep 100000 microseconds
  start: network/smtp:sendmail... success
  restart: sleep 100000 microseconds
  restart: sleep 200000 microseconds
  restart: milestone/name-services:default... success
  Error resetting system.
  Recovering old system settings.
  Stopping network services
  Stopping sendmail
  stop: sleep 100000 microseconds
  stop: network/smtp:sendmail... success
  Stopping nscd
  stop: sleep 100000 microseconds
  stop: sleep 200000 microseconds
  stop: system/name-service-cache:default... success
  Stopping autofs
  stop: sleep 100000 microseconds
  stop: sleep 200000 microseconds
  stop: sleep 400000 microseconds
  stop: sleep 800000 microseconds
  stop: sleep 1600000 microseconds
  stop: sleep 3200000 microseconds
  stop: system/filesystem/autofs:default... success
  Stopping ldap
  stop: network/ldap/client:default... restoring from maintenance state
  stop: sleep 100000 microseconds
  stop: network/ldap/client:default... success
  nisd not running
  nis(yp) not running
  recover: stat(/var/ldap/restore/defaultdomain)=0
  recover: open(/var/ldap/restore/defaultdomain)
  recover: read(/var/ldap/restore/defaultdomain)
  recover: old domainname "domain.com"
  recover: stat(/var/ldap/restore/ldap_client_file)=-1
  recover: stat(/var/ldap/restore/ldap_client_cred)=-1
  recover: stat(/var/ldap/restore/NIS_COLD_START)=-1
  recover: stat(/var/ldap/restore/domain.com)=-1
  recover: stat(/var/ldap/restore/nsswitch.conf)=0
  recover: file_move(/var/ldap/restore/nsswitch.conf, /etc/nsswitch.conf)=0
  recover: stat(/var/ldap/restore/defaultdomain)=0
  recover: file_move(/var/ldap/restore/defaultdomain, /etc/defaultdomain)=0
  Starting network services
  start: /usr/bin/domainname domain.com... success
  start: sleep 100000 microseconds
  start: system/filesystem/autofs:default... success
  start: sleep 100000 microseconds
  start: system/name-service-cache:default... success
  start: sleep 100000 microseconds
  start: network/smtp:sendmail... success
  restart: sleep 100000 microseconds
  restart: milestone/name-services:default... success
  */var/ldap/cachemgr.log*
  Tue Jun 30 10:50:51.4330 Starting ldap_cachemgr, logfile /var/ldap/cachemgr.log
  Tue Jun 30 10:50:51.4355 Error: Unable to read '/var/ldap/ldap_client_file': Configuration Error: No entry for 'NS_LDAP_BINDDN' found
  Tue Jun 30 10:50:51.4368 detachfromtty(): child failed (rc = 255).
  Any ideas?
  Edited by: ffffffffff356dfd on 30 ???? 2009 12:07
  Edited by: ffffffffff356dfd on 30 ???? 2009 12:07

  Hi ,
  yes I use it.
  Here is my pam.conf:
  # Authentication management
  # login service (explicit because of pam_dial_auth)
  login auth requisite pam_authtok_get.so.1
  login auth required pam_dhkeys.so.1
  login auth required pam_unix_cred.so.1
  login auth required pam_dial_auth.so.1
  login auth binding pam_unix_auth.so.1 server_policy
  login auth required pam_ldap.so.1
  # rlogin service (explicit because of pam_rhost_auth)
  # rlogin auth sufficient pam_rhosts_auth.so.1
  rlogin auth requisite pam_authtok_get.so.1
  rlogin auth required pam_dhkeys.so.1
  rlogin auth required pam_unix_cred.so.1
  rlogin auth binding pam_unix_auth.so.1 server_policy
  rlogin auth required pam_ldap.so.1
  # rsh service (explicit because of pam_rhost_auth,
  # and pam_unix_auth for meaningful pam_setcred)
  # rsh auth sufficient pam_rhosts_auth.so.1
  rsh auth required pam_unix_cred.so.1
  rsh auth binding pam_unix_auth.so.1 server_policy
  rsh auth required pam_ldap.so.1
  # PPP service (explicit because of pam_dial_auth)
  ppp auth requisite pam_authtok_get.so.1
  ppp auth required pam_dhkeys.so.1
  ppp auth required pam_dial_auth.so.1
  ppp auth binding pam_unix_auth.so.1 server_policy
  ppp auth required pam_ldap.so.1
  # Default definitions for Authentication management
  # Used when service name is not explicitly mentioned for authentication
  other auth requisite pam_authtok_get.so.1
  other auth required pam_dhkeys.so.1
  other auth required pam_unix_cred.so.1
  other auth binding pam_unix_auth.so.1 server_policy
  other auth required pam_ldap.so.1
  # passwd command (explicit because of a different authentication module)
  passwd auth binding pam_passwd_auth.so.1 server_policy
  passwd auth required pam_ldap.so.1
  # cron service (explicit because of non-usage of pam_roles.so.1)
  cron account required pam_unix_account.so.1
  # Default definition for Account management
  # Used when service name is not explicitly mentioned for account management
  other account requisite pam_roles.so.1
  other account binding pam_unix_account.so.1
  other account required pam_ldap.so.1
  # Default definition for Session management
  # Used when service name is not explicitly mentioned for session management
  other session required pam_unix_session.so.1
  # Default definition for Password management
  # Used when service name is not explicitly mentioned for password management
  other password required pam_dhkeys.so.1
  other password requisite pam_authtok_get.so.1
  other password requisite pam_authtok_check.so.1
  other password required pam_authtok_store.so.1 server_policy
  # Support for Kerberos V5 authentication and example configurations can
  # be found in the pam_krb5(5) man page under the "EXAMPLES" section.
  #

• ASA 8.4+ RSA Public Key for SSH user authentication

    I have seen in the configuration guide and a separate post in the support community that RSA Public Key authentication is support for SSH sessions in 8.4 and after.  I have tried implementing this on both an 8.4 ASA and a 9.1 ASA and I get the same error on both.  I have tried specifying SSH version 2 to see if that is the issue but I still get the error.  Is there a step I am missing?
  Here is the output of the configuration commands:
  ciscoasa(config)#username test nopassword privilege 15
  ciscoasa(config)#username test attributes
  ciscoasa(config-username)# ssh authentication publickey
                               ^
  ERROR: % Invalid Hostname
  The links referenced above:
  https://supportforums.cisco.com/thread/2150480
  http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/access_aaa.html#wp1053558
  http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/general/aaa_servers.html#wp1176050
  Thanks!

  That would be great if the resolution was that simple.  I am using a public key I generated using the putty key generator.  Below is the key I would use if I got that far.  However I get an error on the "ssh authentication publickey" attribute so I never get the chance to enter a public key.  What code version and hardware version are you running that this worked on?
  AAAAB3NzaC1yc2EAAAABJQAAAIEA2h00RCKBbpbrTWSe/3TYAvRpkJz7tLwQDCf9
  4fDJUWUGrmxXHeomuBhNGZh7tyfFjRL2CKY6nWmFyKN/eDm0PF4IWhhCArzOPVDu
  q7Nu2y/pD8wWH8dH4a3zRpkLSekNJtH6lzuqmY0zqz9TnZlpS6g4LI1a+lOGSmhU
  /HySw9s=
  ciscoasa(config)#username test nopassword privilege 15
  ciscoasa(config)#username test attributes
  ciscoasa(config-username)#ssh ?
  configure mode commands/options:
    Hostname or A.B.C.D  The IP address of the host and/or network authorized to
                         login to the system
    X:X:X:X::X/<0-128>   IPv6 address/prefix authorized to login to the system
    scopy                Secure Copy mode
    timeout              Configure ssh idle timeout
    version              Specify protocol version to be supported
  exec mode commands/options:
    disconnect  Specify SSH session id to be disconnected after this keyword
  ciscoasa(config-username)# ssh
  ciscoasa(config-username)# sh ver | in Ver
  Cisco Adaptive Security Appliance Software Version 9.1(1)
  Device Manager Version 7.1(1)52
  ciscoasa(config-username)#

• SSH public key issue?

  Hi all,
  I've been trying to set up public key authentication for SSH recently, and have come across a problem which has left me stumped. I want to be able to SSH into computer A (iBook G4, 10.5.1) from computer B (iMac G4, 10.5.0), and vice versa. At the moment, both these machines are on the same LAN, and SSH-ing to their respective local addresses works fine - A can connect to B, and B can connect to A (e.g. ssh -l username computerA.local). So far so good.
  The end goal is to allow SSH access between my two machines over the web, using No-ip.com's dynamic DNS app. Both machines have this daemon installed and running. When SSh-ing to the machines using their no-ip DNS names (e.g. ssh -l username computerA.no-ip.org) for some reason connecting from B to A works fine, but from A to B throws up a "Permission denied (publickey)" error.
  As far as I'm aware, I've set up all the ssh_config and sshd_config files on both machines correctly, specifying the correct protocols and key files, and neither machine is firewalled. Both are running OpenSSH 4.5p1.
  Can anyone think of a reason why this is happening?
  Thanks in advance,
  Pete

  Are both A and B behind the same home router? If so, it is likely that both the computerA.no-ip.org IP address is the same as the computerB.no-ip.org IP address, and you have only configured your home router to forward ssh connections to computerA.no-ip.org.
  You home router would typically only have 1 internet WAN IP address. The no-ip client is going to figure out the router's WAN IP address and give that address to computerA.no-ip.org and computerB.no-ip.org DNS names.
  If my guess is correct, then when telling A to connect to B, the name lookup for B gives an IP address which is your router, and your router then forwards port 22 traffic to back to A, and since you most likely have not put A's ssh .pub key into A's .ssh/authorized_key2 file, it fails to connect.
  One way to verify my guess is to ask http://whatismyip.com from both A and B. If you get the same IP address, then computerA.no-ip.org and computerB.no-ip.org DNS names will have the same IP address and thus from the DNS name level there is no way to tell the difference between computerA.no-ip.org and computerB.no-ip.org.
  Again, if I am correct, then what you want to do is configure your router to
  forward port 22100 to A port 22
  forward port 22101 to B port 22
  Then when you want to make an ssh connection use
  ssh -p 22100 [email protected]
  ssh -p 22101 [email protected]