School of Engineering Computing Support - SSH Access with LDAP

This document details the steps for configuring an Ubuntu Gutsy server to allow people with UC Merced network accounts access via SSH.

Overview

UC Merced network accounts give access to a wide variety of systems using a single id/password combination. This document describes the steps needed to configure an Ubuntu Gutsy (version 7.10) server to give access to UC Merced network account holders via SSH.

In addition to having the standard account, persons who will access Linux or Unix servers must have a POSIXAccount object in their LDAP records. UC Merced's IT department controls the assignment of POSIXAccount objects. Their current policy is to automatically add them to incoming personnel who are in the School of Engineering. This includes students, staff, and faculty.

Summary

The following packages will be installed:

openssh-server
libpam-ldap
nscd

The following files will be modified:

/etc/nsswitch.conf
/etc/ldap.conf
/etc/pam.d/ssh
/etc/pam.d/common-session
/etc/pam.d/common-password
/etc/ssh/sshd_config

Setup

nsswitch.conf should be modified before installing nscd. If nscd has already been installed, it must be restarted after nsswitch.conf has been modified.

  • In /etc/nsswitch.conf, add "ldap" to the passwd: and group: lines:
passwd:         files ldap
group:          files ldap
  • If nscd is already installed, restart it.
# /etc/init.d/nscd restart
  • Install the packages.
  • Note: You will be asked about LDAP configuration. The answers you give do not matter, because we are going to overwrite the LDAP configuration file.
apt-get install openssh-server libpam-ldap nscd
  • Put the following text as the entire content of /etc/ldap.conf. Note that the file requires the bind password, which is not provided in this document; it was initially provided by IT and you must enter it in /etc/ldap.conf yourself.
# This is the ldap.conf file to allow an Ubuntu system to use UC Merced's
# LDAP server to authenticate users.

uri ldap://ldap.ucmerced.edu/
base dc=ucmerced,dc=edu
ldap_version 3

# The server will cooperate without TLS, but that means you'd be sending the bindpw
# in the clear. It is preferable to encrypt, so:
ssl start_tls

# This setting is currently required. TODO: install some certs so that we can
# verify that the server is who we expect it to be.
tls_checkpeer no

# The server will not cooperate unless we authenticate as follows:
binddn uid=engadmin,ou=Special Users,dc=ucmerced,dc=edu
bindpw SECRETPASSWORD

Make sure it cannot be viewed:

chmod 600 /etc/ldap.conf
  • Insert the following into /etc/pam.d/sshd:
# PAM configuration for the Secure Shell service

auth    sufficient      pam_ldap.so
account sufficient      pam_permit.so
  • Insert the following into /etc/pam.d/common-session so that a home directory is created when someone first logs in:
session     required      pam_mkhomedir.so skel=/etc/skel umask=0022
  • Change the entries in /etc/pam.d/common-password as follows. These should be the only uncommented lines in that file:
password optional pam_echo.so Please visit https://idm.ucmerced.edu/ to change your password.
password required pam_deny.so
  • In /etc/ssh/sshd_config, ensure that password authentication is enabled. Comment out "PasswordAuthentication no" (or set it to "yes").
#PasswordAuthentication no
  • Restart sshd.
# /etc/init.d/ssh restart
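To confirm the settings above took effect before opening SSH to the campus, the following script (an added example, not part of this document or of UC Merced IT's tooling) audits an ldap.conf body and an nsswitch.conf body: it checks that "ldap" is listed for passwd and group, that the bind goes over start_tls or ldaps, that tls_checkpeer is "yes" (the TODO noted in the config), and that a file holding a bindpw is mode 600. The sample configs embedded below are constructed from the page; the function names are my own.

```python
import stat

# Constructed samples: the ldap.conf and nsswitch.conf shown on this page.
SAMPLE_LDAP_CONF = """\
uri ldap://ldap.ucmerced.edu/
base dc=ucmerced,dc=edu
ldap_version 3
ssl start_tls
tls_checkpeer no
binddn uid=engadmin,ou=Special Users,dc=ucmerced,dc=edu
bindpw SECRETPASSWORD
"""
SAMPLE_NSSWITCH = """\
passwd:         files ldap
group:          files ldap
shadow:         files
"""

def parse_conf(text):
    """Parse 'key value' lines (value may contain spaces); skip comments and blanks."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def audit_ldap_conf(text, mode=0o600):
    """Return a list of findings for an ldap.conf body given its file mode bits."""
    conf = parse_conf(text)
    findings = []
    if conf.get("ssl") != "start_tls" and not conf.get("uri", "").startswith("ldaps://"):
        findings.append("no start_tls/ldaps: bindpw and user passwords cross the network in the clear")
    if conf.get("tls_checkpeer", "no").lower() != "yes":
        findings.append("tls_checkpeer is not 'yes': the LDAP server's certificate is not verified")
    if "bindpw" in conf and mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("bindpw present but file is readable by group/other (expected chmod 600)")
    return findings

def audit_nsswitch(text):
    """Return the databases among passwd/group whose source list lacks 'ldap'."""
    missing = {"passwd", "group"}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        if ":" not in line:
            continue
        db, sources = line.split(":", 1)
        if db.strip() in missing and "ldap" in sources.split():
            missing.discard(db.strip())
    return sorted(missing)

if __name__ == "__main__":
    print(audit_nsswitch(SAMPLE_NSSWITCH), audit_ldap_conf(SAMPLE_LDAP_CONF, 0o600))
```

Against the page's own ldap.conf the only finding is tls_checkpeer, which matches the TODO in the file.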

Troubleshooting

If you cannot log in, and in the server's /var/log/auth.log you see:

Feb 12 21:25:22 localhost sshd[32179]: Invalid user username from ip-address
Feb 12 21:25:22 localhost sshd[32179]: Failed none for invalid user username from ip-address port 48383 ssh2

The key element of the above log entries is "invalid user". This means that the name service could not identify the user. (As a result, sshd will refuse to provide the actual password to the LDAP PAM module. But even if it did, you still wouldn't be able to log in.)

The solution is as follows:

  1. Set up /etc/nsswitch.conf as described above.
  2. If you are using nscd, restart it:
/etc/init.d/nscd restart

Further reading