
To configure sssd to connect to an AD server, I set id_provider to ldap.

As the AD server cannot accept TLS, I disabled it by:

  1. ldap_id_use_start_tls = false
  2. setting ssl off in ldap.conf

When I log in via ftp with a domain account, it works. But it fails for ssh.

I compared the tcpdump captures of ftp and ssh. I found that the passwords in the BindRequest differ between ftp and ssh. It seems ssh encrypts the password, so that pam_sss gets the wrong password from the PAM stack.

Encrypted password as below: simple: \b\n\r\177INCO

Is it possible to change it to a plaintext password for ssh?


1 Answer


What you're seeing here isn't an encrypted password; it comes from sshd, specifically:

const char junk[] = "\b\n\r\177INCORRECT";

Before sshd tries to authenticate with PAM, it calls getpwnam() to check whether the user is valid. If not, it replaces the entered password with a portion of the junk string, then validates the user/junk password with PAM.

What (I'm fairly certain) ended up being my problem was nscd. When I stopped that service, getpwnam worked, and the correct password was sent to the LDAP backend. I had nscd already installed, and without a restart, it was not checking LDAP for user queries. An easy way to test getpwnam calls from the command line would be to run id username or getent passwd username. But be careful, running getent passwd and looking for an expected username will work, even when the user-specific commands don't.

  • Your answer appears to me like you were the person who asked the original question. Should that really be the case, you should visit https://serverfault.com/help/merging-accounts . – A.B May 06 '23 at 11:15
  • Your answer could be improved with additional supporting information. Please edit to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers in the help center. – Community May 17 '23 at 10:41