
Hello, I'm trying to nest authentication methods, public key and LDAP, using PAM. My config file looks like this:

<authentication name="public-key-auth" action="allow" password-cache="no">
  <auth-publickey />
    <authentication name="domain-auth" action="allow" >
      <submethod-pam dll-path="/lib/security/pam_ldap.so"/>
    </authentication>
</authentication>

When I try to connect to the SSH server, I see 5 events in the syslog:

  1. ssh-server-g3: 400 Connect (has my ip address and other connection info)
  2. ssh-server-g3: 1002 Algorithm_negotiation_success,"kex_algorithm=diffie-hellman-group-exchange-sha256, hostkey_algorithm=ssh-rsa, cipher=aes128-ctr/aes128-ctr, mac=hmac-sha1/hmac-sha1, compression=none/none", Session-Id: 3
  3. ssh-server-g3: 1003 KEX_success, Algorithm: diffie-hellman-group-exchange-sha256, Modulus: 2048 bits, Session-Id: 3, Protocol-session-Id: FAF....(long hash removed)...47F
  4. ssh-server-g3[26507]: /opt/tectia/libexec/ssh-servant-g3: symbol lookup error: /usr/lib/libssl.so.0.9.8: undefined symbol: EVP_camellia_128_cbc
  5. ssh-server-g3[26507]: 110 Servant_exited, Pid: 26573, Error: Generic error, Exit Value: 127

I followed the PAM info in this link and I can successfully run

getent passwd Domain\UserName

so it seems that LDAP is working

Any suggestions on why this is not working? I'm using SUSE Linux 11 SP3 and the latest version of Tectia.

asked Apr 10 '14 at 11:17



edited Apr 10 '14 at 11:20

Please check the known issues in the release notes. They mention something similar:

  - Unix: if OpenSSL 0.9.8 is installed on the host where Tectia Server is installed, it may fail when using PAM with software that uses that OpenSSL. Workaround if FIPS is not used: rename the libcrypto.so.0.9.8 existent under /opt/tectia/sshlib to another name (note that this will make FIPS mode

Let us know if it helps, please.


answered Apr 10 '14 at 12:02


Martin Dobsik
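A note on what the five events in the question say, and why the release-note workaround above addresses them. The symbol lookup error in event 4 is printed by glibc's dynamic linker, and a fatal lookup error makes ld.so terminate the process with status 127, which is exactly the "Exit Value: 127" reported for the servant in event 5. ld.so resolves dependencies by SONAME, so once the servant has mapped Tectia's private /opt/tectia/sshlib/libcrypto.so.0.9.8, the system /usr/lib/libssl.so.0.9.8 that pam_ldap pulls in binds to that same copy rather than to /usr/lib/libcrypto.so.0.9.8; if the private copy lacks EVP_camellia_128_cbc, the lookup fails. That reading is consistent with the workaround of renaming the bundled libcrypto so the system copy is loaded instead. The script below is example code added for this thread (not Tectia's or the poster's): it pairs each Servant_exited event with the preceding linker error and, given `ldd` output for the servant, the PAM module and the library named in the error, reports which SONAME is being resolved to two different files. The syslog lines and `ldd` output embedded in it are constructed samples modelled on the question; the load addresses and the libldap/libpam paths are hypothetical.

```python
"""Triage helper for the failure in this thread: a Tectia servant that dies
with ld.so's 'symbol lookup error' and exit status 127 while loading a PAM
module. Example code added for this thread; not part of Tectia."""
import re
from collections import defaultdict

# Constructed sample syslog, modelled on the five events in the question
# (connection details and the session hash trimmed).
SAMPLE_SYSLOG = """\
ssh-server-g3: 400 Connect, Session-Id: 3
ssh-server-g3: 1002 Algorithm_negotiation_success, Session-Id: 3
ssh-server-g3: 1003 KEX_success, Algorithm: diffie-hellman-group-exchange-sha256, Modulus: 2048 bits, Session-Id: 3
ssh-server-g3[26507]: /opt/tectia/libexec/ssh-servant-g3: symbol lookup error: /usr/lib/libssl.so.0.9.8: undefined symbol: EVP_camellia_128_cbc
ssh-server-g3[26507]: 110 Servant_exited, Pid: 26573, Error: Generic error, Exit Value: 127
"""

# Constructed `ldd` output for the three objects involved. Load addresses and
# the libpam/libldap paths are hypothetical; gather real output with
#   ldd /opt/tectia/libexec/ssh-servant-g3
#   ldd /lib/security/pam_ldap.so
#   ldd /usr/lib/libssl.so.0.9.8
SAMPLE_LDD = {
    "/opt/tectia/libexec/ssh-servant-g3": """\
\tlinux-vdso.so.1 =>  (0x00007fff6a1ff000)
\tlibcrypto.so.0.9.8 => /opt/tectia/sshlib/libcrypto.so.0.9.8 (0x00007f2a1c200000)
\tlibpam.so.0 => /lib/libpam.so.0 (0x00007f2a1bf00000)
\tlibc.so.6 => /lib/libc.so.6 (0x00007f2a1bb00000)
""",
    "/lib/security/pam_ldap.so": """\
\tlibldap-2.4.so.2 => /usr/lib/libldap-2.4.so.2 (0x00007f2a1b800000)
\tlibssl.so.0.9.8 => /usr/lib/libssl.so.0.9.8 (0x00007f2a1b500000)
\tlibcrypto.so.0.9.8 => /usr/lib/libcrypto.so.0.9.8 (0x00007f2a1b100000)
\tlibc.so.6 => /lib/libc.so.6 (0x00007f2a1bb00000)
""",
    "/usr/lib/libssl.so.0.9.8": """\
\tlibcrypto.so.0.9.8 => /usr/lib/libcrypto.so.0.9.8 (0x00007f2a1b100000)
\tlibc.so.6 => /lib/libc.so.6 (0x00007f2a1bb00000)
""",
}

SYMBOL_ERR = re.compile(
    r"symbol lookup error: (?P<lib>[^\s:]+): undefined symbol: (?P<sym>\w+)")
SERVANT_EXIT = re.compile(
    r"110 Servant_exited, Pid: (?P<pid>\d+), .*?Exit Value: (?P<code>\d+)")
LDD_LINE = re.compile(r"^\s*(?P<soname>\S+) => (?P<path>/\S+) \(0x[0-9a-f]+\)")
LDSO_FATAL_EXIT = 127  # glibc's ld.so exits 127 on a fatal lookup/relocation error


def triage(syslog_text):
    """Pair each Servant_exited event with the dynamic-linker error, if any,
    that preceded it. Returns a list of findings in log order."""
    findings, pending = [], None
    for line in syslog_text.splitlines():
        m = SYMBOL_ERR.search(line)
        if m:
            pending = {"library": m["lib"], "symbol": m["sym"]}
            continue
        m = SERVANT_EXIT.search(line)
        if m:
            code = int(m["code"])
            findings.append({
                "pid": int(m["pid"]),
                "exit": code,
                # Only an ld.so exit (127) is explained by a symbol error.
                "linker_error": pending if code == LDSO_FATAL_EXIT else None,
            })
            pending = None
    return findings


def parse_ldd(text):
    """Map SONAME -> resolved file from one `ldd` run; the vdso and the loader
    itself carry no '=> /path' and are skipped."""
    return {m["soname"]: m["path"]
            for m in map(LDD_LINE.match, text.splitlines()) if m}


def soname_conflicts(ldd_outputs):
    """SONAMEs that different objects resolve to different files. ld.so matches
    dependencies by SONAME, so inside one process only the copy mapped first is
    used; every other object silently binds to that copy."""
    resolved = defaultdict(dict)  # soname -> {path: [objects resolving it there]}
    for obj, text in ldd_outputs.items():
        for soname, path in parse_ldd(text).items():
            resolved[soname].setdefault(path, []).append(obj)
    return {s: paths for s, paths in resolved.items() if len(paths) > 1}


def suspects(finding, ldd_outputs):
    """Narrow the conflicts to dependencies of the object named in the symbol
    error: those are the libraries whose wrong copy was bound."""
    err = finding.get("linker_error")
    if not err or err["library"] not in ldd_outputs:
        return {}
    deps = parse_ldd(ldd_outputs[err["library"]])
    return {s: p for s, p in soname_conflicts(ldd_outputs).items() if s in deps}


if __name__ == "__main__":
    for f in triage(SAMPLE_SYSLOG):
        print(f"servant pid {f['pid']} exited {f['exit']}: {f['linker_error']}")
        for soname, copies in suspects(f, SAMPLE_LDD).items():
            print(f"  {soname} is resolved to {len(copies)} different files:")
            for path, objs in copies.items():
                print(f"    {path}  <- {', '.join(objs)}")
```

On the sample data the script names libcrypto.so.0.9.8 as the only dependency of /usr/lib/libssl.so.0.9.8 that the servant resolves elsewhere, which is the condition the release note describes. After applying the workaround, rerun the same three `ldd` commands: the conflict should disappear, and `nm -D --defined-only /usr/lib/libcrypto.so.0.9.8 | grep EVP_camellia_128_cbc` is a quick check that the copy now being loaded actually exports the missing symbol.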

I removed libcrypto.so.0.9.8 in /opt/tectia/lib/shlib and I'm now getting this error in my logs:

PAM_AUTHINFO_UNAVAIL and nss_ldap: could not search LDAP server - Server is unavailable

so it seems I'm missing something in my LDAP settings. I'll check them and report back.

(Apr 10 '14 at 12:36) Matt

Hi Martin... I was not able to get pam_ldap to work. I ended up going with pam_krb5 and I'm restricting logins using the .k5login file.

(Apr 14 '14 at 23:34) Matt


Seen: 4,641 times

Last updated: Apr 14 '14 at 23:34

All user contributed content licensed under the cc-by-sa license.
Powered by OSQA.