Tiny Core Linux
Tiny Core Base => TCB Q&A Forum => Topic started by: |eric| on January 03, 2017, 12:37:02 AM
-
Hi,
I'm trying to enable LDAP authentication both on SSH and on the console, but apparently BusyBox and the initrd configuration are preventing this from working. I tried encrypting the password as SHA and SSHA to no avail in JXplorer. It looks like it's not even authenticating against LDAP; I tried both local and SSH login (OpenSSH doesn't even support PAM, apparently, in this build).
I tried this from the OpenLDAP server as well as from another node on the network, same issue (with older Tiny Core, 6.3 x64, as well).
Here are a few config files:
/etc/nsswitch.conf:
passwd: files ldap
group: files ldap
shadow: files ldap
hosts: files dns
networks: files
rpc: files
services: files
/usr/local/ldap.conf:
BASE dc=ericsolutions, dc=info
scope sub
suffix "dc=mydomain,dc=info"
## when you want to change user's password by root
rootbinddn cn=admin,dc=mydomain,dc=info
## *** replaced my real domain name with mydomain above ***
## there are needed when your ldap dies
timelimit 5
bind_timelimit 5
uri ldap://10.0.1.4/
pam_password <stripped this but i tried plain text no info on this>
ldap_version 3
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberuid
nss_base_passwd ou=Computers,dc=cognifide,dc=pl
nss_base_passwd ou=People,dc=cognifide,dc=pl
nss_base_shadow ou=People,dc=cognifide,dc=pl
nss_base_group ou=Group,dc=cognifide,dc=pl
nss_base_hosts ou=Hosts,dc=cognifide,dc=pl
/usr/local/etc/pam.d/system-auth:
#system-authentication
auth required pam_env.so
auth sufficient pam_ldap.so
auth sufficient pam_unix.so nullok
auth required pam_deny.so
account sufficient pam_ldap.so
account required pam_unix.so
password sufficient pam_ldap.so
password sufficient pam_unix.so use_authtok nullok sha512
password required pam_deny.so
session required pam_limits.so
session required pam_unix.so
session optional pam_ldap.so
/usr/local/etc/ssh/sshd_config:
I stripped all the comments for readability ;)
PermitRootLogin yes
AuthorizedKeysFile .ssh/authorized_keys
#UsePAM yes <<< this option is not valid but was in orig. config file.
PAMAuthenticationViaKbdInt yes
Subsystem sftp /usr/local/lib/openssh/sftp-server
Sorry for the big post :-/
-
Neither our busybox nor our ssh builds support PAM, as it would just be wasted size for most users. You'll likely need custom builds of those, and perhaps of other packages, to be able to log in via LDAP.
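A small diagnostic for the situation described in the reply above, added here as an example and not part of the thread or of Tiny Core: it lists the modules a pam.d file references that are missing from the module directories, and checks whether a given binary is linked against libpam at all. The system-auth excerpt and the binary paths in the demo are constructed from the post, and the script assumes one-word controls (required/sufficient/optional) as in the posted file.

```shell
#!/bin/sh
# Added diagnostic (not Tiny Core project code). A PAM stack like the one posted
# is only ever consulted if (1) the binary doing the login (sshd, login) is
# linked against libpam and (2) every module it names exists on disk.
# Assumes one-word controls as in the posted file; bracketed controls like
# [success=1 default=ignore] contain spaces and are not parsed here.

# Modules named in a pam.d file: the third field, comments and blanks ignored.
pam_modules() {
    sed -e 's/#.*//' "$1" | awk 'NF >= 3 { print $3 }' | sort -u
}

# Print every module from pam.d file $1 that is absent from all of the
# directories $2 $3 ... (e.g. /lib/security /usr/local/lib/security).
pam_missing_modules() {
    pam_file=$1
    shift
    for mod in $(pam_modules "$pam_file"); do
        found=no
        for dir in "$@"; do
            [ -f "$dir/$mod" ] && found=yes
        done
        [ "$found" = no ] && echo "$mod"
    done
    return 0
}

# Succeed only if dynamic binary $1 lists libpam among its shared libraries.
# A static busybox or an OpenSSH built without PAM never matches, so even a
# correct pam.d file is silently ignored: the failure mode in this thread.
binary_links_pam() {
    ldd "$1" 2>/dev/null | grep -q 'libpam\.so'
}

# Demo on a constructed excerpt of the posted system-auth, with a module
# directory that lacks pam_ldap.so (hypothetical binary paths below).
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' 'auth required pam_env.so' 'auth sufficient pam_ldap.so' \
        'auth sufficient pam_unix.so nullok' 'account sufficient pam_ldap.so' \
        'account required pam_unix.so' > "$tmp/system-auth"
    mkdir "$tmp/security"
    for m in pam_env.so pam_unix.so; do : > "$tmp/security/$m"; done
    echo "missing modules: $(pam_missing_modules "$tmp/system-auth" "$tmp/security")"
    for bin in /usr/local/sbin/sshd /usr/local/bin/login /bin/login; do
        [ -x "$bin" ] || continue
        binary_links_pam "$bin" && echo "$bin: links libpam" || echo "$bin: no libpam"
    done
    rm -rf "$tmp"
}
demo
```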
-
Exactly what I was afraid of :-/
Darn... gonna have to make my own distro... gonna call it Bloated Core :P
Looks like Tiny Core is "almost" perfect for minimalistic servers... it's odd that there is a pam tcz, though; I would have thought that installing bash and coreutils and binutils would do the trick, but apparently not either :-(
-
You misunderstand: you don't need to make your own distribution to allow this.
You can just make suitable packages and submit them as an addition to the already existing packages,
e.g. openssh-pam.tcz.
This way the user can choose whether he wants it.