<html><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div>Why not use the pam integration to LDAP through your /etc/pam.d/system-auth and/or sshd files. In that way, let pam manage the communication with LDAP on behalf of SSH.</div><div><br></div><div>There's also some real cool features of group-based authentication/access in /etc/security/access.conf you should look at. It's the first time I've had opportunity to use it and is quite nice.</div><div><br></div><div>It seems a little redundant to not just tie pam in rather than tying both pam and sshd in.</div><div><br></div><div>Or, maybe I'm not understanding the way you're implementing. Could you expand a little on that? (I'm doing the same thing for CNN right now)</div><div><br></div><div><br></div><div>--j</div><div><br></div><div><br></div><br><div><div>On Mar 19, 2009, at 6:48 AM, Kenneth Ratliff wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><br><div><div>On Mar 18, 2009, at 10:04 PM, Jim Kinney wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div>cool idea: park ssh pub keys in ldap for large installation.<br><br><a href="http://code.google.com/p/openssh-lpk/">http://code.google.com/p/openssh-lpk/</a><br></div></blockquote></div><br><div><br></div><div>Yeah this occurred to me when I was busy integrating my home network with LDAP to get everything to single signon. There's just something about patching OpenSSH that makes me unhappy, though.</div><div><br></div></div>_______________________________________________<br>Ale mailing list<br><a href="mailto:Ale@ale.org">Ale@ale.org</a><br><a href="http://mail.ale.org/mailman/listinfo/ale">http://mail.ale.org/mailman/listinfo/ale</a><br></blockquote></div><br></body></html>