[ale] ssh + ldap
Kenneth Ratliff
lists at noctum.net
Thu Mar 19 08:51:48 EDT 2009
On Mar 19, 2009, at 8:21 AM, Jerald Sheets wrote:
> Why not use the pam integration to LDAP through your /etc/pam.d/
> system-auth and/or sshd files. In that way, let pam manage the
> communication with LDAP on behalf of SSH.
>
> There's also some real cool features of group-based authentication/
> access in /etc/security/access.conf you should look at. It's the
> first time I've had opportunity to use it and is quite nice.
>
> It seems a little redundant to not just tie pam in rather than tying
> both pam and sshd in.
>
> Or, maybe I'm not understanding the way you're implementing. Could
> you expand a little on that? (I'm doing the same thing for CNN
> right now)
I actually am using PAM: if I ssh in with a user that's not local, it
authenticates them through LDAP via PAM, creates their home directory,
etc. etc.
However, near as I can tell, sshd totally ignores PAM when you're
trying to use keys and it will always look at ~/.ssh/authorized_keys(2)
when trying to match a public key, and then prompt
for a password if it can't find one (assuming you haven't disabled
interactive logins).
If you know of a way to force sshd to do public key auth to LDAP via
PAM without having to patch openssh, I'd love to hear it.
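The thread predates the mechanism OpenSSH later shipped for exactly this case: since OpenSSH 6.2, `AuthorizedKeysCommand` (with a mandatory `AuthorizedKeysCommandUser`) lets sshd ask an external program for a user's public keys instead of reading only `~/.ssh/authorized_keys`, so no patching is needed. The following is an added example, not code from either poster: a POSIX sh helper of the kind that command would point at, which turns `sshPublicKey` attribute values into authorized_keys lines. To run offline it parses a constructed LDIF snippet in place of real `ldapsearch` output; the attribute name `sshPublicKey` and the `uid=...,ou=people,dc=example,dc=com` layout are assumptions about how the directory is laid out.

```shell
#!/bin/sh
# Added example (not from the thread): an AuthorizedKeysCommand helper that
# emits one authorized_keys line per LDAP-stored public key of the login user.
#
# Assumed sshd_config fragment (OpenSSH 6.2 or later); sshd appends the login
# name as the command's single argument when no arguments are given:
#   AuthorizedKeysCommand /usr/local/sbin/ldap-authorized-keys
#   AuthorizedKeysCommandUser nobody
#
# Constructed LDIF standing in for the output of something like
#   ldapsearch -LLL -b ou=people,dc=example,dc=com "(uid=$user)" sshPublicKey
# Key blobs are placeholders, not real keys.
SAMPLE_LDIF='dn: uid=alice,ou=people,dc=example,dc=com
uid: alice
sshPublicKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyOnlyNotReal alice@laptop

dn: uid=bob,ou=people,dc=example,dc=com
uid: bob
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABExampleKeyOnlyNotReal bob@desk
sshPublicKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleSecondKeyNotReal bob@phone
'

# ldap_keys_for USER LDIF
# Prints the sshPublicKey values of the entry whose uid equals USER exactly.
# Only values that begin with a recognised key type are passed through, so a
# malformed or unrelated attribute value never reaches sshd's parser.
ldap_keys_for() {
    user=$1
    ldif=$2
    printf '%s\n' "$ldif" | awk -v want="$user" '
        /^dn:/               { in_entry = 0 }
        /^uid: /             { if ($2 == want) in_entry = 1 }
        /^sshPublicKey: / && in_entry {
            sub(/^sshPublicKey: /, "")
            if ($1 ~ /^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)|sk-ssh-ed25519@openssh\.com|sk-ecdsa-sha2-nistp256@openssh\.com)$/)
                print
        }'
}

# count_keys_for USER LDIF -> number of authorized_keys lines produced
count_keys_for() {
    ldap_keys_for "$1" "$2" | wc -l | tr -d ' '
}

# Stand-alone use: sshd supplies the login name as $1.
if [ -n "${1:-}" ]; then
    ldap_keys_for "$1" "$SAMPLE_LDIF"
fi
```

In production the helper would replace `SAMPLE_LDIF` with the live `ldapsearch` result and should exit non-zero on directory errors, which makes sshd fall back to the file-based lookup rather than silently granting nothing; keep the script owned by root and not group- or world-writable, since sshd refuses an `AuthorizedKeysCommand` that is not.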