[ale] ssh + ldap

Kenneth Ratliff lists at noctum.net
Thu Mar 19 08:51:48 EDT 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


On Mar 19, 2009, at 8:21 AM, Jerald Sheets wrote:

> Why not use the PAM integration to LDAP through your /etc/pam.d/system-auth and/or sshd files? That way, let PAM manage the communication with LDAP on behalf of SSH.
>
> There are also some really cool features of group-based authentication/access in /etc/security/access.conf you should look at. It's the first time I've had the opportunity to use it, and it's quite nice.
>
> It seems a little redundant to not just tie PAM in rather than tying both PAM and sshd in.
>
> Or maybe I'm not understanding the way you're implementing it. Could you expand a little on that? (I'm doing the same thing for CNN right now.)

I actually am using PAM: if I ssh in with a user that's not local, it authenticates them through LDAP via PAM, creates their home directory, etc.

However, as near as I can tell, sshd totally ignores PAM when you're trying to use keys. It will always look at ~/.ssh/authorized_keys(2) when trying to match a public key, and then prompt for a password if it can't find one (assuming you haven't disabled interactive logins).

If you know of a way to force sshd to do public key auth against LDAP via PAM without having to patch OpenSSH, I'd love to hear it.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (Darwin)

iEYEARECAAYFAknCP+cACgkQXzanDlV0VY748ACgpdcFNqf5lyzSBP0JSTaZbdGm
mI8AoNZa0wOhVnnWGvFoRjQbGJsKFHM9
=/quA
-----END PGP SIGNATURE-----
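Editor's note, added to this archived message and not part of the original thread: the behaviour Kenneth describes is correct for 2009-era OpenSSH, which only consults AuthorizedKeysFile for public-key authentication and never involves PAM in the key lookup. The unpatched answer arrived later, in OpenSSH 6.2 (2013): the AuthorizedKeysCommand option lets sshd ask an external program for a user's keys, so the keys can live in LDAP (for example in the sshPublicKey attribute of the openssh-lpk schema) without touching sshd's source. The script below is an illustrative implementation, not the project's own code; the LDAP URI, base DN, attribute name and script path are assumptions, and the LDIF sample is constructed so the parsing part runs offline.

```shell
#!/bin/sh
# Added example (not from the original thread): feed LDAP-stored public keys to
# sshd via AuthorizedKeysCommand (OpenSSH >= 6.2). Assumed sshd_config lines:
#
#   AuthorizedKeysCommand /usr/local/sbin/ldap-authorized-keys
#   AuthorizedKeysCommandUser nobody
#   AuthorizedKeysFile none        # optional: stop falling back to ~/.ssh/authorized_keys
#
# sshd runs the command with the login name as its single argument, and it
# refuses to run a command that is not owned by root or is group/world writable.
# Because every key line this prints is an authorization decision, write access
# to the sshPublicKey attribute in the directory must be locked down as tightly
# as write access to authorized_keys itself.

# Assumed directory parameters; override from the environment for a real deployment.
LDAP_URI=${LDAP_URI:-ldap://ldap.example.com}
LDAP_BASE=${LDAP_BASE:-ou=people,dc=example,dc=com}

# Turn ldapsearch LDIF output into authorized_keys lines.
# Handles LDIF line folding (a continuation line begins with one space, which is
# removed when the pieces are joined). Base64-encoded values ("sshPublicKey::")
# are not expected for ASCII key material and are deliberately ignored.
ldif_to_keys() {
    awk '
        function emit() {
            if (buf ~ /^sshPublicKey: /) {
                sub(/^sshPublicKey: /, "", buf)
                print buf
            }
            buf = ""
        }
        /^ /  { buf = buf substr($0, 2); next }   # folded continuation of previous line
              { emit(); buf = $0 }                 # any other line starts a new attribute
        END   { emit() }
    '
}

# Look up one user's keys. Returns non-zero (printing nothing) for unsafe names so
# the login name can never rewrite the LDAP filter, e.g. "bob)(uid=*".
ldap_authorized_keys() {
    user=$1
    [ -n "$user" ] || return 1
    case $user in
        *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    # -x: simple bind (anonymous read of sshPublicKey assumed permitted here)
    # -LLL: plain LDIF, no version line or comments
    ldapsearch -x -LLL -H "$LDAP_URI" -b "$LDAP_BASE" \
        "(&(objectClass=ldapPublicKey)(uid=$user))" sshPublicKey | ldif_to_keys
}

# Constructed sample of what ldapsearch -LLL prints for a user with two keys,
# the second one folded across lines the way LDIF wraps long values.
sample_ldif() {
    printf '%s\n' \
        'dn: uid=alice,ou=people,dc=example,dc=com' \
        'sshPublicKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGNvbnN0cnVjdGVkc2FtcGxla2V5 alice' \
        'sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAAD' \
        ' AQABAAABAQC0 alice@laptop' \
        ''
}

# Offline demonstration of the parsing step on the constructed sample.
demo_keys() { sample_ldif | ldif_to_keys; }

# When installed as the AuthorizedKeysCommand, sshd supplies the login name.
if [ -n "${1-}" ]; then
    ldap_authorized_keys "$1"
fi
```

Note what this does and does not change: authentication is still sshd's own public-key check, PAM still runs afterwards for account and session handling (home directory creation, access.conf restrictions), and only the source of the key list has moved from the filesystem into the directory. If AuthorizedKeysFile is left at its default, sshd still falls back to ~/.ssh/authorized_keys when the command returns nothing.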


