Mailing List Archive

ssh, pam, and ldap
I have configured PAM to authenticate SSH via LDAP.
No problems with that.
How can I configure PAM/ssh to use LDAP for certain accounts only and the Unix
password for other accounts?

Running CentOS 5.2

Thanks
Richard Ray
Re: ssh, pam, and ldap
Richard Ray wrote:
> I have configured pam to authenticate ssh via ldap
> No problems with that
> How can I configure pam/ssh to use ldap for certain accounts only and
> unix password for other accounts
>
> Running CentOS 5.2
>
> Thanks
> Richard Ray
>
>
That is controlled with your /etc/nsswitch.conf:

passwd files ldap
group files ldap

Check if the user exists in /etc/passwd first, then LDAP.

So if you have a local account joe and an LDAP account joe, it should
use the local account first. If you flip it around (passwd ldap files), then vice versa.

To restrict certain LDAP groups to logging in, you need to add "pam_groupdn"
to your ldap.conf file.

All these relate to PAM & LDAP configurations; I am not a PAM expert.
Test your configs, make sure you didn't allow anyone into your system as
root without a password. (Did that once, glad it was a VM.)

HTH,

Jesse Waters
Re: ssh, pam, and ldap
On Tue, 27 Jan 2009, Jesse C. Waters wrote:

> Richard Ray wrote:
>> I have configured pam to authenticate ssh via ldap
>> No problems with that
>> How can I configure pam/ssh to use ldap for certain accounts only and unix
>> password for other accounts
>>
>> Running CentOS 5.2
>>
>> Thanks
>> Richard Ray
>>
>>
> that is controlled with your /etc/nsswitch.conf
>
> passwd files ldap
> group files ldap
>
> check if user exists in /etc/passwd 1st, then ldap
>
> so if you have a local account joe and an ldap account joe, it should use
> local account 1st. if you flip it around passwd ldap files then vs.
>
> to restrict certain ldap groups to logging in you need add "pam_groupdn" to
> your ldap.conf file.
>
> All these relate to pam & ldap configurations, I am not a pam expert. Test
> your configs, make sure you didn't allow anyone into your system as root
> without a passwd. (did that once, glad it was a vm).

I am no PAM expert, but this is what I came up with:
Create a local group ldap_users.
Add the users that will authenticate via LDAP to ldap_users.
This is my /etc/pam.d/sshd:

auth required pam_nologin.so
auth required pam_localuser.so
auth required pam_env.so
auth sufficient pam_unix.so try_first_pass nullok
auth required pam_succeed_if.so debug user ingroup ldap_users
auth sufficient /lib/security/pam_ldap.so
auth required pam_deny.so
account required pam_nologin.so
account sufficient /lib/security/pam_ldap.so
account include system-auth
password sufficient /lib/security/pam_ldap.so
password include system-auth
session optional pam_keyinit.so force revoke
session include system-auth

It works for me.
I would appreciate a bit of scrutiny.

Richard


>
> HTH,
>
> Jesse Waters
>
>
>
>
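The scrutiny Richard asks for starts with walking the posted auth stack by hand under Linux-PAM's control-flag rules: a failed "required" module is remembered while the stack keeps running, a "sufficient" module ends the stack with success only if no earlier "required" module has failed, and "requisite" stops immediately on failure. The script below is an added example, not code from the thread or from any PAM project; it applies those rules to the exact auth lines posted above. The User record, the five constructed accounts and every per-module outcome (fake_crypt standing in for crypt(3), pam_localuser modelled as a direct /etc/passwd lookup, pam_succeed_if modelled only for the "user ingroup" predicate used in the post) are hypothetical stand-ins assumed for the simulation.

```python
"""Walk an sshd PAM 'auth' stack the way Linux-PAM does, to see which path
a given account takes.  Added example, not from the thread; the per-module
outcomes below are hypothetical stand-ins for what the real modules check."""
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# The 'auth' lines from Richard's /etc/pam.d/sshd, as (control, module, args).
AUTH_STACK: List[Tuple[str, str, str]] = [
    ("required",   "pam_nologin",    ""),
    ("required",   "pam_localuser",  ""),
    ("required",   "pam_env",        ""),
    ("sufficient", "pam_unix",       "try_first_pass nullok"),
    ("required",   "pam_succeed_if", "debug user ingroup ldap_users"),
    ("sufficient", "pam_ldap",       ""),
    ("required",   "pam_deny",       ""),
]


@dataclass
class User:
    """Constructed account state (hypothetical, not read from any real system)."""
    name: str
    in_etc_passwd: bool          # pam_localuser looks in /etc/passwd directly
    unix_hash: Optional[str]     # None = locked ('!'), '' = empty password field
    local_groups: Set[str]       # membership as seen in /etc/group
    ldap_bind_ok: bool           # would an LDAP bind with this password succeed?
    supplied_password: str


def fake_crypt(password: str) -> str:
    """Stand-in for crypt(3); only equality matters for the simulation."""
    return hashlib.sha256(password.encode()).hexdigest()


def module_result(module: str, args: str, user: User, nologin_present: bool = False) -> bool:
    """Hypothetical outcome of one module for this user."""
    tokens = args.split()
    if module == "pam_nologin":
        return not nologin_present           # /etc/nologin blocks non-root logins
    if module == "pam_localuser":
        return user.in_etc_passwd
    if module == "pam_env":
        return True                          # only sets environment variables
    if module == "pam_unix":
        if user.unix_hash is None:
            return False                     # locked account
        if user.unix_hash == "":
            return "nullok" in tokens        # empty password passes only with nullok
        return user.unix_hash == fake_crypt(user.supplied_password)
    if module == "pam_succeed_if":
        # Only the "user ingroup <group>" predicate used in the post is modelled.
        if "ingroup" in tokens:
            return tokens[tokens.index("ingroup") + 1] in user.local_groups
        return False
    if module == "pam_ldap":
        return user.ldap_bind_ok
    if module == "pam_deny":
        return False
    raise ValueError(f"unmodelled module {module}")


def evaluate(stack, user: User, nologin_present: bool = False) -> Tuple[bool, List[str]]:
    """Apply the required/requisite/sufficient/optional control semantics.

    Returns (authenticated, trace).  A failed 'required' module is remembered but
    the stack keeps running; a successful 'sufficient' module ends the stack with
    success only if no earlier 'required' module has failed."""
    failed_required = False
    trace = []
    for control, module, args in stack:
        ok = module_result(module, args, user, nologin_present)
        trace.append(f"{control:<10} {module:<15} -> {'ok' if ok else 'FAIL'}")
        if control == "required" and not ok:
            failed_required = True
        elif control == "requisite" and not ok:
            return False, trace
        elif control == "sufficient" and ok and not failed_required:
            return True, trace
        # 'optional' never decides the result here
    return not failed_required, trace


def strip_option(stack, module: str, option: str):
    """Return a copy of the stack with one option removed from one module."""
    return [(c, m, " ".join(t for t in a.split() if t != option) if m == module else a)
            for c, m, a in stack]


# Constructed accounts covering the cases a reviewer would want to check.
USERS = [
    User("alice", True,  fake_crypt("correct-horse"), set(),          False, "correct-horse"),
    User("bob",   True,  None,                        {"ldap_users"}, True,  "ldap-pass"),
    User("carol", False, None,                        {"ldap_users"}, True,  "ldap-pass"),
    User("dave",  True,  fake_crypt("secret"),        set(),          True,  "wrong"),
    User("erin",  True,  "",                          set(),          False, ""),
]


def scenarios(stack=AUTH_STACK) -> dict:
    """Map each constructed user to whether the given stack authenticates them."""
    return {u.name: evaluate(stack, u)[0] for u in USERS}


if __name__ == "__main__":
    for u in USERS:
        ok, trace = evaluate(AUTH_STACK, u)
        print(f"{u.name}: {'authenticated' if ok else 'denied'}")
        for line in trace:
            print("   ", line)
```

Running it prints the module-by-module trace for each constructed account. Two cases are worth reading closely: "carol", an account that exists only in LDAP, is stopped by the "required pam_localuser" line no matter what LDAP says, so this stack only works for users who also have an /etc/passwd entry; and "erin", a local account with an empty password field, is accepted at the pam_unix line purely because of the nullok option, which is the trap Jesse describes, and is denied again once strip_option removes it.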