List: secure-shell
Subject: Re: ssh, pam, and ldap
From: Richard Ray <rray () mstc ! state ! ms ! us>
Date: 2009-01-27 22:59:44
Message-ID: Pine.LNX.4.64.0901271656240.4506 () rray ! drdc ! mstc ! ms ! gov
On Tue, 27 Jan 2009, Jesse C. Waters wrote:
> Richard Ray wrote:
>> I have configured pam to authenticate ssh via ldap
>> No problems with that
>> How can I configure pam/ssh to use ldap for certain accounts only and unix
>> password for other accounts
>>
>> Running CentOS 5.2
>>
>> Thanks
>> Richard Ray
>>
>>
> that is controlled with your /etc/nsswitch.conf
>
> passwd files ldap
> group files ldap
>
> check if user exists in /etc/passwd 1st, then ldap
>
> so if you have a local account joe and an ldap account joe, it should use
> local account 1st. if you flip it around passwd ldap files then vs.
>
> to restrict certain ldap groups to logging in you need to add "pam_groupdn" to
> your ldap.conf file.
>
> All these relate to pam & ldap configurations, I am not a pam expert. Test
> your configs, make sure you didn't allow anyone into your system as root
> without a passwd. (did that once, glad it was a vm).
I am no pam expert, but this is what I came up with:
Create a local group ldap_users.
Add users to ldap_users that will authenticate via ldap.
This is my /etc/pam.d/sshd:
auth     required   pam_nologin.so
auth     required   pam_localuser.so
auth     required   pam_env.so
auth     sufficient pam_unix.so try_first_pass nullok
auth     required   pam_succeed_if.so debug user ingroup ldap_users
auth     sufficient /lib/security/pam_ldap.so
auth     required   pam_deny.so
account  required   pam_nologin.so
account  sufficient /lib/security/pam_ldap.so
account  include    system-auth
password sufficient /lib/security/pam_ldap.so
password include    system-auth
session  optional   pam_keyinit.so force revoke
session  include    system-auth
It works for me.
I would appreciate a bit of scrutiny.
Richard
>
> HTH,
>
> Jesse Waters
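As an added illustration (not part of this thread, and not code from either poster), the following Python script walks the auth section of the posted /etc/pam.d/sshd under Linux-PAM's control-flag rules, using constructed stand-ins for /etc/shadow, /etc/group and the LDAP directory so it runs offline. It makes two properties of the posted stack visible: because pam_unix is "sufficient" and sits before the group test, a member of ldap_users who also has a valid local password is accepted through the local path, and "nullok" accepts a local account whose password field is empty without any password at all (sshd's own PermitEmptyPasswords setting, which defaults to no, is a separate layer in front of PAM). The tightened variant at the end is my suggestion rather than something from the thread; it uses Linux-PAM's real "[success=N default=ignore]" control syntax to send ldap_users members straight to pam_ldap and drops nullok. The module models are deliberately simplified (pam_env never fails, "debug" is ignored, and "optional" entries are treated as ignored).

```python
import hashlib

# --- Constructed sample data (not real system files) ------------------------
# Stand-in for /etc/shadow: user -> stored password ("" = empty field, "!" = locked).
# Real shadow entries hold crypt(3) hashes; SHA-256 is used here only so the
# simulation runs offline without the crypt module.
def sha(pw):
    return hashlib.sha256(pw.encode()).hexdigest()

LOCAL_SHADOW = {"alice": sha("alice-pw"), "bob": "!", "carol": sha("carol-local"), "eve": ""}
LOCAL_GROUPS = {"ldap_users": {"bob", "carol"}}          # stand-in for /etc/group
LDAP_PASSWORDS = {"bob": "bob-ldap", "carol": "carol-ldap", "dave": "dave-ldap"}  # stand-in directory
NOLOGIN_FILE_EXISTS = False                                # /etc/nologin is absent

# --- Simplified models of the modules used in the posted stack --------------
def pam_nologin(user, pw, opts):
    return not NOLOGIN_FILE_EXISTS

def pam_localuser(user, pw, opts):
    return user in LOCAL_SHADOW            # user must exist in the local passwd file

def pam_env(user, pw, opts):
    return True                            # only sets environment; never fails auth

def pam_unix(user, pw, opts):
    stored = LOCAL_SHADOW.get(user)
    if stored is None or stored.startswith("!"):
        return False                       # no local entry, or locked
    if stored == "":
        return "nullok" in opts            # empty field: accepted with nullok, no password needed
    return stored == sha(pw)

def pam_succeed_if(user, pw, opts):
    # Handles "user ingroup G" / "user notingroup G"; "debug" only adds syslog output.
    _, cond, group = [o for o in opts if o != "debug"]
    member = user in LOCAL_GROUPS.get(group, set())
    return member if cond == "ingroup" else not member

def pam_ldap(user, pw, opts):
    return LDAP_PASSWORDS.get(user) == pw  # stands in for a simple bind as the user

def pam_deny(user, pw, opts):
    return False

MODULES = {"pam_nologin.so": pam_nologin, "pam_localuser.so": pam_localuser,
           "pam_env.so": pam_env, "pam_unix.so": pam_unix,
           "pam_succeed_if.so": pam_succeed_if, "pam_ldap.so": pam_ldap,
           "pam_deny.so": pam_deny}

def run_auth_stack(stack, user, pw):
    """Walk an auth stack with Linux-PAM control-flag semantics (simplified:
    'optional' is treated as ignored and only [success=N default=ignore]
    is understood of the bracketed syntax). Returns True if auth succeeds."""
    failed = False
    i = 0
    while i < len(stack):
        control, module, *opts = stack[i]
        ok = MODULES[module.rsplit("/", 1)[-1]](user, pw, opts)
        if control.startswith("[success="):
            if ok:                          # skip the next N entries
                i += int(control.split("=")[1].split()[0])
        elif control == "required":
            failed = failed or not ok       # keep going, but the stack will fail
        elif control == "requisite":
            if not ok:
                return False
        elif control == "sufficient":
            if ok and not failed:
                return True                 # an earlier 'required' failure still wins
        i += 1
    return not failed

# The auth lines exactly as posted in the thread.
POSTED_STACK = [
    ("required", "pam_nologin.so"),
    ("required", "pam_localuser.so"),
    ("required", "pam_env.so"),
    ("sufficient", "pam_unix.so", "try_first_pass", "nullok"),
    ("required", "pam_succeed_if.so", "debug", "user", "ingroup", "ldap_users"),
    ("sufficient", "/lib/security/pam_ldap.so"),
    ("required", "pam_deny.so"),
]

# Tightened variant (my suggestion, not from the thread): ldap_users members jump
# over pam_unix and its pam_deny straight to pam_ldap; everyone else only ever
# reaches pam_unix, and nullok is dropped.
TIGHTENED_STACK = [
    ("required", "pam_nologin.so"),
    ("required", "pam_localuser.so"),
    ("required", "pam_env.so"),
    ("[success=2 default=ignore]", "pam_succeed_if.so", "user", "ingroup", "ldap_users"),
    ("sufficient", "pam_unix.so", "try_first_pass"),
    ("required", "pam_deny.so"),
    ("sufficient", "/lib/security/pam_ldap.so"),
    ("required", "pam_deny.so"),
]

if __name__ == "__main__":
    for user, pw in [("alice", "alice-pw"), ("bob", "bob-ldap"), ("carol", "carol-local"),
                     ("dave", "dave-ldap"), ("eve", "")]:
        print(f"{user:6} {pw!r:14} posted={run_auth_stack(POSTED_STACK, user, pw)!s:5} "
              f"tightened={run_auth_stack(TIGHTENED_STACK, user, pw)}")
```

In the constructed data, carol is in ldap_users but still has a usable local password, and eve has an empty password field; the posted stack accepts both carol's local password and eve with no password, while the tightened stack rejects both and still lets alice (local only) and bob (LDAP only) in. dave, who exists only in the directory, is rejected by both stacks because pam_localuser requires a local passwd entry, which matches the approach in the reply of creating local accounts for LDAP users.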