Hi,

I am working on the following SSH solution and I need some help:

1. User ssh against my node where he/she does not have an account
2. Firstly the node synchronizes its user database from a remote db with ldap. (just refresh the database, no authentication here)
3. Authenticate the user with a PAM module

I am using my synchronisation script as a PAM module but it seems that the authentication PAM module cannot authenticate the user if the user is created in the previous PAM module. (my guess is authctxt contains bad values -> fakepw)

Is there any working solution or do I have to hack auth1.c in order to do the synchronization before user verification?

BR,
zgabe
On Tue, Nov 22, 2011 at 08:57:53 -0600, Gábor Zöld wrote:
> Hi,
>
> I am working on the following SSH solution and I need some help:
> 1. User ssh against my node where he/she does not have an account
> 2. Firstly the node synchronize its user database from a remote db
> with ldap. (just refresh the database, no authentication here)
> 3. Authenticate the user with a PAM module
>
> I am using my synchronisation script as a PAM module but it seems that
> the authentication PAM module cannot authenticate the user if user is
> created in the previous PAM module. (my guess is authctxt contains bad
> values -> fakepw)
> Is there any working solution or I have to hack auth1.c in order to do
> the synchronization before user verification?
>

This might be a bit easier to answer if you indicated which OS and PAM modules you are using. But since you didn't, I'll assume some variant of Linux and pam_ldap.

The easiest thing would be to use pam_ldap to query LDAP directly for the account information. However, I presume you've already considered and rejected that approach for some reason.

In our environment, the PAM stack is configured to query LDAP directly. For various reasons, we also synchronize /etc/{passwd,shadow,group} with LDAP. This is done via a cronjob rather than being triggered by a user login attempt.

--
Iain Morgan
Gábor Zöld <zgabe84 at gmail.com> writes:
> I added the following line to /etc/pam.d/sshd to retrieve account
> information and I modified nsswitch too. (passwd: files ldap, group:
> files ldap)
> account required /usr/local/lib/pam_ldap.so

The "account" service is not used to "retrieve account information". It is used after authentication has succeeded to determine whether the account is valid, whether a password change is required etc.

PAM only provides authentication and authorization; NSS is responsible for identification. Greatly simplified, identification is "who is Joe Bloggs?", authentication is "can you prove that you're Joe Bloggs?" and authorization is "is Joe Bloggs allowed to do this?"

The following article is a decent introduction to PAM: http://www.freebsd.org/doc/en_US.ISO8859-1/articles/pam/article.html

DES
--
Dag-Erling Smørgrav - des at des.no
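As an added illustration of the layering DES describes (not configuration posted in this thread), here is how the identification / authentication / authorization split maps onto files on a Linux host using pam_ldap, as Iain assumed; module paths and options are the common distribution defaults and are assumptions, not the original poster's setup:

```conf
# /etc/nsswitch.conf -- identification: "who is Joe Bloggs?"
# NSS must resolve the login name to a passwd entry before sshd asks
# PAM anything; a name unknown to NSS never reaches a usable auth
# context (the "fakepw" the original poster observed). Ordering
# "files ldap" makes local accounts win and falls back to the directory.
passwd: files ldap
group:  files ldap
shadow: files ldap

# /etc/pam.d/sshd -- authentication and authorization only; PAM does
# not create or look up accounts, so a "sync" module here runs too late.

# auth: "can you prove that you're Joe Bloggs?"
auth     required   pam_env.so
auth     sufficient pam_unix.so try_first_pass
auth     required   pam_ldap.so use_first_pass

# account: "is Joe Bloggs allowed to do this?" Runs only after auth
# succeeded; checks expiry, locked status, host/time restrictions. It
# does NOT "retrieve account information", which is NSS's job above.
account  required   pam_unix.so broken_shadow
account  sufficient pam_localuser.so
account  [default=bad success=ok user_unknown=ignore] pam_ldap.so

# password / session stay out of the identification problem entirely.
password required   pam_unix.so sha512 shadow use_authtok
password required   pam_ldap.so use_authtok
session  required   pam_unix.so
```

If the directory is the source of truth, `getent passwd <name>` returning an entry is the check that identification works before any PAM debugging starts; a refresh of local files belongs in a cron job, as Iain notes, not in the PAM stack.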