pam_ccreds
Scott Ryan
scott at staff.telkomsa.net
Fri Apr 22 10:50:37 UTC 2005
Hi, I am trying to get disconnected login working using pam_ccreds. I have set up LDAP authentication and patched ssh to obtain the user's keys, which are also stored in LDAP.

When LDAP is available, it works: users can log in with no problems. When LDAP is not available, I have a local script to collect the ssh keys from LDAP and store them locally on the individual hosts. I also set nsswitch.conf to use "files ldap db". My /etc/pam.d/system-auth is set to use pam_ccreds, and to top it off I use nss_updatedb to obtain passwd and group info from LDAP and cache it in /var/db every hour.

OK, here is the issue: when LDAP is not available, sshd can get the key locally, but then pam_ldap fails and causes a fatal error, so the users cannot log in.

However, if I run getent passwd <user> or getent group <group> when LDAP is not available, information is returned.

I read this article:
http://fcp.homelinux.org/modules/newbb/viewtopic.php?topic_id=6757&viewmode=flat&order=ASC&start=0
(halfway down the page), which leads me to believe that it can be done, just a matter of how...

Here is my system-auth file:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
#auth       sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
#auth       sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
#auth       required      /lib/security/$ISA/pam_deny.so
auth        [user_unknown=ignore authinfo_unavail=ignore authtok_err=ignore default=done] pam_unix.so
auth        [authinfo_unavail=ignore success=1 default=2] pam_ldap.so use_first_pass
auth        [default=done] pam_ccreds.so action=validate use_first_pass
auth        [default=done] pam_ccreds.so action=store
auth        optional      pam_ccreds.so action=update
auth        required      /lib/security/$ISA/pam_deny.so
account     required      /lib/security/$ISA/pam_unix.so broken_shadow
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
account     required      /lib/security/$ISA/pam_permit.so
password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3 minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so
session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_ldap.so
session     optional      pam_mkhomedir.so
Any help would be very much appreciated.
--
Regards,
slr +++ ISP Systems Specialist +++ Telkom Internet +++
key: 0x0B65ABDC - http://wwwkeys.pgp.net:11371
-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GIT/MU/E d? s+:+ a- C++++>+++++ USL++++$ P++++ !E(---)W+@ !N
o?(--) K? !w(---) O- M+ V PS+@ PE Y-- PGP++>+++ !t(---) !5 !X
R-- !tv b(++) DI++ !D(----) G+++>++++ e++>* h----(*) r+++ y++++
------END GEEK CODE BLOCK------
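A way to see why a stack like the one posted behaves as described, added here as an illustration and not part of the original message: a small Python evaluator of Linux-PAM control flags, run over the posted auth and account sections with assumed module return values. The assumptions are that pam_ldap returns PAM_AUTHINFO_UNAVAIL whenever the directory cannot be contacted, that pam_unix returns the same for a user who has no local shadow entry, that pam_succeed_if fails for an ordinary uid, and that pam_ccreds action=validate succeeds exactly when the cached password matches. The flag handling is a simplified rendering of Linux-PAM's dispatcher (a jump is treated as ok plus skipping N entries), and the "tolerant" account stack, which adds authinfo_unavail=ignore to the pam_ldap account line, is an assumed variant for comparison, not the poster's file.

```python
"""Trace Linux-PAM control-flag evaluation over the posted auth and account
stacks with the directory reachable and unreachable.

Constructed example: every module return value below is an assumption about
what pam_unix, pam_ldap, pam_succeed_if and pam_ccreds return; nothing is
captured from a real host.
"""

PAM_SUCCESS = "success"
PAM_AUTH_ERR = "auth_err"
PAM_AUTHINFO_UNAVAIL = "authinfo_unavail"

# Keyword controls expanded as pam.d(5) documents them.
KEYWORDS = {
    "required":   "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "requisite":  "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
    "optional":   "[success=ok new_authtok_reqd=ok default=ignore]",
}


def parse_control(control):
    """Turn 'required' or '[success=1 default=2]' into a {retval: action} map."""
    control = KEYWORDS.get(control, control)
    if not (control.startswith("[") and control.endswith("]")):
        raise ValueError("bad control field: %r" % control)
    return dict(token.split("=", 1) for token in control[1:-1].split())


def run_stack(stack, results):
    """Evaluate a stack of (control, module, args) entries.

    results maps (module, args) to the return value assumed for the scenario.
    Returns (final return value, list of entries actually run).  Simplified
    rendering of Linux-PAM's pam_dispatch.c; a jump counts as 'ok' plus skip.
    """
    impression = None       # None: undecided, True: positive, False: negative
    status = PAM_AUTH_ERR   # what the stack yields if no entry ever decides
    invoked = []
    i = 0
    while i < len(stack):
        control, module, args = stack[i]
        i += 1
        actions = parse_control(control)
        retval = results[(module, args)]
        invoked.append((module + " " + args).strip())
        action = actions.get(retval, actions.get("default", "bad"))
        if action == "ignore":
            continue
        if action in ("ok", "done") or action.isdigit():
            # ok/done/jump only count while no earlier entry has failed
            if impression is None or (impression and status == PAM_SUCCESS):
                impression = (retval == PAM_SUCCESS)
                status = retval
            if action == "done" and impression:
                return status, invoked
            if action.isdigit():
                i += int(action)
        elif action in ("bad", "die"):
            # the first failure sticks; later successes cannot override it
            if impression is not False:
                impression = False
                status = retval
            if action == "die":
                return status, invoked
        else:
            raise ValueError("unsupported action %r" % action)
    return status, invoked


# The posted auth and account sections (module paths dropped; only the
# control field, module and arguments matter to the evaluation).
AUTH_STACK = [
    ("required", "pam_env.so", ""),
    ("[user_unknown=ignore authinfo_unavail=ignore authtok_err=ignore default=done]", "pam_unix.so", ""),
    ("[authinfo_unavail=ignore success=1 default=2]", "pam_ldap.so", "use_first_pass"),
    ("[default=done]", "pam_ccreds.so", "action=validate use_first_pass"),
    ("[default=done]", "pam_ccreds.so", "action=store"),
    ("optional", "pam_ccreds.so", "action=update"),
    ("required", "pam_deny.so", ""),
]
ACCOUNT_STACK_POSTED = [
    ("required", "pam_unix.so", "broken_shadow"),
    ("sufficient", "pam_succeed_if.so", "uid < 100 quiet"),
    ("[default=bad success=ok user_unknown=ignore]", "pam_ldap.so", ""),
    ("required", "pam_permit.so", ""),
]
# Assumed variant (not the poster's file): pam_ldap steps aside when the
# directory cannot be contacted instead of failing the account stack.
ACCOUNT_STACK_TOLERANT = [
    ACCOUNT_STACK_POSTED[0], ACCOUNT_STACK_POSTED[1],
    ("[default=bad success=ok user_unknown=ignore authinfo_unavail=ignore]", "pam_ldap.so", ""),
    ACCOUNT_STACK_POSTED[3],
]


def scenario(ldap_reachable, password_ok=True):
    """Assumed module return values for an LDAP-only user with uid >= 100."""
    ldap = PAM_SUCCESS if ldap_reachable else PAM_AUTHINFO_UNAVAIL
    verdict = PAM_SUCCESS if password_ok else PAM_AUTH_ERR
    return {
        ("pam_env.so", ""): PAM_SUCCESS,
        ("pam_unix.so", ""): PAM_AUTHINFO_UNAVAIL,   # no local shadow entry
        ("pam_ldap.so", "use_first_pass"): verdict if ldap_reachable else ldap,
        ("pam_ccreds.so", "action=validate use_first_pass"): verdict,
        ("pam_ccreds.so", "action=store"): PAM_SUCCESS,
        ("pam_ccreds.so", "action=update"): PAM_SUCCESS,
        ("pam_deny.so", ""): PAM_AUTH_ERR,
        ("pam_unix.so", "broken_shadow"): PAM_SUCCESS,
        ("pam_succeed_if.so", "uid < 100 quiet"): PAM_AUTH_ERR,
        ("pam_ldap.so", ""): ldap,
        ("pam_permit.so", ""): PAM_SUCCESS,
    }


if __name__ == "__main__":
    for label, stack, res in [
        ("auth, LDAP up", AUTH_STACK, scenario(True)),
        ("auth, LDAP down, cached password ok", AUTH_STACK, scenario(False)),
        ("auth, LDAP down, wrong password", AUTH_STACK, scenario(False, False)),
        ("account as posted, LDAP down", ACCOUNT_STACK_POSTED, scenario(False)),
        ("account tolerant, LDAP down", ACCOUNT_STACK_TOLERANT, scenario(False)),
    ]:
        print(label, "->", run_stack(stack, res))
```

Under these assumptions the auth section already does what the pam_ccreds layout intends: with the directory up, pam_ldap's success=1 skips the validate entry and the store entry ends the stack; with it down, authinfo_unavail=ignore lets evaluation fall through to validate, which ends the stack with the cached-credential verdict, and a wrong password still ends in failure through pam_deny. The account section is where the two scenarios part: the posted pam_ldap line maps PAM_AUTHINFO_UNAVAIL to default=bad, so an unreachable directory marks the whole account stack failed and the trailing pam_permit cannot undo it, whereas the tolerant variant lets pam_permit decide. When diagnosing a "fatal error" in disconnected mode, it is worth confirming from the sshd or PAM log which management group (auth, account or session) produced it before changing any control flags.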
More information about the fedora-list mailing list