ssh public keys and pam
Daniel Jacober
daniel.jacober at gmail.com
Sat Oct 15 23:13:50 UTC 2005
Hi all,

After studying documentation and searching Google for several hours,
I'm posting this message here in the hope of finding someone able
to answer my questions.

Here's what I'm trying to do:
I would like to store my public keys centrally on an LDAP server and
redirect public key authentication with PAM to the LDAP server. I
read on
http://www.opensolaris.org/jive/thread.jspa?threadID=614&tstart=15
that there are some issues with the pam_ldap module and public key
login, so therefore I decided to write my own module.

The only trouble is that I can do whatever I want, but I can't get the
key sent by the ssh client into my pam module. It seems as if ssh
completely ignores pam when I log in with public keys. If I put the
authorized_keys file in place, the login succeeds without taking
notice of the pam modules. If I remove the files I can't get hold of
the public keys.

I read in a newsgroup article that I should use pam_listfile, but this
didn't help either.

Here's my current pam config:
sshhost pam.d # cat sshd
#%PAM-1.0
auth       required     /lib/security/pam_nologin.so
auth       required     /lib/security/pam_listfile.so item=user sense=allow onerr=fail file=/etc/listfile.conf
auth       required     /lib/security/pam_ldap_pkey.so
auth       sufficient   /lib/security/pam_ldap.so
auth       required     /lib/security/pam_unix.so shadow nullok use_first_pass
account    required     /lib/security/pam_listfile.so item=user sense=allow onerr=fail file=/etc/listfile.conf
account    sufficient   /lib/security/pam_ldap.so
account    required     /lib/security/pam_unix.so
password   required     /lib/security/pam_cracklib.so
password   required     /lib/security/pam_unix.so nullok use_authtok shadow
session    required     /lib/security/pam_unix.so

If anyone has an idea help would be greatly appreciated.
Regards Daniel