ssh public keys and pam

Daniel Jacober daniel.jacober at gmail.com
Sat Oct 15 23:13:50 UTC 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi all

After studying documentation and searching Google for several hours,
I'm posting this message here in the hope of finding someone able to
answer my questions.

Here's what I'm trying to do:
I would like to store my public keys centrally on an LDAP server and
redirect public key authentication with PAM to the LDAP server. I
read on

http://www.opensolaris.org/jive/thread.jspa?threadID=614&tstart=15

that there are some issues with the pam_ldap module and public key login,
so I decided to write my own module.
The only trouble is that whatever I do, I can't get the key sent by the
ssh client into my PAM module. It seems as if ssh completely ignores PAM
when I log in with public keys. If I put an authorized_keys file in
place, the login succeeds without taking notice of the PAM modules. If I
remove the file, I can't get hold of the public keys.

I read in a newsgroup article that I should use pam_listfile, but this
didn't help either.
Here's my current pam config:

sshhost pam.d # cat sshd
#%PAM-1.0

auth       required     /lib/security/pam_nologin.so
auth       required     /lib/security/pam_listfile.so item=user sense=allow onerr=fail file=/etc/listfile.conf
auth       required     /lib/security/pam_ldap_pkey.so
auth       sufficient   /lib/security/pam_ldap.so
auth       required     /lib/security/pam_unix.so shadow nullok use_first_pass

account    required     /lib/security/pam_listfile.so item=user sense=allow onerr=fail file=/etc/listfile.conf
account    sufficient   /lib/security/pam_ldap.so
account    required     /lib/security/pam_unix.so

password   required     /lib/security/pam_cracklib.so
password   required     /lib/security/pam_unix.so nullok use_authtok shadow

session    required     /lib/security/pam_unix.so

If anyone has an idea help would be greatly appreciated.

Regards Daniel

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFDUY0t+Jpc4lzks7cRAifCAKCY83b76cFeJizrXbwlqBJw5CbB2gCfZRg2
4vYGNSQpiM5paoz7uz3+DPA=
=Lv89
-----END PGP SIGNATURE-----
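Editor's note on the behaviour described above: sshd performs publickey authentication itself, before and independently of PAM. With UsePAM yes, PAM's account and session stacks still run for a publickey login, but the auth stack is only used for password and keyboard-interactive authentication, so no PAM auth module will ever see the client's key, however the stack is ordered. The supported way to serve keys from a directory is the AuthorizedKeysCommand directive added in OpenSSH 6.2 (2013, years after this post): sshd runs a program with the login name and reads authorized_keys lines from its stdout. The script below is an added example of such a program, not code from the original post or from the Pam-list thread. It assumes a hypothetical openssh-lpk style schema where keys are stored in a multi-valued sshPublicKey attribute on the user's posixAccount entry, plus placeholder LDAP_URI and LDAP_BASE values; the LDIF it parses when SSHKEY_LDAP_STUB is set is constructed sample data so the script can be exercised offline, and the second sample key is folded across two lines the way ldapsearch wraps long values by default, which is the usual reason naive `grep sshPublicKey` wrappers silently produce truncated keys.

```shell
#!/bin/sh
# Example AuthorizedKeysCommand helper (added example, not from the original
# post): print the authorized_keys lines for one user, taken from LDAP.
# Wire it into sshd_config as
#   AuthorizedKeysCommand /usr/local/sbin/ldap-authorized-keys %u
#   AuthorizedKeysCommandUser nobody
# Assumptions (hypothetical): keys live in the multi-valued attribute
# sshPublicKey (openssh-lpk style) under LDAP_BASE, reachable at LDAP_URI.

LDAP_URI="${LDAP_URI:-ldap://ldap.example.com}"          # assumed placeholder
LDAP_BASE="${LDAP_BASE:-ou=People,dc=example,dc=com}"    # assumed placeholder
KEY_ATTR="sshPublicKey"

# sshd hands us %u verbatim and we interpolate it into an LDAP filter, so only
# accept a conservative username alphabet; ')' '*' '(' etc. are refused
# outright rather than escaped.
valid_username() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Return the user's entry as LDIF. With SSHKEY_LDAP_STUB set, emit constructed
# sample LDIF instead of querying LDAP. The second key is folded exactly as
# ldapsearch folds long values: the continuation line starts with one space.
fetch_ldif() {
    if [ -n "${SSHKEY_LDAP_STUB:-}" ]; then
        case "$1" in
            alice) printf '%s\n' \
                'dn: uid=alice,ou=People,dc=example,dc=com' \
                'uid: alice' \
                'sshPublicKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleKeyNotARealOne alice@laptop' \
                'sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQConstructedSampleRsaKeyPart1' \
                ' Part2ContinuesTheSameBase64 alice@desktop' \
                '' ;;
            *) ;;   # unknown user: empty result set, so no keys
        esac
        return 0
    fi
    ldapsearch -LLL -x -H "$LDAP_URI" -b "$LDAP_BASE" \
        "(&(objectClass=posixAccount)(uid=$1))" "$KEY_ATTR"
}

# Unfold LDIF continuation lines, then print the value of each KEY_ATTR line.
# Attribute names are matched case-insensitively. Base64 values ("attr:: ...")
# never match "attr: " and are dropped: a usable key line is plain ASCII.
extract_keys() {
    awk -v attr="$KEY_ATTR" '
        function flush() {
            if (tolower(line) ~ ("^" tolower(attr) ": ")) {
                sub(/^[^:]*: /, "", line)
                print line
            }
            line = ""
        }
        /^ /  { line = line substr($0, 2); next }   # fold continuation
              { flush(); line = $0 }
        END   { flush() }
    '
}

# Entry point for sshd: one argument, the login name. On a non-zero exit
# sshd logs the failure and discards whatever was printed, so failing closed
# here cannot accidentally authorize a partial or unvalidated key list.
authorized_keys_for() {
    valid_username "$1" || { echo "refusing suspicious username" >&2; return 1; }
    fetch_ldif "$1" | extract_keys
}

[ $# -eq 0 ] || authorized_keys_for "$1"
```

Run it by hand as `SSHKEY_LDAP_STUB=1 sh ldap-authorized-keys alice` to see the two unfolded key lines, then drop the stub variable and point LDAP_URI and LDAP_BASE at the real directory. Keep the script owned by root and not world-writable, since sshd will trust whatever it prints as if it were the user's own authorized_keys file.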




More information about the Pam-list mailing list