[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: ssh public keys and pam



(the following refers to OpenSSH's sshd and may or may not apply to other implementations.)

Stanislav Sedov wrote:
It seems that SSH can't fetch keys using PAM or LDAP.

For the vanilla distribution that's true. As others have mentioned, there's patches to do this.

Furthermore,
SSHd don't use PAM in case if user is authentificating using public keys.

That's not correct. Even if you're authenticating via public-key, as long as UsePAM is enabled in sshd_config then pam_acct_mgmt(), pam_setcred and pam_open_session() are still used.

You must patch SSHd to fetch keys from LDAP, or write PAM module
that will communicate with ssh client and verify keys manually.
Probably, this can't be achived, because you must initiate
key exchange procedure with client.

There's no mechanism for communicating public key information between a PAM app and PAM modules (at least, none that I'm aware of, and if there is one I would be interested in hearing about it).

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]