
Re: ssh public keys and pam



I am not an expert on SSH, but storing the public key in LDAP would only allow you to authenticate the machine against the stored key in LDAP. I am a little bit in the dark as to how you would authenticate the user this way, unless you had the user enter the passphrase used to create the public key and use that as the PAM_AUTHTOK value.

Perhaps some more information on it?

Stanislav Sedov wrote:

On Thu, Oct 20, 2005 at 09:25:42PM +0000, Daniel Jacober wrote:

Jason

Yes, that's exactly what I would like to do.
I would like to store the SSH public keys in an LDAP directory
instead of storing them locally.
Then I would like to authenticate against those keys. This way I could
control access to all our servers via LDAP.

I first tried to hack the pam_ldap module, but I read about issues in a
newsgroup:

http://www.opensolaris.org/jive/thread.jspa?threadID=614&tstart=15

Therefore I tried to make my own module. But I can't find a way to get
the public key into the PAM module. All I get is the password after
SSH pubkey authentication fails.

Any hint on this subject is greatly appreciated.

Regards, Daniel

It seems that SSH can't fetch keys using PAM or LDAP. Furthermore,
sshd doesn't use PAM if the user is authenticating using public keys.

You must patch sshd to fetch keys from LDAP, or write a PAM module
that will communicate with the ssh client and verify keys manually.
Probably this can't be achieved, because you must initiate the
key exchange procedure with the client.

_______________________________________________
Pam-list mailing list
Pam-list redhat com
https://www.redhat.com/mailman/listinfo/pam-list


--
Jason Gerfen
Student Computing Labs, University Of Utah
jason gerfen scl utah edu

J. Willard Marriott Library
295 S 1500 E, Salt Lake City, UT 84112-0860
801-585-9810

"My girlfriend threatened to
leave me if I went boarding...
I will miss her."
~ DIATRIBE aka FBITKK
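Stanislav's point is why a PAM module cannot do this: sshd performs public-key authentication itself and never calls PAM for it, so the lookup has to hook sshd, which is what the `AuthorizedKeysCommand` directive (run as `AuthorizedKeysCommandUser`, OpenSSH 6.2 and later) provides instead of a source patch. The script below is an added example, not code from anyone in this thread: the filter such a command would run over the LDIF that `ldapsearch -LLL` returns for the user's entry, handing sshd only well-formed keys that belong to the requested account. It assumes the `sshPublicKey` attribute of the openssh-lpk schema; the DN and key material are constructed.

```python
import base64
ALLOWED_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"}  # anything else is dropped

def ssh_string(data):  # SSH wire-format string: 4-byte big-endian length + bytes
    return len(data).to_bytes(4, "big") + data

def parse_ldif(text):
    """Minimal one-entry LDIF reader: joins folded lines, decodes 'attr:: base64' values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]                  # folded continuation line
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, _, value = line.partition(":")
        if value.startswith(":"):                 # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode()
        entry.setdefault(attr.lower(), []).append(value.strip())
    return entry

def key_is_wellformed(line):
    """Accept 'type base64 [comment]' only if the blob's leading wire string is that type."""
    parts = line.split(None, 2)
    try:
        blob = base64.b64decode(parts[1], validate=True) if parts[0] in ALLOWED_TYPES else b""
    except (ValueError, IndexError):              # bad base64 (binascii.Error) or too few fields
        return False
    n = int.from_bytes(blob[:4], "big")           # short or junk blobs simply fail the compare
    return blob[4:4 + n] == parts[0].encode() and len(blob) > 4 + n

def authorized_keys_from_ldif(ldif_text, username):
    """authorized_keys lines sshd should see for `username`; empty unless the uid matches."""
    entry = parse_ldif(ldif_text)
    if entry.get("uid") != [username]:            # never hand out another account's keys
        return []
    return [k for k in entry.get("sshpublickey", []) if key_is_wellformed(k)]

def sample_key(ktype, *fields):                   # constructed key material, not real keys
    wire = b"".join(ssh_string(f) for f in (ktype.encode(),) + fields)
    return ktype + " " + base64.b64encode(wire).decode()
ED25519 = sample_key("ssh-ed25519", b"\x11" * 32) + " daniel@laptop"
RSA = sample_key("ssh-rsa", b"\x01\x00\x01", b"\x00" + b"\xab" * 64) + " daniel@desk"
SAMPLE_LDIF = f"""dn: uid=daniel,ou=people,dc=example,dc=org
uid: daniel
sshPublicKey: {ED25519}
sshPublicKey:: {base64.b64encode(RSA.encode()).decode()}
sshPublicKey: ssh-dss AAAAB3NzaC1kc3MAAACB type-not-allowed
sshPublicKey: ssh-rsa AAAAC3NzaC1lZDI1NTE5 blob-does-not-match-type
"""
```

On the server this sits behind a hypothetical wrapper such as `AuthorizedKeysCommand /usr/local/bin/ldap-keys %u`, which pipes the `ldapsearch -LLL` output for `(uid=%u)` into `authorized_keys_from_ldif` and prints one key per line. Run it as an unprivileged `AuthorizedKeysCommandUser` so a bad directory entry can at worst deny a login, never grant one.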

