Group information and PAM

Dennis Leeuw dleeuw at made-it.com
Wed May 6 05:38:57 UTC 2015


Let me start off with mentioning that PAM uses modules and with those 
modules you can create an authentication stack where each module is 
"tried" after the other. This way you can create a stack that does:
check LDAP credentials
check RADIUS credentials
check local credentials
deny access

All this can be done for authentication checking and session checking 
(group information) depending on the different stacks you write and the 
settings in /etc/nsswitch.conf

I hope this answers your questions about the ordering. To answer your 
question about SSH keys, that depends on the schemas in your LDAP 
server and the version of sshd you are using. I have written a little 
document that might help you out:
http://pig.made-it.com/ldap-openssh.html
and while at it the following might help to understand a bit more about 
how you could use PAM modules with LDAP:
http://pig.made-it.com/client-ldap.html

Greetings,

Dennis Leeuw
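A small simulator of how such a stack is walked, added here as an illustration and not part of this mail or of Linux-PAM itself; the pam.d lines and the per-module results it uses are constructed, and it implements only the required, requisite and sufficient control flags, not optional or the [value=action] syntax.

```python
"""Walk a PAM 'auth' stack module by module, honouring the control flags
required / requisite / sufficient (a simplification of Linux-PAM's rules).
The stack mirrors the LDAP -> RADIUS -> local -> deny order described above;
the module names are common Linux-PAM modules, the results are constructed."""

# Constructed /etc/pam.d/<service> auth stack (assumption, not a real file).
PAM_STACK = """
auth sufficient pam_ldap.so
auth sufficient pam_radius_auth.so
auth sufficient pam_unix.so
auth required   pam_deny.so
"""

def parse_stack(text):
    """Return [(control, module)] for every non-comment 'auth' line."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        facility, control, module = line.split()[:3]
        if facility == "auth":
            entries.append((control, module))
    return entries

def run_stack(entries, outcomes):
    """Walk the stack; outcomes maps module -> True (success) / False.
    Returns (granted, tried): tried lists the modules actually consulted."""
    tried = []
    required_failed = False
    for control, module in entries:
        ok = outcomes.get(module, False)   # unknown module counts as a failure
        tried.append(module)
        if control == "sufficient":
            if ok and not required_failed:
                return True, tried         # success short-circuits the stack
            # a failing 'sufficient' module is ignored; keep walking
        elif control == "requisite":
            if not ok:
                return False, tried        # failure ends the stack at once
        elif control == "required":
            if not ok:
                required_failed = True     # remembered, but the walk continues
        else:
            raise ValueError("unsupported control flag: " + control)
    return not required_failed, tried

def authenticate(outcomes):
    """Run the constructed LDAP -> RADIUS -> local -> deny stack."""
    return run_stack(parse_stack(PAM_STACK), outcomes)
```

Feeding it different per-module results shows why pam_deny.so is only reached when every earlier source has failed, and why a failing 'required' module placed before a 'sufficient' one still denies access.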

On 05/05/2015 10:47 PM, JCA wrote:
>     I am very new to PAM, so maybe what I am about to ask is trivial;
> please bear with me.
>
>     I understand how to configure PAM in my Linux system so that
> whenever a user attempts to log in from a given application, the
> authentication will be delegated to a relevant server. I have two
> questions:
>
>    1) Imagine a user trying to log into my system via SSH. When
> authentication is local, that user can resort to public key
> authentication, so that no password will have to be supplied. Based on
> what I know about PAM, public key authentication will not be available
> in general when using an external authentication mechanism - I don't
> think that e.g. RADIUS or LDAP servers support that. So my assumption
> is that once PAM is configured for, say, RADIUS authentication for
> SSH, public key authentication will not be available
> for SSH users any more. Is this correct?
>
>     2) When doing authentication with an LDAP or RADIUS server through
> PAM, is it possible to configure PAM so that the information
> concerning the groups that the user belongs to is obtained from the
> server, rather than locally? Both LDAP and RADIUS servers can easily
> convey that information at the same time as they carry out a successful
> authentication, but it is not clear to me if PAM provides any
> mechanism to make use of it.
>
> _______________________________________________
> Pam-list mailing list
> Pam-list at redhat.com
> https://www.redhat.com/mailman/listinfo/pam-list
>