Best practices for "pure" remote accounts

James Yu Wang yuwang at cs.fsu.edu
Fri Oct 20 19:32:11 UTC 2023


Where are the accounts stored? 

PAM allows you to stack modules. For example, you can use pam_krb5 to auth
off AD and pam_radius to auth off radius. You stack them in the 'auth'
section of the pam.d config file.

You use NSS to get users' uid, gid, homedir, etc. Nslcd and sssd
can do that. You put pam_ldap or pam_sss in the 'account' section of the pam.d
config file and append 'ldap' or 'sss' to the 'passwd' and 'shadow' lines in
/etc/nsswitch.conf.


-----Original Message-----
From: Pam-list <pam-list-bounces at redhat.com> On Behalf Of Philip Prindeville
Sent: Friday, October 20, 2023 3:09 PM
To: Pluggable Authentication Modules <pam-list at redhat.com>
Subject: Re: Best practices for "pure" remote accounts

Yes, this would be for multiple machines.

Also, my understanding is that sssd works with LDAP/AD but not with Radius?

I'd like to find something that works with both.

Looking for a deployment guide that explains how PAM, NSS, and SSSD all fit
together.

> On Oct 19, 2023, at 6:03 AM, James Yu Wang <yuwang at cs.fsu.edu> wrote:
> 
> Hello,
> 
> Since you only care about username, uid, gid, and loginshell
> (management CLI), if you only have one appliance, then just use the
> /etc/passwd file with pam_unix. If you have multiple appliances, then
> consider centralized authentication and authorization like ldap with
> pam_sss.
> 
> James
> 
> -----Original Message-----
> From: Pam-list <pam-list-bounces at redhat.com> On Behalf Of Philip 
> Prindeville
> Sent: Wednesday, October 18, 2023 1:04 PM
> To: pam-list at redhat.com
> Subject: Best practices for "pure" remote accounts
> 
> Hi,
> 
> I was wondering what the conventional wisdom is in the following
> scenario...
> 
> I'm working on a downstream distro that uses Debian/Ubuntu bases, and 
> we allow users to log into an appliance (or "server", if you prefer, 
> but not really).  For now we have to go ahead and create a placekeeper 
> account with no password for each user for LDAP or Radius 
> authentication to work, but I saw some articles on stackoverflow and
> elsewhere talking about "authconfig" and "nslcd", etc.
> 
> Our requirements are such that having a "seed" user that everyone gets 
> cloned as is fine, so they can inherit that uid, gid, and 
> (nonexistent) home directory as they won't be dropping into a shell 
> but into a management CLI instead.
> 
> We just need to be able to tell them apart by username.
> 
> And we can block access to scp/sftp if needed for that uid/gid so we 
> don't have to worry about them creating files since they don't have a 
> home directory of their own.
> 
> How is this typically solved in the most lightweight way possible?
> 
> Thanks,
> 
> -Philip
> 

_______________________________________________
Pam-list mailing list
Pam-list at redhat.com
https://listman.redhat.com/mailman/listinfo/pam-list
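As an added example, not from the thread or from the PAM project, the stacked 'auth' section and the nsswitch.conf wiring James describes are written out below as constructed fragments, together with a small POSIX sh check that the PAM 'account' module and the NSS 'passwd'/'shadow' lines agree. The module names (pam_krb5.so, pam_radius_auth.so, pam_sss.so), control flags and the check_nss_wiring function are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Module names, control flags and this
# check are illustrative assumptions; on Debian/Ubuntu the real stack should
# come from pam-auth-update rather than be hand-edited.

# Constructed 'auth' stack: Kerberos against AD first, then RADIUS, each
# 'sufficient' so either backend can satisfy the auth phase. pam_deny at
# the end fails the login when neither succeeded. The 'account' section
# uses pam_sss for authorization of directory users.
PAM_STACK='
auth     sufficient  pam_krb5.so
auth     sufficient  pam_radius_auth.so use_first_pass
auth     required    pam_deny.so
account  required    pam_unix.so
account  [default=bad success=ok user_unknown=ignore]  pam_sss.so
account  required    pam_permit.so
'

# Constructed /etc/nsswitch.conf lines: 'sss' appended so NSS can resolve
# uid, gid, shell and shadow data for users that exist only in the directory.
NSSWITCH='
passwd: files sss
group:  files sss
shadow: files sss
'

# Prints "ok" and returns 0 when every pam_sss / pam_ldap account module in
# the PAM stack ($1) has its NSS backend on both the passwd and shadow lines
# of nsswitch.conf ($2); otherwise prints what is missing and returns 1.
check_nss_wiring() {
    pam=$1 nss=$2 status=0
    for mod in sss ldap; do
        printf '%s\n' "$pam" | grep -Eq "^account[[:space:]].*pam_${mod}\.so" || continue
        for db in passwd shadow; do
            printf '%s\n' "$nss" | grep -Eq "^${db}:.*[[:space:]]${mod}([[:space:]]|\$)" ||
                { echo "missing: '${mod}' on ${db} line (needed by pam_${mod})"; status=1; }
        done
    done
    [ "$status" -eq 0 ] && echo ok
    return "$status"
}

check_nss_wiring "$PAM_STACK" "$NSSWITCH"
```

Running it against a real host means feeding it the contents of the pam.d account file and /etc/nsswitch.conf; a user that authenticates but then fails 'account' with an unknown-user error is the usual symptom of the NSS side being missing.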