[Date Prev][Date Next] [Chronological] [Thread] [Top]

ssh certificate ldap


I have the following setup:

auth       required     /lib/security/pam_nologin.so
auth       sufficient   /lib/security/pam_ldap.so
auth       required     /lib/security/pam_unix_auth.so try_first_pass
account    [success=ok perm_denied=die
default=ignore] /lib/security/pam_ldap.so
account    required     /lib/security/pam_unix_acct.so
password   sufficient   /lib/security/pam_ldap.so
session    required     /lib/security/pam_unix_session.so

User logins are filtered by the line
in /etc/ldap.conf. All the conf files are soft links to this file. 

The configuration works for a user without a certificate. Which is to
say, users belonging to the correct group as defined in the filter can
login, others cannot.

If the user has an ssh certificate pair, and the public key appears on
the target, and there is no password needed, the pam_filter is not

Is there any way to ensure that even users with certificates have to
pass the pam_filter?