ssh certificate ldap
Hi.
I have the following setup:
pam.d/ssh
#%PAM0.0
auth required /lib/security/pam_nologin.so
auth sufficient /lib/security/pam_ldap.so
auth required /lib/security/pam_unix_auth.so try_first_pass
account [success=ok perm_denied=die default=ignore] /lib/security/pam_ldap.so
account required /lib/security/pam_unix_acct.so
password sufficient /lib/security/pam_ldap.so
session required /lib/security/pam_unix_session.so
User logins are filtered by the line
pam_filter
in /etc/ldap.conf. All the conf files are soft links to this file.
The configuration works for a user without a certificate, which is to
say, users belonging to the correct group as defined in the filter can
log in, others cannot.
If the user has an ssh certificate pair, and the public key appears on
the target, and there is no password needed, the pam_filter is not
used.
Is there any way to ensure that even users with certificates have to
pass the pam_filter?
Thanks,
Peter