RSS feed

Re: combine pam-usb and pam-ldapd ?

[Date Prev][Date Next] [Thread Prev][Thread Next]

Re: combine pam-usb and pam-ldapd ?

On 12/12/11 06:38, Arthur de Jong wrote:

I would really want to have users authenticated by a private key on a
usb stick, with/without a password.

This seems to be what pam-usb does for local users. Do you think it
would be possible to somehow get the pam-usb functionality into
pam-ldapd ?
You can probably do without libpam_ldapd then, just use libnss_ldapd to
provide the user information from LDAP. You could keep libpam_ldapd
around to do authorisation checks (account expiry) or provide a fallback
authentication mechanism, depending on your PAM config.

I don't have any experience with pam_usb so can't comment on that.
Correctly setup, PAM is designed to be modular. So you can for example, use libnss to provide all the passwd/group information, and then use pam_usb to attempt to authenticate, and then failback to libpam_ldapd on failure. Do some reading into pam (man pam, man pam.conf) and look into required and sufficient. 'sufficient' for example allows this module to authenticate the user, but a failure doesn't deny login if another module authenticates the user successfully. Make sure you do good testing though!

To unsubscribe send an email to or see