NSS+LDAP+SSH setup with /home shared across several servers

First of all, thanks for making nss-pam-ldapd available, which is very valuable.

I am new to NSS and LDAP and I am wondering if I can use nss-pam-ldapd in my specific setup. I am planning to have several servers in a LAN which will share the /home directories using NFS. Of course, the users who will have their home directory on that shared space will be able to log onto any of those servers.

I am also planning to enforce the login to be restricted to SSH key pairs, i.e. no check against Unix passwords. However, I wish also to centralize the user account information (ids, groups, login directories), which will be provided by LDAP. Even though LDAP will be used for storing posixAccount records, my intention is to NOT have userPassword attributes in the database.

AFAIU, if pam_ldap.so is used for the auth part of PAM, then the user will always be prompted for a password, which is checked against the one provided by the LDAP server.

Here comes my question: would it be possible to bypass the authtok part of pam_ldap.so, while keeping all the account information (ids, groups, and login directory) managed by NSS+LDAP, and proceed with the SSH key pair for authentication? The advantage of this setup is that users using ssh-agent will not have to type passwords during their sessions.

Thanks in advance for your attention,

Best regards,

Rafael Laboissière
--
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users/
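The configuration the question describes (account data from LDAP via NSS, SSH keys as the only authentication, no LDAP password prompt) comes down to a handful of sshd and PAM settings. The script below is an added illustration, not part of the original message or of nss-pam-ldapd: it embeds constructed sample fragments of sshd_config and /etc/pam.d/sshd and a small audit function that checks they match that policy. File names and the PAM layout follow the common Debian/Ubuntu conventions and are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Constructed sample fragments
# showing "SSH keys only, account info from LDAP via nslcd", plus an audit
# function a defender can run against the real files.

# sshd_config fragment: public-key auth on, every password path off.
# UsePAM stays yes so the PAM *account* and *session* stacks still run
# (pam_ldap can enforce authorization there); with public-key auth sshd
# never calls the PAM *auth* stack, so no LDAP password is ever prompted.
# Authorized keys then live in the NFS-shared ~/.ssh/authorized_keys.
SSHD_CONF='
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
UsePAM yes
'

# /etc/pam.d/sshd fragment: pam_ldap only in account and session lines.
PAM_CONF='
auth     required   pam_unix.so
account  required   pam_unix.so
account  required   pam_ldap.so
session  required   pam_unix.so
session  optional   pam_ldap.so
'

# sshd_value CONFIG KEY -> prints the last value set for KEY
# (case-insensitive, so it also accepts the lowercase output of sshd -T).
sshd_value() {
  printf '%s\n' "$1" | awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
    'tolower($1)==k {v=$2} END {print v}'
}

# audit_setup SSHD_CONFIG PAM_CONFIG -> 0 if the policy holds, 1 otherwise.
audit_setup() {
  [ "$(sshd_value "$1" PubkeyAuthentication)" = yes ]        || return 1
  [ "$(sshd_value "$1" PasswordAuthentication)" = no ]       || return 1
  [ "$(sshd_value "$1" KbdInteractiveAuthentication)" = no ] || return 1
  [ "$(sshd_value "$1" UsePAM)" = yes ]                      || return 1
  # pam_ldap on an "auth" line is exactly what would prompt for a password.
  printf '%s\n' "$2" | grep -Eq '^[[:space:]]*auth.*pam_ldap' && return 1
  return 0
}

audit_setup "$SSHD_CONF" "$PAM_CONF" && echo "policy OK"
```

On a live host, pass the output of `sshd -T` (the effective configuration) as the first argument and the contents of /etc/pam.d/sshd as the second.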