
Re: NSS+LDAP+SSH setup with /home shared across several servers





On Thu, 7 May 2015 11:08:04 +0200,
Rafael Laboissiere <rafael@laboissiere.net> wrote:

> How can an SSH key-pair authentication succeed without knowing 
> which is the user's home directory?

That's the beauty of the separation between NSS and the actual
authentication part in PAM or via SSH keys. The NSS part gives sshd the
account information like home directories via LDAP if configured as
such (via nsswitch.conf). Authenticating users via LDAP would then work
if the PAM module is used.

If sshd does authentication itself, it still has the LDAP information
via NSS. Trust me, it works ;-) You just configured things so that

shell$ id $some_user

works to give you information about that user account from LDAP. This
part has nothing to do with PAM. You can then proceed to set up SSH keys
and configure sshd to not allow password logins (make sure to disable
everything except keys, as it would fall back to other enabled methods).

Also, if you want to fetch the SSH keys via LDAP, you can hook any
source into OpenSSH via AuthorizedKeysCommand (`man sshd_config`).


Alrighty then,

Thomas

-- 
Dr. Thomas Orgis
Universität Hamburg
RRZ / Zentrale Dienste / HPC
Schlüterstr. 70
20146 Hamburg
Tel.: 040/42838 8826
Fax: 040/428 38 6270
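Checking the two halves Thomas describes, as an added example that is not from the mail or from the nss-pam-ldapd project: `getent` shows whether NSS (and so LDAP via nsswitch.conf) resolves the account with no PAM involved, and a small awk filter over `sshd -T` output confirms that no method other than keys is enabled. The AuthorizedKeysCommand path in the constructed sample is a hypothetical placeholder, not a real program.

```shell
# Added example, not from the original mail. NSS resolution is what
# `id $some_user` relies on; the sshd check reads the effective
# configuration as printed by `sshd -T` (lowercase "keyword value"
# lines), which already folds in defaults and Match blocks.

# nss_resolves USER: succeed and print the home directory NSS hands to
# sshd. getent goes through nsswitch.conf, so an LDAP user resolves
# exactly like a local one, and PAM is never consulted.
nss_resolves() {
    getent passwd "$1" | awk -F: 'NR == 1 { print $6; found = 1 } END { exit !found }'
}

# keys_only < SSHD_T_OUTPUT: succeed only when public-key auth is the sole
# enabled method. Both the old (challengeresponseauthentication) and the
# current (kbdinteractiveauthentication) keyword are understood; a keyword
# that is missing counts as "yes", which is the OpenSSH default.
keys_only() {
    awk '
        function get(k, dflt) { return (k in opt) ? opt[k] : dflt }
        { opt[$1] = $2 }
        END {
            pw  = get("passwordauthentication", "yes")
            kbd = get("kbdinteractiveauthentication", get("challengeresponseauthentication", "yes"))
            pub = get("pubkeyauthentication", "yes")
            exit !(pw == "no" && kbd == "no" && pub == "yes")
        }'
}

# Constructed samples standing in for `sshd -T` output (not captured from
# a real host). The first is the trap the mail warns about: passwords are
# off, but keyboard-interactive is still on, so sshd can fall back to it.
WEAK_CFG='pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication yes'

# The hardened variant; the AuthorizedKeysCommand path is a hypothetical
# helper that would fetch keys from LDAP, not a real program.
KEYS_ONLY_CFG='pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication no
authorizedkeyscommand /usr/local/bin/ldap-ssh-keys %u
authorizedkeyscommanduser nobody'

# Stand-alone use: sh check.sh USER runs both checks on the live host (root needed for sshd -T).
if [ -n "${1:-}" ]; then
    nss_resolves "$1" || echo "NSS cannot resolve $1" >&2
    sshd -T | keys_only && echo "sshd: keys only" || echo "sshd: other methods enabled" >&2
fi
```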

